dcrat | 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Size

4.9MB
MD5

4331bb6448c6da37580f2ac382b45750
SHA1

4516ce7712311a62a03c332aec5d0dec7513efc3
SHA256

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de
SHA512

9ee79af2228dacf6294a06a069f3ef4addd897bfcd930d7c78a51062dec60ef611edcb3332f3d8181188b029dbc2635e1e35a8a2f6b8c88cb348f967da8a1b9a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2744	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2352-3-0x000000001B3E0000-0x000000001B50E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
2636	powershell.exe
2656	powershell.exe
2788	powershell.exe
1664	powershell.exe
2852	powershell.exe
2640	powershell.exe
444	powershell.exe
3052	powershell.exe
2660	powershell.exe
764	powershell.exe
664	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1680	lsass.exe
980	lsass.exe
976	lsass.exe
1200	lsass.exe
1744	lsass.exe
572	lsass.exe
2192	lsass.exe
2980	lsass.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Solitaire\69ddcba757bf72	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\smss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\dllhost.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\services.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD26A.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\6ccacd8608530f	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\RCXC77D.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXD6EF.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\42af1c969fbb7b	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Microsoft Games\Solitaire\smss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Google\CrashReports\dllhost.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Google\CrashReports\5940a34987c991	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\services.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\c5b4cb5e9653cc	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXB80B.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\RCXBA0F.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC097.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\886983d96e3d3e	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\Vss\RCXBE84.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\Vss\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\SchCache\RCXC9EE.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\SchCache\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\winsxs\x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_478e55843710fde4\services.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\Vss\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\Vss\f3b6ecef712a24	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\SchCache\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
832	schtasks.exe
1648	schtasks.exe
2868	schtasks.exe
2736	schtasks.exe
1444	schtasks.exe
3060	schtasks.exe
2004	schtasks.exe
2192	schtasks.exe
896	schtasks.exe
1572	schtasks.exe
536	schtasks.exe
2980	schtasks.exe
768	schtasks.exe
2708	schtasks.exe
2640	schtasks.exe
2316	schtasks.exe
2676	schtasks.exe
1644	schtasks.exe
2692	schtasks.exe
608	schtasks.exe
2840	schtasks.exe
2608	schtasks.exe
1832	schtasks.exe
1868	schtasks.exe
2644	schtasks.exe
2052	schtasks.exe
2780	schtasks.exe
2768	schtasks.exe
2652	schtasks.exe
2444	schtasks.exe
1516	schtasks.exe
1236	schtasks.exe
328	schtasks.exe
976	schtasks.exe
1348	schtasks.exe
3040	schtasks.exe
1848	schtasks.exe
2152	schtasks.exe
1736	schtasks.exe
668	schtasks.exe
3016	schtasks.exe
2156	schtasks.exe
1100	schtasks.exe
1984	schtasks.exe
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2856	powershell.exe
2656	powershell.exe
1664	powershell.exe
444	powershell.exe
2636	powershell.exe
2788	powershell.exe
2640	powershell.exe
664	powershell.exe
3052	powershell.exe
2660	powershell.exe
764	powershell.exe
2852	powershell.exe
1680	lsass.exe
980	lsass.exe
976	lsass.exe
1200	lsass.exe
1744	lsass.exe
572	lsass.exe
2192	lsass.exe
2980	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1680	lsass.exe
Token: SeDebugPrivilege	980	lsass.exe
Token: SeDebugPrivilege	976	lsass.exe
Token: SeDebugPrivilege	1200	lsass.exe
Token: SeDebugPrivilege	1744	lsass.exe
Token: SeDebugPrivilege	572	lsass.exe
Token: SeDebugPrivilege	2192	lsass.exe
Token: SeDebugPrivilege	2980	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2856	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	77
PID 2352 wrote to memory of 2856	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	77
PID 2352 wrote to memory of 2856	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	77
PID 2352 wrote to memory of 2636	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	78
PID 2352 wrote to memory of 2636	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	78
PID 2352 wrote to memory of 2636	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	78
PID 2352 wrote to memory of 2656	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	79
PID 2352 wrote to memory of 2656	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	79
PID 2352 wrote to memory of 2656	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	79
PID 2352 wrote to memory of 2852	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	80
PID 2352 wrote to memory of 2852	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	80
PID 2352 wrote to memory of 2852	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	80
PID 2352 wrote to memory of 2640	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	81
PID 2352 wrote to memory of 2640	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	81
PID 2352 wrote to memory of 2640	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	81
PID 2352 wrote to memory of 664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2352 wrote to memory of 664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2352 wrote to memory of 664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2352 wrote to memory of 1664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2352 wrote to memory of 1664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2352 wrote to memory of 1664	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2352 wrote to memory of 2788	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2352 wrote to memory of 2788	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2352 wrote to memory of 2788	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2352 wrote to memory of 764	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2352 wrote to memory of 764	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2352 wrote to memory of 764	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2352 wrote to memory of 2660	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2352 wrote to memory of 2660	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2352 wrote to memory of 2660	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2352 wrote to memory of 3052	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2352 wrote to memory of 3052	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2352 wrote to memory of 3052	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2352 wrote to memory of 444	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2352 wrote to memory of 444	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2352 wrote to memory of 444	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2352 wrote to memory of 2136	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	101
PID 2352 wrote to memory of 2136	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	101
PID 2352 wrote to memory of 2136	2352	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	101
PID 2136 wrote to memory of 1612	2136	cmd.exe	103
PID 2136 wrote to memory of 1612	2136	cmd.exe	103
PID 2136 wrote to memory of 1612	2136	cmd.exe	103
PID 2136 wrote to memory of 1680	2136	cmd.exe	104
PID 2136 wrote to memory of 1680	2136	cmd.exe	104
PID 2136 wrote to memory of 1680	2136	cmd.exe	104
PID 1680 wrote to memory of 2972	1680	lsass.exe	105
PID 1680 wrote to memory of 2972	1680	lsass.exe	105
PID 1680 wrote to memory of 2972	1680	lsass.exe	105
PID 1680 wrote to memory of 2332	1680	lsass.exe	106
PID 1680 wrote to memory of 2332	1680	lsass.exe	106
PID 1680 wrote to memory of 2332	1680	lsass.exe	106
PID 2972 wrote to memory of 980	2972	WScript.exe	107
PID 2972 wrote to memory of 980	2972	WScript.exe	107
PID 2972 wrote to memory of 980	2972	WScript.exe	107
PID 980 wrote to memory of 2156	980	lsass.exe	108
PID 980 wrote to memory of 2156	980	lsass.exe	108
PID 980 wrote to memory of 2156	980	lsass.exe	108
PID 980 wrote to memory of 848	980	lsass.exe	109
PID 980 wrote to memory of 848	980	lsass.exe	109
PID 980 wrote to memory of 848	980	lsass.exe	109
PID 2156 wrote to memory of 976	2156	WScript.exe	110
PID 2156 wrote to memory of 976	2156	WScript.exe	110
PID 2156 wrote to memory of 976	2156	WScript.exe	110
PID 976 wrote to memory of 1592	976	lsass.exe	111

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
"C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1612
- - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35a027be-2633-4748-a2b2-5ff978b6ffe2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:980
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463690e7-6481-4d14-9f99-887451243f3b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8477aa-86ab-48a2-b570-ee8270428fef.vbs"
        8⤵
        
        PID:1592
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6cf352c-d520-43df-b146-399e5d767048.vbs"
        10⤵
        
        PID:1284
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fff3fb78-0cae-4b36-8dcb-7819cf1a2f75.vbs"
        12⤵
        
        PID:1976
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ffd6a36-5ba8-43b3-96d2-fc555e26b2e8.vbs"
        14⤵
        
        PID:292
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0032384f-4566-4f11-ba77-4c0b0a0557c5.vbs"
        16⤵
        
        PID:1696
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8543f54f-958f-4a2a-b05c-b6070622841a.vbs"
        18⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f3d248c-5715-48eb-894a-13b638f16875.vbs"
        18⤵
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dee67746-6cbf-46b1-b952-6622b265c416.vbs"
        16⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22ee6b34-a508-4a71-bd62-964d74721526.vbs"
        14⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\423a4ada-7e59-4b1e-92ae-db994fe4dab8.vbs"
        12⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1265fc2-5263-4123-b974-903a297b3ec9.vbs"
        10⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfac61b-27f2-46c5-81ff-32f942fc5d37.vbs"
        8⤵
        
        PID:2532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451987a2-1ea1-4245-90be-561be758d388.vbs"
        6⤵
        
        PID:848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d284985-ee95-4386-96fa-c17902911834.vbs"
      4⤵
      PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\dllhost.exe

Filesize
4.9MB

MD5
4331bb6448c6da37580f2ac382b45750

SHA1
4516ce7712311a62a03c332aec5d0dec7513efc3

SHA256
9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de

SHA512
9ee79af2228dacf6294a06a069f3ef4addd897bfcd930d7c78a51062dec60ef611edcb3332f3d8181188b029dbc2635e1e35a8a2f6b8c88cb348f967da8a1b9a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe

Filesize
4.9MB

MD5
1ea2df8f7de8bf2363ad8d5bddbce715

SHA1
858583802bb2dd22f6d39a82c4e7fafc6fdaff8d

SHA256
2e103a6f7842931e21c29012b1ec1419f0e854a04577d8af9c077bcf68014dfa

SHA512
32f0edc144d1b4c3aa9a76d7b98678ef8b0d0d9e712e2f3daf4427acbb158889e8f5ae96380636a1844af23993347311cf83bd8011995ca5752bf4ca3cc51175

Download Submit
C:\Users\Admin\AppData\Local\Temp\0032384f-4566-4f11-ba77-4c0b0a0557c5.vbs

Filesize
734B

MD5
25dec297c3d869e57b009c8c9d70b2b7

SHA1
390fd6c2a276358433cf6a86fda105204e5aafc9

SHA256
7c46189b9980e077b9efaca9af60ca217342f40ece7eabfb6360fb89a07219f2

SHA512
905bb1a0afa2f1c9db178e39211f45d4cc5d9ed735d8ed0a7209ab05697e703be98e9e8f7c3ef7c44b499cd00c832bfcc4af0970db9be981d02dd8f2d21a44de

Download Submit
C:\Users\Admin\AppData\Local\Temp\35a027be-2633-4748-a2b2-5ff978b6ffe2.vbs

Filesize
734B

MD5
56b98fabdd4532f7258f6084ba537a48

SHA1
3bf6497b7a8c0613b04f129aea2c9cd5c45310bd

SHA256
cb2c7d4cee9e77e3ae432a3b509c2693d6ba22ff6abec87dc2a7cebe3e4756dc

SHA512
95deb3c786ad891aa7945163b534b041d6ff7459540ced2e78d151374dc424b8434ecec66798a6eb161ee6d9770d650489bd451dcc1b467e96ada6c36854023d

Download Submit
C:\Users\Admin\AppData\Local\Temp\463690e7-6481-4d14-9f99-887451243f3b.vbs

Filesize
733B

MD5
f015160e8adad32cadbc28e3c5743577

SHA1
3df4a4d18c1bb20633c18dbf1475ecc121c3a7e4

SHA256
10edb41d34308cc6efb9cf956054434017f9af66053f4ab2b740185ee57a055a

SHA512
abecac4c8c0e6469355f3c7296dd844c12f901e0bfad797455dd9bf38f0c4c7949ca0593acbdc4de24a4bb570a6f4ee9d2ac087ee485b8bb82756eea0959f1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b8477aa-86ab-48a2-b570-ee8270428fef.vbs

Filesize
733B

MD5
2a28464346c0e15f4e1d1b73387897a9

SHA1
cfa41ca601200bd4916ccc215223ae885ff64f75

SHA256
f97a7531cded5b0fdc5ef53504d485bf5320c0357186d11a1e6fffaaacf53389

SHA512
44b70b9774e255458eb23f06fc68205110f59268a4b5d0b4b380bc11bc91a382898404fe624e6616a9ede9cdc2838bc5bb916e3a5637aa6b79759c3f0d4afdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d284985-ee95-4386-96fa-c17902911834.vbs

Filesize
510B

MD5
d179a9f6453cc4ce28156ff7ee231fd3

SHA1
31cd4413c987f782e8e34209246911ee7ef66493

SHA256
e5467c1f7f55f472a0e6f0bc7b21d38bbbb131b0617abae2b439f9bb848708ca

SHA512
238587dd4827c5d6ba1600e185330dd168cc9df704608bd55cecee63d695143f01c363288b70163739737f88e3dff51e789789c970d0e7ee36bd72fa810ee235

Download Submit
C:\Users\Admin\AppData\Local\Temp\8543f54f-958f-4a2a-b05c-b6070622841a.vbs

Filesize
734B

MD5
6266a7912d1af2f68712ac24cef2b874

SHA1
4c43e999dff1e5aa1544af6b90d1533e2ff6a7c5

SHA256
758c31da9b9fbf81bd84154472a2b35376e1792298f1d87451588c6cdca5dcd9

SHA512
92a5247fe65edae256e4b2fe0329347ee1c53f33d29cdc1d50b811e0cc3e9bbb909b7ab4a6cd87f23f70483d4273dd801d75390d1eb6a62a7a8b8140e502632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ffd6a36-5ba8-43b3-96d2-fc555e26b2e8.vbs

Filesize
733B

MD5
f5433e9e7fcfbeb5cc4a2f59e60295bf

SHA1
e9bdec76f64a8d06d6491fb4068f149d875b3134

SHA256
c422a6b02f94ce276dedbfa0a76c33fa72a6fa3edd6faa1f48688b33205f4ba1

SHA512
418cd3e91f33a9172fa073fd807c0bfe0afe93c5c14a1430a54f99a8fea65e7edab7ce579d465e558d5173a4fc43687c82905976ce1f728d48e8d6ccdad09bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat

Filesize
223B

MD5
8c07bf1e8d744376d893958694a9efd3

SHA1
24ddf82bd830be333c5d2c73b35863abd24fbd15

SHA256
ea7f3ebe1c37ce09633ce41ff2e9bb7fbade80be3df7628b0f27928360bbc3c3

SHA512
b559e414787c2ed2b0c84c5e9cd8aecc363e189fa7cced436e051792185f250b8fd6e031ff6326316f1ff7ac4da7f2f872d7decc32f63d4aca96907840d62718

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6cf352c-d520-43df-b146-399e5d767048.vbs

Filesize
734B

MD5
730068dda90d0ed4228fbea194e0ce71

SHA1
7830fdef2c0470cc94369f414a3eb2a477e325f0

SHA256
b96b9eb7fe5ca563c1bb79228d6f9150607374236c964024d5d7f2b783035141

SHA512
0229dde77456c20f60be28f20684a9fa7da110bd55e8bc3fad5ee4d5e05be9ddacd69d3a236c8df6f847f7c589c52294ae45ec58938f90a0991cd9771cdd5856

Download Submit
C:\Users\Admin\AppData\Local\Temp\fff3fb78-0cae-4b36-8dcb-7819cf1a2f75.vbs

Filesize
734B

MD5
483928393bde94eb283826704216abcb

SHA1
1e0c27905988ca1a5fe0860f08657f0df8591fd9

SHA256
35c3242593a51daf223794e5049869067971f68e49137847bb45c1200a906f42

SHA512
1a853c09ccf6915dc874aca52572a58ead351412d3a9a8e4905106fb5d0e78629a5718e352a1e5ecfa266a8e73cd0ddbd93d861e0b2a9d1bc8d323fd324f8e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF84.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf5ede2766e1ebca2bc386280be29ed6

SHA1
d1e48f1e708dae0f24b8aff50a4799a228fc36ce

SHA256
92711eb8501cf2a484db3515fe44244847c34bde45f8a55384d5268aea7918bd

SHA512
a31128af9ff51a8206d27a40ed1b8c410168db29d5f5b811db0a0de0a1756714fe2af3198f2b9eb241e5ced13378a704cca88b1efe8bafbf59914bd917cc0db2

Download Submit
C:\Users\Public\Recorded TV\Sample Media\audiodg.exe

Filesize
4.9MB

MD5
4fc86a878aeebf1a49cd57f93eb5128e

SHA1
abca0b734233e970fd8bf8ca4cde8b6c756aca44

SHA256
a8405e8dfbc5d324d81d2c2f5f079ff4c748f3a051264af8f43b2bceb1b92388

SHA512
b5a5e59c5f67aaaabfc1981ead0e16f00d1d8b9b32b79243584be5682200119ee66f17be463ea5a0aa44c4ed3257f127788122944f8328e665ccd22893942395

Download Submit
C:\Windows\Vss\RCXBE84.tmp

Filesize
4.9MB

MD5
512222775a3f06aa97e16d7e548aa391

SHA1
f56e6a8e1d1b6042745d8a94b56db80a7491b382

SHA256
ad22704b7555f555ae966b7de1d592f2bb6068650c767b72a6d324f4923a1857

SHA512
5fb5468bfeed6e311372ca677b1f20444214326ceda184310fa5f8cf39c878ca92561850bd044a60af5dea3b2f1e0c14e7638830cb347d8daf0e1577d8fc2631

Download Submit
memory/980-238-0x0000000000CF0000-0x00000000011E4000-memory.dmp

Filesize
5.0MB

Download
memory/1200-267-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/1680-224-0x0000000000930000-0x0000000000E24000-memory.dmp

Filesize
5.0MB

Download
memory/2352-220-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-14-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2352-132-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-13-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/2352-1-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/2352-12-0x00000000024A0000-0x00000000024AE000-memory.dmp

Filesize
56KB

Download
memory/2352-3-0x000000001B3E0000-0x000000001B50E000-memory.dmp

Filesize
1.2MB

Download
memory/2352-11-0x0000000002490000-0x000000000249A000-memory.dmp

Filesize
40KB

Download
memory/2352-16-0x00000000025E0000-0x00000000025EC000-memory.dmp

Filesize
48KB

Download
memory/2352-118-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2352-10-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2352-9-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/2352-8-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2352-15-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/2352-7-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2352-6-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2352-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2352-5-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2352-4-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/2352-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-168-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2856-167-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download