dcrat | 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Size

4.9MB
MD5

4cb19f29a50b590b4e049659105ec340
SHA1

80bc53b20a62cf2d790376f121ec32ef2b1dc905
SHA256

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
SHA512

53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2980	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2980	schtasks.exe	29

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2796-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2464	powershell.exe
3012	powershell.exe
1324	powershell.exe
1824	powershell.exe
2612	powershell.exe
2708	powershell.exe
2896	powershell.exe
1564	powershell.exe
2320	powershell.exe
2876	powershell.exe
1492	powershell.exe
2444	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1744	lsm.exe
2992	lsm.exe
604	lsm.exe
2388	lsm.exe
2016	lsm.exe
2052	lsm.exe
1628	lsm.exe
840	lsm.exe
2968	lsm.exe
3004	lsm.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files\Google\Chrome\8647b3c35d49d9	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX100D.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\services.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Branding\Basebrd\services.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Branding\Basebrd\c5b4cb5e9653cc	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Help\Help\de-DE\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Help\Help\de-DE\0a1fd5f707cd16	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Branding\Basebrd\RCXA00.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Help\Help\de-DE\RCX2421.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Help\Help\de-DE\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
564	schtasks.exe
604	schtasks.exe
1268	schtasks.exe
2912	schtasks.exe
1508	schtasks.exe
1368	schtasks.exe
1864	schtasks.exe
2408	schtasks.exe
2016	schtasks.exe
380	schtasks.exe
1764	schtasks.exe
2936	schtasks.exe
1640	schtasks.exe
2996	schtasks.exe
1260	schtasks.exe
2044	schtasks.exe
2756	schtasks.exe
2308	schtasks.exe
1384	schtasks.exe
2440	schtasks.exe
1328	schtasks.exe
2768	schtasks.exe
1164	schtasks.exe
572	schtasks.exe
2968	schtasks.exe
1956	schtasks.exe
2380	schtasks.exe
2944	schtasks.exe
1652	schtasks.exe
3068	schtasks.exe
1748	schtasks.exe
1532	schtasks.exe
2452	schtasks.exe
1936	schtasks.exe
1876	schtasks.exe
1816	schtasks.exe
2820	schtasks.exe
2884	schtasks.exe
2456	schtasks.exe
1944	schtasks.exe
912	schtasks.exe
2556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1564	powershell.exe
2612	powershell.exe
2464	powershell.exe
2444	powershell.exe
3012	powershell.exe
1324	powershell.exe
2320	powershell.exe
1492	powershell.exe
1824	powershell.exe
2876	powershell.exe
2896	powershell.exe
2708	powershell.exe
1744	lsm.exe
2992	lsm.exe
604	lsm.exe
2388	lsm.exe
2016	lsm.exe
2052	lsm.exe
1628	lsm.exe
840	lsm.exe
2968	lsm.exe
3004	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1744	lsm.exe
Token: SeDebugPrivilege	2992	lsm.exe
Token: SeDebugPrivilege	604	lsm.exe
Token: SeDebugPrivilege	2388	lsm.exe
Token: SeDebugPrivilege	2016	lsm.exe
Token: SeDebugPrivilege	2052	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	840	lsm.exe
Token: SeDebugPrivilege	2968	lsm.exe
Token: SeDebugPrivilege	3004	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1564	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	72
PID 2796 wrote to memory of 1564	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	72
PID 2796 wrote to memory of 1564	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	72
PID 2796 wrote to memory of 2444	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	73
PID 2796 wrote to memory of 2444	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	73
PID 2796 wrote to memory of 2444	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	73
PID 2796 wrote to memory of 2320	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	74
PID 2796 wrote to memory of 2320	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	74
PID 2796 wrote to memory of 2320	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	74
PID 2796 wrote to memory of 2464	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	75
PID 2796 wrote to memory of 2464	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	75
PID 2796 wrote to memory of 2464	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	75
PID 2796 wrote to memory of 3012	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	76
PID 2796 wrote to memory of 3012	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	76
PID 2796 wrote to memory of 3012	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	76
PID 2796 wrote to memory of 1324	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	77
PID 2796 wrote to memory of 1324	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	77
PID 2796 wrote to memory of 1324	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	77
PID 2796 wrote to memory of 1824	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	78
PID 2796 wrote to memory of 1824	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	78
PID 2796 wrote to memory of 1824	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	78
PID 2796 wrote to memory of 2612	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	79
PID 2796 wrote to memory of 2612	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	79
PID 2796 wrote to memory of 2612	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	79
PID 2796 wrote to memory of 2708	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 2796 wrote to memory of 2708	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 2796 wrote to memory of 2708	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 2796 wrote to memory of 2876	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	81
PID 2796 wrote to memory of 2876	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	81
PID 2796 wrote to memory of 2876	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	81
PID 2796 wrote to memory of 2896	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	82
PID 2796 wrote to memory of 2896	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	82
PID 2796 wrote to memory of 2896	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	82
PID 2796 wrote to memory of 1492	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	83
PID 2796 wrote to memory of 1492	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	83
PID 2796 wrote to memory of 1492	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	83
PID 2796 wrote to memory of 1484	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	96
PID 2796 wrote to memory of 1484	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	96
PID 2796 wrote to memory of 1484	2796	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	96
PID 1484 wrote to memory of 3020	1484	cmd.exe	98
PID 1484 wrote to memory of 3020	1484	cmd.exe	98
PID 1484 wrote to memory of 3020	1484	cmd.exe	98
PID 1484 wrote to memory of 1744	1484	cmd.exe	99
PID 1484 wrote to memory of 1744	1484	cmd.exe	99
PID 1484 wrote to memory of 1744	1484	cmd.exe	99
PID 1744 wrote to memory of 2684	1744	lsm.exe	100
PID 1744 wrote to memory of 2684	1744	lsm.exe	100
PID 1744 wrote to memory of 2684	1744	lsm.exe	100
PID 1744 wrote to memory of 2596	1744	lsm.exe	101
PID 1744 wrote to memory of 2596	1744	lsm.exe	101
PID 1744 wrote to memory of 2596	1744	lsm.exe	101
PID 2684 wrote to memory of 2992	2684	WScript.exe	102
PID 2684 wrote to memory of 2992	2684	WScript.exe	102
PID 2684 wrote to memory of 2992	2684	WScript.exe	102
PID 2992 wrote to memory of 828	2992	lsm.exe	103
PID 2992 wrote to memory of 828	2992	lsm.exe	103
PID 2992 wrote to memory of 828	2992	lsm.exe	103
PID 2992 wrote to memory of 1812	2992	lsm.exe	104
PID 2992 wrote to memory of 1812	2992	lsm.exe	104
PID 2992 wrote to memory of 1812	2992	lsm.exe	104
PID 828 wrote to memory of 604	828	WScript.exe	105
PID 828 wrote to memory of 604	828	WScript.exe	105
PID 828 wrote to memory of 604	828	WScript.exe	105
PID 604 wrote to memory of 2852	604	lsm.exe	106

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3020
- - C:\Users\All Users\Documents\lsm.exe
    "C:\Users\All Users\Documents\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6995396e-29ea-4044-b2b9-0ffe51941207.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afd2a33d-5bd6-4142-9ece-86a850b5d315.vbs"
        8⤵
        
        PID:2852
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbba9294-9c21-4671-99bf-5bf9887cb9c7.vbs"
        10⤵
        
        PID:2828
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ad6c8e0-0a6b-41bf-b784-f8e4e3a4b98f.vbs"
        12⤵
        
        PID:2148
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4462304-0352-4c4e-b7c3-f150564683c1.vbs"
        14⤵
        
        PID:1800
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\accc5c32-99b0-41bc-95c0-b2ce6c820d25.vbs"
        16⤵
        
        PID:772
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24bbded-90ad-4e2a-85d6-707f70f6f58a.vbs"
        18⤵
        
        PID:316
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211cbc0d-ac03-46a7-a81f-f006af7024e3.vbs"
        20⤵
        
        PID:2496
        
        C:\Users\All Users\Documents\lsm.exe
        
        "C:\Users\All Users\Documents\lsm.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2370028c-1bf8-47bb-bc8c-0889e2c70abc.vbs"
        22⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1171f0-d7b1-4cb1-9795-cd7d39646537.vbs"
        22⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a4c834-edcb-464d-91df-16e37715e663.vbs"
        20⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd1ce172-1b77-40d3-952d-c3998d6edcf9.vbs"
        18⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55f1121e-6762-45da-9486-5ab829d6c326.vbs"
        16⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a0c2a6-7558-468c-96d1-5fd2196698f0.vbs"
        14⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d56d3b11-1db7-4f70-be08-178dea6240a8.vbs"
        12⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeec09dc-860d-4cbc-b066-c7f04b1b2596.vbs"
        10⤵
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c147d21-4fbe-44b5-a625-e83f01656691.vbs"
        8⤵
        
        PID:1968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aead724-39b0-4185-a6fd-149d9e6fb004.vbs"
        6⤵
        
        PID:1812
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b9f62f-2f7f-46b2-9cbb-8a2dfdbbf694.vbs"
      4⤵
      PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe

Filesize
4.9MB

MD5
4cb19f29a50b590b4e049659105ec340

SHA1
80bc53b20a62cf2d790376f121ec32ef2b1dc905

SHA256
5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

SHA512
53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
4.9MB

MD5
ba56bf4bb082d876734a6b7ec126305b

SHA1
4968fec6b449bc6b4372013920d9354c6b1835e0

SHA256
eda3ac5697f9618da517bd850020dcc397b9694dfb09d28acbf0379df81781be

SHA512
b9ceb1a69fb8a051ec20c5c8856c62783b14ef47e1b68ce759a03583e8343772ab485c09c7feea8e58236bd81fc7dedffad76389b7c0860ae4c6aec2f6ee0fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\211cbc0d-ac03-46a7-a81f-f006af7024e3.vbs

Filesize
712B

MD5
756a609b60e8242b7e679bee8bda31cc

SHA1
e7681b1cbcd5c9c976f355f968d96d0c10139952

SHA256
9f81c3a05544d1d9debc05340910477eae11a7a70096832f7fdc740de0cc0d30

SHA512
e818b5ce60cc9b42fd549c90200bebfb1f379ff2afa2a56ac960131b2a8d445db892de1484fb1e4f40efcf01d5cce6d2801e17eca86c02165754ab1b78e4d37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2370028c-1bf8-47bb-bc8c-0889e2c70abc.vbs

Filesize
712B

MD5
9ed04a28656e76bf0e0f727d6ac8e235

SHA1
190cd171928f79c2a82c56be71740eb756a80293

SHA256
39dff1e83c6ae7968b164fd8ca4b97ad70955241b58cdb0ebe7a4d3092404189

SHA512
29c9090dfd2bb3bfbf66a42f8897ff130dfd4eedd389cf49e0544e7446c9a97e9c06ff50ade39084de9dc1821b7542dbdda30ae77a71f421dc684fe23101b5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\26b9f62f-2f7f-46b2-9cbb-8a2dfdbbf694.vbs

Filesize
488B

MD5
6176cf0f2f0544bc9f211d488137e6c3

SHA1
3d2477f05d807f40392171a2e695f013af2babf5

SHA256
66f118877d67b694d6f2dd6c34fe4614b1720c5eb015a09bfa80cec6747ab19b

SHA512
4512c6216c82a2ca3809a2e71fb3887ed06553a31ebfb847b889fbe6a826ecb571920fb0e1d37b5f4b320a1721e99c3cb0b24321185e3e670d27163b04869cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\511f5aa7-066a-4fc7-8ea9-01c8ade37f8e.vbs

Filesize
712B

MD5
5e32bf2d729c050552ca5a76ab7f30c6

SHA1
924b0cd8ee3de4af4a7173f9043a3cde1e7158b1

SHA256
095ce42e0701df711b229a43a544329d39e0761f97eefcbc421b73561c549aa8

SHA512
6ec88a168292bd80ecd866b5df08a9489cd3ba69bf809dfd4e792698a03a4411f22750ce3c0f8cf4c512954e69f1eb49d41ea1bfb51e7acaeb7f232b0c7a3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6995396e-29ea-4044-b2b9-0ffe51941207.vbs

Filesize
712B

MD5
b8d74e04404c22e2276c443e6a194783

SHA1
37d3687c92cab92193aeb5da5fbbc849ac20b389

SHA256
d07b4d0027d6135b1742fa41417809cb08eb46fcec555af314e6f77c9321c90f

SHA512
272b7af45a665ef9736dd92c350534687207d1978ed33c08b1673caf370294d1d9fd9ed5425dfb4ed7c6a7ba9e0b483cab748a6a585a563857f79dfd916b1a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ad6c8e0-0a6b-41bf-b784-f8e4e3a4b98f.vbs

Filesize
712B

MD5
1d27ea91a7c396113fe89720376c296d

SHA1
5df5958adfd6bbf4734c2a23b9b99133e23b814c

SHA256
6d2c2ec44755b214c3212537701f487639d96ead140292fdc81f73993034ec1c

SHA512
ce2721970c82ac71cefc94405c532e6a19707ab5ab43df3c8d79c8a8d5b297900a7cee5785148e2968152458d9a829d3996bf3e38fd49025b9a5ca7b2d8c8e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat

Filesize
201B

MD5
19ca0b5d5a3f8f6ab669df77bf8c8eb3

SHA1
d0778aaa1b55619cb10aa1eebbfb64bc17dc23d8

SHA256
82714fa2eee36d84883823fb70df461e59eaf640f544e7abeac7f6d9558ebe12

SHA512
82dbf26a336c3db53a2b23720ce8df2fccf8e790fb53f93420699b6c811f988343f7331e420055f0b96b39afe7c88b9ec7d45b5abfbf2b714012a923afaae7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\accc5c32-99b0-41bc-95c0-b2ce6c820d25.vbs

Filesize
712B

MD5
1b001a2f6a53ae49c69dce7e1736dbdb

SHA1
ba57c83af8d1f4bde044addb34494473686fea2c

SHA256
8a9d8539955a1e180fbd95fd1ff94f136bb8559741ebcba5228af466a9ca66c5

SHA512
df85ca3ffa9e61582651fdbe5058d7b55f97ba82a4dcea7279e48fde0f7a5712fe18d2dd90a67fa2987919b93e31668f2a9178250c41c40bba52c590e4fef9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\afd2a33d-5bd6-4142-9ece-86a850b5d315.vbs

Filesize
711B

MD5
bb1b39353b41b6e1bceae00a9beda67a

SHA1
20b6d073ee1da617a6024b4603e09ee12728dd4e

SHA256
5d1603fe1f2bcabcf077295dbd714ec2a85f7102251247d1a22c331c4909ef91

SHA512
4126f6532bf254a10aec28ad5a241b5a742e7c87079fc850fd2b2b6cec9bfcc977aa83d9abcf82f9cc36c4824d57369670deecbc1969867b1473a6c0a5dbfdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e24bbded-90ad-4e2a-85d6-707f70f6f58a.vbs

Filesize
711B

MD5
083a110dac5ad33e502022e70776a08b

SHA1
361e8af76c9ce6c29e8b27986123f64ca04a9426

SHA256
e772788f820efd9311efff43e506b547acb7de3f821d3fff56de6000fe0df7f5

SHA512
a3953a4f477d03096191d51344ac4d7b093f16220659144290c986ace8df2ac74a1cb65ca3c7541c17da59ce4fd05900550e5c6477e94470dc346fad8e5f98c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4462304-0352-4c4e-b7c3-f150564683c1.vbs

Filesize
712B

MD5
ff31844cdce7a6947f10eec5ec3152d0

SHA1
f4cefe7fb23476cd397294f881033874c0746ee2

SHA256
d2fbcb805bf9c15e58298bb085c0ba97557fe8553060fc039686686b717b7ae5

SHA512
349f8c0b82c9466a23b024fa4626648e2579e1ed03a20b55788a14bea03553928cf543a0a7d8d81b7ef6129f6825798a2b7775d494588c3af271eac391a5682f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbba9294-9c21-4671-99bf-5bf9887cb9c7.vbs

Filesize
712B

MD5
6ed901de91bc7f8eac8ae26ff4c39c99

SHA1
15ff64d1e2c64d1c3a8095d2e848ed357f62da25

SHA256
3149b485676cb80addc641314fce29cb85e9a170c0a834b20967cd1f4190eae7

SHA512
6e8fa1a01045bf0058bb45972726a7f1e71673594318c8f60a629a7493be284324499515b437a877d40fbfb97eacf75f35c50d2f455d244a5af41b93ae51c69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5301f908feefeab8c290e2e8ef330004

SHA1
5d62a1092d7cd17bf330306716a659d58e64f78f

SHA256
d2459d7db5a71b0c30cc4202e0b8d5261fd86dc07b42fe5d130cdf3dbad636b9

SHA512
e2557bf18dd3ad127558338793551967bfc64c4ae623d1ddf7936188969bcdf4d230db88881734053c3807d232dfb670428c34e691d6df6979f6bdf4c7e85b8e

Download Submit
C:\Users\Public\Documents\lsm.exe

Filesize
4.9MB

MD5
87c1fb1cd37f034871ee2c0d0a120f4d

SHA1
c23c6acf99bbb712cf5e83c98f16f5b8cc79a1e7

SHA256
abf7722edd515b7fe74fa51000b80202e21c2cd4b2550c002695935313be95f4

SHA512
91de27bcb25ea5cd4d64c40efded2a24ab39081f8be11a4c96c3d8445f38942450c148a3eea5dc7059be8251e0102c4d92c5ca189419d16ae73688528135cca2

Download Submit
memory/604-240-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/604-239-0x0000000000B40000-0x0000000001034000-memory.dmp

Filesize
5.0MB

Download
memory/1564-155-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1564-154-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1628-300-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/1744-210-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2016-270-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/2052-285-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/2388-255-0x0000000000EA0000-0x0000000001394000-memory.dmp

Filesize
5.0MB

Download
memory/2796-8-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/2796-14-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2796-11-0x00000000025B0000-0x00000000025BA000-memory.dmp

Filesize
40KB

Download
memory/2796-10-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/2796-1-0x00000000009B0000-0x0000000000EA4000-memory.dmp

Filesize
5.0MB

Download
memory/2796-9-0x0000000002590000-0x000000000259A000-memory.dmp

Filesize
40KB

Download
memory/2796-16-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/2796-131-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2796-148-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-13-0x0000000002760000-0x000000000276E000-memory.dmp

Filesize
56KB

Download
memory/2796-7-0x0000000002560000-0x0000000002576000-memory.dmp

Filesize
88KB

Download
memory/2796-12-0x0000000002750000-0x000000000275E000-memory.dmp

Filesize
56KB

Download
memory/2796-6-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2796-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2796-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2796-15-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2796-4-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/2796-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp

Filesize
1.2MB

Download
memory/2796-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-329-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2992-224-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download
memory/3004-344-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/3004-345-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download