dcrat | 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Size

4.9MB
MD5

4cb19f29a50b590b4e049659105ec340
SHA1

80bc53b20a62cf2d790376f121ec32ef2b1dc905
SHA256

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
SHA512

53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2124	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2124	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2012-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1120	powershell.exe
1612	powershell.exe
1528	powershell.exe
1804	powershell.exe
1296	powershell.exe
1760	powershell.exe
904	powershell.exe
2388	powershell.exe
1592	powershell.exe
1596	powershell.exe
840	powershell.exe
1700	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1876	winlogon.exe
1712	winlogon.exe
1872	winlogon.exe
2544	winlogon.exe
584	winlogon.exe
2072	winlogon.exe
1532	winlogon.exe
276	winlogon.exe
2028	winlogon.exe
2412	winlogon.exe
2672	winlogon.exe
2944	winlogon.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files\Windows Defender\fr-FR\Idle.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\Idle.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXEE8B.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\0a1fd5f707cd16	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\27d1bcfc3c54e0	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE35E.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXE5CF.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\System.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Prefetch\ReadyBoot\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Prefetch\ReadyBoot\0a1fd5f707cd16	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Performance\System.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Performance\27d1bcfc3c54e0	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXE7E3.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\sppsvc.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Performance\RCXF31F.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
3024	schtasks.exe
1196	schtasks.exe
2440	schtasks.exe
1368	schtasks.exe
2760	schtasks.exe
2844	schtasks.exe
1548	schtasks.exe
1564	schtasks.exe
3020	schtasks.exe
1952	schtasks.exe
2828	schtasks.exe
2620	schtasks.exe
2364	schtasks.exe
624	schtasks.exe
2752	schtasks.exe
2944	schtasks.exe
2296	schtasks.exe
556	schtasks.exe
592	schtasks.exe
1508	schtasks.exe
812	schtasks.exe
2732	schtasks.exe
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
904	powershell.exe
1804	powershell.exe
1296	powershell.exe
1120	powershell.exe
2388	powershell.exe
1612	powershell.exe
1760	powershell.exe
1528	powershell.exe
1700	powershell.exe
1592	powershell.exe
1596	powershell.exe
840	powershell.exe
1876	winlogon.exe
1712	winlogon.exe
1872	winlogon.exe
2544	winlogon.exe
584	winlogon.exe
2072	winlogon.exe
1532	winlogon.exe
276	winlogon.exe
2028	winlogon.exe
2412	winlogon.exe
2672	winlogon.exe
2944	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1876	winlogon.exe
Token: SeDebugPrivilege	1712	winlogon.exe
Token: SeDebugPrivilege	1872	winlogon.exe
Token: SeDebugPrivilege	2544	winlogon.exe
Token: SeDebugPrivilege	584	winlogon.exe
Token: SeDebugPrivilege	2072	winlogon.exe
Token: SeDebugPrivilege	1532	winlogon.exe
Token: SeDebugPrivilege	276	winlogon.exe
Token: SeDebugPrivilege	2028	winlogon.exe
Token: SeDebugPrivilege	2412	winlogon.exe
Token: SeDebugPrivilege	2672	winlogon.exe
Token: SeDebugPrivilege	2944	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1596	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	56
PID 2012 wrote to memory of 1596	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	56
PID 2012 wrote to memory of 1596	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	56
PID 2012 wrote to memory of 1296	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	57
PID 2012 wrote to memory of 1296	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	57
PID 2012 wrote to memory of 1296	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	57
PID 2012 wrote to memory of 1804	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	59
PID 2012 wrote to memory of 1804	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	59
PID 2012 wrote to memory of 1804	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	59
PID 2012 wrote to memory of 1760	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	60
PID 2012 wrote to memory of 1760	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	60
PID 2012 wrote to memory of 1760	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	60
PID 2012 wrote to memory of 1592	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	62
PID 2012 wrote to memory of 1592	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	62
PID 2012 wrote to memory of 1592	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	62
PID 2012 wrote to memory of 2388	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	64
PID 2012 wrote to memory of 2388	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	64
PID 2012 wrote to memory of 2388	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	64
PID 2012 wrote to memory of 1528	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	65
PID 2012 wrote to memory of 1528	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	65
PID 2012 wrote to memory of 1528	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	65
PID 2012 wrote to memory of 1612	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	66
PID 2012 wrote to memory of 1612	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	66
PID 2012 wrote to memory of 1612	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	66
PID 2012 wrote to memory of 1700	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	67
PID 2012 wrote to memory of 1700	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	67
PID 2012 wrote to memory of 1700	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	67
PID 2012 wrote to memory of 1120	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	68
PID 2012 wrote to memory of 1120	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	68
PID 2012 wrote to memory of 1120	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	68
PID 2012 wrote to memory of 904	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	69
PID 2012 wrote to memory of 904	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	69
PID 2012 wrote to memory of 904	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	69
PID 2012 wrote to memory of 840	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	70
PID 2012 wrote to memory of 840	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	70
PID 2012 wrote to memory of 840	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	70
PID 2012 wrote to memory of 1680	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 2012 wrote to memory of 1680	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 2012 wrote to memory of 1680	2012	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	80
PID 1680 wrote to memory of 1848	1680	cmd.exe	82
PID 1680 wrote to memory of 1848	1680	cmd.exe	82
PID 1680 wrote to memory of 1848	1680	cmd.exe	82
PID 1680 wrote to memory of 1876	1680	cmd.exe	83
PID 1680 wrote to memory of 1876	1680	cmd.exe	83
PID 1680 wrote to memory of 1876	1680	cmd.exe	83
PID 1876 wrote to memory of 2904	1876	winlogon.exe	84
PID 1876 wrote to memory of 2904	1876	winlogon.exe	84
PID 1876 wrote to memory of 2904	1876	winlogon.exe	84
PID 1876 wrote to memory of 1656	1876	winlogon.exe	85
PID 1876 wrote to memory of 1656	1876	winlogon.exe	85
PID 1876 wrote to memory of 1656	1876	winlogon.exe	85
PID 2904 wrote to memory of 1712	2904	WScript.exe	86
PID 2904 wrote to memory of 1712	2904	WScript.exe	86
PID 2904 wrote to memory of 1712	2904	WScript.exe	86
PID 1712 wrote to memory of 2484	1712	winlogon.exe	87
PID 1712 wrote to memory of 2484	1712	winlogon.exe	87
PID 1712 wrote to memory of 2484	1712	winlogon.exe	87
PID 1712 wrote to memory of 2712	1712	winlogon.exe	88
PID 1712 wrote to memory of 2712	1712	winlogon.exe	88
PID 1712 wrote to memory of 2712	1712	winlogon.exe	88
PID 2484 wrote to memory of 1872	2484	WScript.exe	89
PID 2484 wrote to memory of 1872	2484	WScript.exe	89
PID 2484 wrote to memory of 1872	2484	WScript.exe	89
PID 1872 wrote to memory of 1440	1872	winlogon.exe	90

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jg9U23qGKp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1848
- - C:\Users\Default User\winlogon.exe
    "C:\Users\Default User\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6177f11f-9927-48b6-89a9-8ecfe9926fb5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1712
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5f18b6-c931-4856-87ca-415e01e28ee1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a3c899-b4ba-4356-94e4-57b35303ad09.vbs"
        8⤵
        
        PID:1440
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe87976-4528-4eeb-a501-efbf7a7f5ff6.vbs"
        10⤵
        
        PID:2676
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb98886c-0f40-469b-8598-5f198fbbb1ba.vbs"
        12⤵
        
        PID:3028
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79aa90de-535e-4739-bc49-6cb57280ab6b.vbs"
        14⤵
        
        PID:2108
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aedb908-3fcb-4d37-b17b-87bc5e61c5ec.vbs"
        16⤵
        
        PID:2664
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2acd06d1-0803-4ea1-9faf-1af6f518eb7b.vbs"
        18⤵
        
        PID:572
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaac55d-0543-470f-8b89-10899346a9e8.vbs"
        20⤵
        
        PID:1428
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\459b1409-981d-4638-a236-6f2b189b8de4.vbs"
        22⤵
        
        PID:2184
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\679c7be1-efd8-4af2-8dd4-6ce052b846da.vbs"
        24⤵
        
        PID:1612
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce46bdb0-7c9e-4a63-af1f-c4c8c119ab99.vbs"
        26⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e5f1d68-1bbc-4655-81a3-aa931e7afcd1.vbs"
        26⤵
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\035b4429-f840-4f83-9975-ea0459b6f449.vbs"
        24⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7deae3a8-1352-4334-aa41-96a35cf993f7.vbs"
        22⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc1a9d3c-dfc1-4b6b-add5-0fccd7f51306.vbs"
        20⤵
        
        PID:700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a39201dd-5555-4e33-a4a3-3d271ead9cd4.vbs"
        18⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a681308e-604a-4440-a943-f3b29ae15a70.vbs"
        16⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd109c7-832c-4334-ad6b-2299824e3139.vbs"
        14⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39423374-8079-43d8-86cf-4cf813b28f75.vbs"
        12⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e2670ad-b8d7-4676-bc1c-fae1d7410733.vbs"
        10⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdea5008-6677-46c9-b2c5-1a2efd217e82.vbs"
        8⤵
        
        PID:1884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7c201f-3b29-433e-806f-2a7413783fd4.vbs"
        6⤵
        
        PID:2712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e49ed5-3f57-4fa0-aa29-318b6368ac9f.vbs"
      4⤵
      PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
4.9MB

MD5
4cb19f29a50b590b4e049659105ec340

SHA1
80bc53b20a62cf2d790376f121ec32ef2b1dc905

SHA256
5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

SHA512
53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e5b2fa84a2497a5b430844da60a911465139fb2.exe

Filesize
4.9MB

MD5
2dd05b0e37103a6c7c09b857b60f21a7

SHA1
ac9372c4596caf9e72b67ac975aa47f91ce57c95

SHA256
110d4bfc1ed71e48ea11facccfa0194e88780573770dc33e3dce3d5156926d70

SHA512
2ae5a6ae7c71e66f7a6ac9a96da4a07785e02a57d9075b8ac7fc7063a416b99d3093fcaddae9432073296ab170abf0fafb7473513a4fa8ba0a801e75aee603e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\27e49ed5-3f57-4fa0-aa29-318b6368ac9f.vbs

Filesize
486B

MD5
3268e93bafe1508f5af4ad76b37250c6

SHA1
c9a4e20b68f39862e85f9f33d6d17a9ac81fffea

SHA256
c4fb021729b0989ba2ca68e3f3bfafd07d666e94c30bf76f22086ca51256e148

SHA512
682343c5535a28e7e91b9886ed620ab591790d3d47537c160b26ec7e80dc77853882d4af5b1594c61a858f7a98cba1a70793801a02dced84660014b7b631749f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2acd06d1-0803-4ea1-9faf-1af6f518eb7b.vbs

Filesize
709B

MD5
88a62b421a0241f10d11bc1919c30c08

SHA1
019aa1f23476fd004d10b98f5db23d4e7950654d

SHA256
9d26aa5fa8d87a84fb2bf058222ab3a380a64fba4bfc494cfe395676ace16f78

SHA512
10276351df83f56f5c5b49c0481caa4722d6d8ee5a7e6b94c3d5a6f65f6bfba72222a32605b1a875204c060e3ee9d861931ef54f9bf9407afe36870367939f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aedb908-3fcb-4d37-b17b-87bc5e61c5ec.vbs

Filesize
710B

MD5
cda3590aa04cc77bfc3ea27570e158b5

SHA1
d0e0e36a19f7d5f8bde43b945c4fec54d429ee5a

SHA256
93fe64ce3c2808898cd9f79f0546e0000e742d412ff3d0331a043ba6d5e961e9

SHA512
eedbd731f005507970262f7256dbabbafd51e0544e93744be60e59b796f484762e639052d002d7364f9ff5ae18e89c6786530740ebe46342f6ac49773b82784c

Download Submit
C:\Users\Admin\AppData\Local\Temp\459b1409-981d-4638-a236-6f2b189b8de4.vbs

Filesize
710B

MD5
d6cbc7c50aeecf5324d3e61beac64946

SHA1
a0f934be918e81a28ea3376cd6e10ef74717d3e2

SHA256
81bf5c9203d07b18af50d4aa710d24837bc01cf4b49754b39fa7a448c9549ebb

SHA512
8be8b852647b11a0f39917751802193c4f055db23c21fb610512805b75ef7ff84555de7a9c9a242e73c9f17edf3c82fd994e0ed08d7796a8c8f2655f9679acd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aaac55d-0543-470f-8b89-10899346a9e8.vbs

Filesize
710B

MD5
08fb6bb8f526f69fdbcbac3601e8938e

SHA1
75f3ad2c36cd515d7f35091a47aa9178a754ae81

SHA256
ac5846e29c2e23ae0bcb758038e468f9ba95006c30eaaeb89e5ca2ebe0d8f61d

SHA512
2f69d760aabab9d59c7c2aa2fb894742993e4becbd1ded6e960c2bbcc48924542aa4dd46f47f10bcdf622bf2f5f18e3f7af362bde1036f9dbc3499f6673f8d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\6177f11f-9927-48b6-89a9-8ecfe9926fb5.vbs

Filesize
710B

MD5
d2b16c5c5350101b1aaab3f7b91eecb3

SHA1
e06c3084a204b9959eb51f2dab1f23ede10959f4

SHA256
572bbee3c1e61c67c1b3fdaf7d42686de9e3c55a5eaf5f5e2da6a25ab19cac7f

SHA512
6ebd8f0e8f202f2eb44075ee09eb0bda4cf0ac7043ddd4d28333c1683edf0b37c44c918a65d4d69a42e829fc42b5ceb6f10b73240d098c21ff58bc4eef57696f

Download Submit
C:\Users\Admin\AppData\Local\Temp\679c7be1-efd8-4af2-8dd4-6ce052b846da.vbs

Filesize
710B

MD5
8ef81070ad8e2fa0fe1a50d334d0627e

SHA1
35cb5d3d73b01732b877f0ed8493295e13497e45

SHA256
15426962333a1d4fedd4491f43a6e3ee563b50468804d3bb5df074cba5facfc1

SHA512
a127f3ad28351958902574779bb6a5a20e80def77e58b83cb50a338cb316c0e24e16621cf46e18a72707faf4acf849a373dd67f8db592cb450e0004642dee57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fe87976-4528-4eeb-a501-efbf7a7f5ff6.vbs

Filesize
710B

MD5
dc9fec6cd13de6cd6a44e9849d637f17

SHA1
a1ba20d2e545b178ec3ffb0016c1951cb8602b67

SHA256
b1b926d7e0de4017edadd0b77d77b48f7ca2b613265ef28d07623e0daecbd93e

SHA512
f18ceea24c53104e11faf16191fc1e66d2dcd2e038147409b685e8702fffde714d3c5ccdbdcea252f3cc496f8229d4633aef943fabb61a92edb80fbb5ce06969

Download Submit
C:\Users\Admin\AppData\Local\Temp\79aa90de-535e-4739-bc49-6cb57280ab6b.vbs

Filesize
710B

MD5
5a5e29a796eef79a77ff0627cccfd970

SHA1
5e8cf0219136a93363fb779dc8f014199bac0e47

SHA256
3a4508cccf47c7047637043b063238e17d28e7aefe2f3ec422d25a4eafad58cb

SHA512
78a9e0728f3f0c77b4c4801ef8fa208087acc96950704f93c8028f7dbfc6f6db76cc33faa01b985869aa6fb9d1aa143b8b73235003887b6ba02a817f56c5066b

Download Submit
C:\Users\Admin\AppData\Local\Temp\94a3c899-b4ba-4356-94e4-57b35303ad09.vbs

Filesize
710B

MD5
a716dc0032043d8274a54b4b9c4c0bb2

SHA1
071c368293ab6764a33d76713c4a4f5f9da4a483

SHA256
a440254a582d04396e38efed8e9990d4c839eaf7111384519ae7888539f695e0

SHA512
cdeed9b7b2e7859aef043c60a5c87f706fe6dcf3a530ca86349d096cb2ef83ac717dc47469b24c1c536e268e817c9671cc18e95c6a4e094e277c0390f47e7e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b5f18b6-c931-4856-87ca-415e01e28ee1.vbs

Filesize
710B

MD5
a88671c3047aa358593d87ae53e0f663

SHA1
713901ce1d1c63bdfd4af1ffd977e2cdecd10882

SHA256
e9af51dbc2e057bbba5ec55322e8fca2221fb919c7c728a7c5cf0b37724d6b16

SHA512
4b114a32538b233d2e60f34b6c5d0fa8deda32e0cb3465e932f4ee648bba671005f44b2dc13cda7b93bdd4c510b2d4ec17aff5dc2916172cdff28156629029e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb98886c-0f40-469b-8598-5f198fbbb1ba.vbs

Filesize
709B

MD5
5d81c0ca40fbd3cb775563017b3d840e

SHA1
0d27105e398b9689d4eca51731d1c5138154f8bb

SHA256
d3f6c9a49d6495edd9209b5af6893732f1a7af440d6666148ff5d82b20d2b314

SHA512
84f4d4c83162298c1d2e633b9d98ca1ddb7e5a4afddb54fbec3d6022ef94cd4fd2ee0ef2b253c030f07c2e7e3744c184320d429ae9f68811ba307b03246a9d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce46bdb0-7c9e-4a63-af1f-c4c8c119ab99.vbs

Filesize
710B

MD5
42578989c5e70f7e10cd819fab9c69e0

SHA1
6c66826e133fded4dc6f1013397721f34bc2a622

SHA256
4596a91f4d11de960f7af05e3f55f69a57d26b8219b42c39d354ba8b883f7a5a

SHA512
6720c7c394a8d4296b24f06b12424db337c3ebe5ce5e89d68d61f6c88953ab1dd2932437ca12139f65fb30ca1726693edf2bf4e47c6bf19be836d9cb82915529

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg9U23qGKp.bat

Filesize
199B

MD5
352eed6c108eba5b3af14c03dc58fd31

SHA1
0892ece459891a35e02a01ae6ef904173a409b0d

SHA256
6e106850cf908ca973ed821ccf0e6882d26aa60eb99ba5c1d4b658f2362b1952

SHA512
2ef6cd6afa84f3160d014f2387f3a7c644fe7f18406626f7419ef74eba10938f4b630b54889aade3989e8cd3bed80e891d564305d3f3049f657665b9d2e80a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd47dc0d0d52de0e92e28ccd19841eb0

SHA1
210f0ca3b0e19d64c7c32461e78688c117793b6c

SHA256
4085d5ef3d033cfdb00df62eff27228bda617d04cd4f1876d4ef98ab4f5ca1b0

SHA512
8588b99e89ba9741fa6057067da3f60a6d6b816ebc9003f701b08e0ff2f26dc0fbb23171a87d10bf662e87b23130e476f54a7199b61b98b7f484c583d27ad49d

Download Submit
memory/276-263-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/584-217-0x0000000000860000-0x0000000000D54000-memory.dmp

Filesize
5.0MB

Download
memory/904-134-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1532-248-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1612-113-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1712-173-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download
memory/1876-159-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2012-9-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2012-8-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2012-15-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2012-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2012-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2012-1-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/2012-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2012-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2012-10-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2012-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp

Filesize
1.2MB

Download
memory/2012-3-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-133-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2012-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/2012-16-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2012-7-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/2012-6-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/2012-4-0x0000000000650000-0x000000000066C000-memory.dmp

Filesize
112KB

Download
memory/2012-5-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2028-279-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2028-278-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/2072-233-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/2072-232-0x0000000000D60000-0x0000000001254000-memory.dmp

Filesize
5.0MB

Download
memory/2412-294-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2544-202-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/2672-309-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2944-324-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download