dcrat | 4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Size

4.9MB
MD5

f11cb56089d86b89e8a22e2be3399c89
SHA1

f1143767c26d899493b0952228cb15e29b61930b
SHA256

4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c
SHA512

cf9a11bdc1d3955296be88a0b754f4e0e7f80e6af8afebab81db27e73618df4659dd78520288fab563dc5db4011b363278b9116cc0d496ea5b82bf489d56a11a
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 60 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2896	schtasks.exe
		2800	schtasks.exe
		2984	schtasks.exe
		2496	schtasks.exe
		2380	schtasks.exe
		860	schtasks.exe
		2400	schtasks.exe
		328	schtasks.exe
		2840	schtasks.exe
		2700	schtasks.exe
		1908	schtasks.exe
		1248	schtasks.exe
		2432	schtasks.exe
		2452	schtasks.exe
		2796	schtasks.exe
		2508	schtasks.exe
		972	schtasks.exe
		532	schtasks.exe
		1676	schtasks.exe
		2112	schtasks.exe
		1240	schtasks.exe
		856	schtasks.exe
		748	schtasks.exe
		812	schtasks.exe
		2296	schtasks.exe
		816	schtasks.exe
		2796	schtasks.exe
		316	schtasks.exe
		2684	schtasks.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e		4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
		2848	schtasks.exe
		2720	schtasks.exe
		1948	schtasks.exe
		2852	schtasks.exe
		2164	schtasks.exe
		2352	schtasks.exe
		3016	schtasks.exe
		2684	schtasks.exe
		2548	schtasks.exe
		1324	schtasks.exe
		1288	schtasks.exe
		2100	schtasks.exe
		2992	schtasks.exe
		340	schtasks.exe
		2948	schtasks.exe
		2676	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
		2936	schtasks.exe
		1696	schtasks.exe
		556	schtasks.exe
		1772	schtasks.exe
File created	C:\Windows\Resources\Themes\Aero\886983d96e3d3e		4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
		1988	schtasks.exe
		1796	schtasks.exe
		2960	schtasks.exe
		2836	schtasks.exe
		2044	schtasks.exe
		3064	schtasks.exe
		2616	schtasks.exe
		2568	schtasks.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2128	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2128	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1680-3-0x000000001B3F0000-0x000000001B51E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
920	powershell.exe
2532	powershell.exe
2788	powershell.exe
2116	powershell.exe
2700	powershell.exe
2876	powershell.exe
1576	powershell.exe
2704	powershell.exe
2764	powershell.exe
1940	powershell.exe
2248	powershell.exe
536	powershell.exe
1616	powershell.exe
1788	powershell.exe
316	powershell.exe
2080	powershell.exe
2396	powershell.exe
1804	powershell.exe
284	powershell.exe
2292	powershell.exe
2648	powershell.exe
2420	powershell.exe
2992	powershell.exe
940	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
684	wininit.exe
2848	wininit.exe
2416	wininit.exe
2524	wininit.exe
2732	wininit.exe
544	wininit.exe
1552	wininit.exe
1284	wininit.exe
1708	wininit.exe
992	wininit.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\RCXB639.tmp	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\c5b4cb5e9653cc	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\Aero\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\smss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Windows\Resources\Themes\Aero\csrss.exe	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File created	C:\Windows\Resources\Themes\Aero\886983d96e3d3e	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\RCXBCB2.tmp	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe
2840	schtasks.exe
2296	schtasks.exe
856	schtasks.exe
1772	schtasks.exe
316	schtasks.exe
1676	schtasks.exe
1948	schtasks.exe
3016	schtasks.exe
2508	schtasks.exe
812	schtasks.exe
2616	schtasks.exe
2164	schtasks.exe
2960	schtasks.exe
1908	schtasks.exe
2852	schtasks.exe
2380	schtasks.exe
556	schtasks.exe
2796	schtasks.exe
2496	schtasks.exe
2984	schtasks.exe
2936	schtasks.exe
972	schtasks.exe
1248	schtasks.exe
2896	schtasks.exe
860	schtasks.exe
2684	schtasks.exe
2720	schtasks.exe
1796	schtasks.exe
2796	schtasks.exe
1324	schtasks.exe
2800	schtasks.exe
2352	schtasks.exe
2432	schtasks.exe
2044	schtasks.exe
2848	schtasks.exe
2948	schtasks.exe
2452	schtasks.exe
2568	schtasks.exe
328	schtasks.exe
2112	schtasks.exe
2676	schtasks.exe
2684	schtasks.exe
2992	schtasks.exe
340	schtasks.exe
816	schtasks.exe
532	schtasks.exe
1988	schtasks.exe
2836	schtasks.exe
2700	schtasks.exe
1696	schtasks.exe
2548	schtasks.exe
748	schtasks.exe
2400	schtasks.exe
1240	schtasks.exe
2100	schtasks.exe
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
2648	powershell.exe
1940	powershell.exe
2420	powershell.exe
2396	powershell.exe
1616	powershell.exe
2292	powershell.exe
2248	powershell.exe
284	powershell.exe
2876	powershell.exe
1804	powershell.exe
536	powershell.exe
2532	powershell.exe
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
1576	powershell.exe
2704	powershell.exe
316	powershell.exe
2788	powershell.exe
2992	powershell.exe
2700	powershell.exe
920	powershell.exe
940	powershell.exe
2116	powershell.exe
1788	powershell.exe
2764	powershell.exe
2080	powershell.exe
684	wininit.exe
2848	wininit.exe
2416	wininit.exe
2732	wininit.exe
544	wininit.exe
1552	wininit.exe
1284	wininit.exe
1708	wininit.exe
992	wininit.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	684	wininit.exe
Token: SeDebugPrivilege	2848	wininit.exe
Token: SeDebugPrivilege	2416	wininit.exe
Token: SeDebugPrivilege	2732	wininit.exe
Token: SeDebugPrivilege	544	wininit.exe
Token: SeDebugPrivilege	1552	wininit.exe
Token: SeDebugPrivilege	1284	wininit.exe
Token: SeDebugPrivilege	1708	wininit.exe
Token: SeDebugPrivilege	992	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2648	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	52
PID 1680 wrote to memory of 2648	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	52
PID 1680 wrote to memory of 2648	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	52
PID 1680 wrote to memory of 1940	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	53
PID 1680 wrote to memory of 1940	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	53
PID 1680 wrote to memory of 1940	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	53
PID 1680 wrote to memory of 2396	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	54
PID 1680 wrote to memory of 2396	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	54
PID 1680 wrote to memory of 2396	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	54
PID 1680 wrote to memory of 2292	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	56
PID 1680 wrote to memory of 2292	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	56
PID 1680 wrote to memory of 2292	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	56
PID 1680 wrote to memory of 2420	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	57
PID 1680 wrote to memory of 2420	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	57
PID 1680 wrote to memory of 2420	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	57
PID 1680 wrote to memory of 2876	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	62
PID 1680 wrote to memory of 2876	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	62
PID 1680 wrote to memory of 2876	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	62
PID 1680 wrote to memory of 1616	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	63
PID 1680 wrote to memory of 1616	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	63
PID 1680 wrote to memory of 1616	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	63
PID 1680 wrote to memory of 1804	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	64
PID 1680 wrote to memory of 1804	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	64
PID 1680 wrote to memory of 1804	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	64
PID 1680 wrote to memory of 2532	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	65
PID 1680 wrote to memory of 2532	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	65
PID 1680 wrote to memory of 2532	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	65
PID 1680 wrote to memory of 2248	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	66
PID 1680 wrote to memory of 2248	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	66
PID 1680 wrote to memory of 2248	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	66
PID 1680 wrote to memory of 284	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	67
PID 1680 wrote to memory of 284	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	67
PID 1680 wrote to memory of 284	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	67
PID 1680 wrote to memory of 536	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	68
PID 1680 wrote to memory of 536	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	68
PID 1680 wrote to memory of 536	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	68
PID 1680 wrote to memory of 1704	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	76
PID 1680 wrote to memory of 1704	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	76
PID 1680 wrote to memory of 1704	1680	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	76
PID 1704 wrote to memory of 2900	1704	cmd.exe	78
PID 1704 wrote to memory of 2900	1704	cmd.exe	78
PID 1704 wrote to memory of 2900	1704	cmd.exe	78
PID 1704 wrote to memory of 3000	1704	cmd.exe	79
PID 1704 wrote to memory of 3000	1704	cmd.exe	79
PID 1704 wrote to memory of 3000	1704	cmd.exe	79
PID 3000 wrote to memory of 1576	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	118
PID 3000 wrote to memory of 1576	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	118
PID 3000 wrote to memory of 1576	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	118
PID 3000 wrote to memory of 316	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	119
PID 3000 wrote to memory of 316	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	119
PID 3000 wrote to memory of 316	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	119
PID 3000 wrote to memory of 940	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	120
PID 3000 wrote to memory of 940	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	120
PID 3000 wrote to memory of 940	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	120
PID 3000 wrote to memory of 2788	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	122
PID 3000 wrote to memory of 2788	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	122
PID 3000 wrote to memory of 2788	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	122
PID 3000 wrote to memory of 920	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	123
PID 3000 wrote to memory of 920	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	123
PID 3000 wrote to memory of 920	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	123
PID 3000 wrote to memory of 2700	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	125
PID 3000 wrote to memory of 2700	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	125
PID 3000 wrote to memory of 2700	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	125
PID 3000 wrote to memory of 2080	3000	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe	126

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
"C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe
    "C:\Users\Admin\AppData\Local\Temp\4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat"
      4⤵
      PID:2180
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2752
    - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6d94cf-8e2b-410d-9c1a-08d6d8fb1a7b.vbs"
        6⤵
        
        PID:2840
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df368d10-6174-42ec-9784-c38094554933.vbs"
        8⤵
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291ae2e4-2025-4f51-a15b-ce5151e70a2f.vbs"
        10⤵
        
        PID:1208
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\606a2ffa-f102-4c72-ab2c-da0ab3e7b0cb.vbs"
        12⤵
        
        PID:2100
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d39be1-0a05-470d-8913-a39f0446a5cf.vbs"
        14⤵
        
        PID:1072
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2aa4157-c17c-4607-9db9-572710d87bf7.vbs"
        16⤵
        
        PID:576
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf3c1d73-010e-401f-b82b-2709c6125568.vbs"
        18⤵
        
        PID:2956
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aefc0204-37dd-49d3-98c0-e2e5028db4f3.vbs"
        20⤵
        
        PID:1648
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f8c2996-c6bd-4e2a-a2f1-e8e294f67335.vbs"
        22⤵
        
        PID:1960
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3c6656-a377-4ab8-94fc-2bb2c9b688cd.vbs"
        24⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f0782f-785c-4e42-9cf6-a0fb27452188.vbs"
        24⤵
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47646849-9ea1-466f-9cd1-196bd43197ec.vbs"
        22⤵
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367979f6-7240-4753-a1ce-0d192ab65ce8.vbs"
        20⤵
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1d052c-ab59-4301-aa43-9f07ec3ba915.vbs"
        18⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d435a25-fe90-4761-8ab2-7c272afb545e.vbs"
        16⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbc7fda-bfda-4d8a-a900-8301ae7cf678.vbs"
        14⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c097d17-e02d-4133-93a0-06c37a149b64.vbs"
        12⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce22090-6e4f-4a1e-8a5a-4f53876364aa.vbs"
        10⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a509922-e19c-4200-9adf-6b851600d279.vbs"
        8⤵
        
        PID:1908
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87dd81f3-b1eb-4b2f-bf15-c5d2bfacade3.vbs"
        6⤵
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RCXB639.tmp

Filesize
4.9MB

MD5
e2d004e3b1cc8245218f6c42a3732e71

SHA1
aa4458f7b5bf3708bf37385a8ba2d0300357d48f

SHA256
4f28d62117922a5a52bfe4420fec268d11bd52ca31f5ac91374ca0a4da4324be

SHA512
9d2650fe85afec5279195689d347bee18c0fad6aa90b7ad0369fdb1d5fca924ac5047dd06cb4a4451a52e8ccfcd2811b188e097af1730dcec27e99cba7fb0138

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe

Filesize
4.9MB

MD5
f11cb56089d86b89e8a22e2be3399c89

SHA1
f1143767c26d899493b0952228cb15e29b61930b

SHA256
4b4ee64846cad1cf66beedce8ea566e807d4d7acb93ec7a0ef940287a9e39a4c

SHA512
cf9a11bdc1d3955296be88a0b754f4e0e7f80e6af8afebab81db27e73618df4659dd78520288fab563dc5db4011b363278b9116cc0d496ea5b82bf489d56a11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d6d94cf-8e2b-410d-9c1a-08d6d8fb1a7b.vbs

Filesize
749B

MD5
716771f59fa54791516946d3855568b0

SHA1
8dfeee84b4729364311b86f8633e2d63c6e36f7b

SHA256
1758fddd802f7f17b003313df99b5f95c98678870d14a1bb1af5e5ee2239b78c

SHA512
67026e9d33a9ad6f7225299cdf3a5b0fe77001c2bb06277b2b9012b90dd01da1557ec0a59c8d143cc6e2fbcb85452d11b60ef169cb5853a83365efc291a79096

Download Submit
C:\Users\Admin\AppData\Local\Temp\18d39be1-0a05-470d-8913-a39f0446a5cf.vbs

Filesize
750B

MD5
638bdbf2369b1de415ad744186637d7c

SHA1
5ac52459f4e01f9ca79b59a66eee8706c81bb2cb

SHA256
b93a6db4b62284526526b5d14e3649b99f22c24d2476bba67df0e9a34241c375

SHA512
a260929e21365a718fc7d8fae9de3a86d5322031887687b15430cb959ddab417898831741886dbb73ec70133ff54a272aea17c0cd4b58b9ebe4bf4297f2ca6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\291ae2e4-2025-4f51-a15b-ce5151e70a2f.vbs

Filesize
750B

MD5
d6c10f068de83bd605d83e6ac224c0c2

SHA1
a4db3817b8bbaea2fbe5e4fd01c109a9241458dc

SHA256
a08f0c4a49c7764f7d06264425b26cf8d9277d2e193cff7c60a9fb9aeff96f16

SHA512
6c9c8351013687e732e3e0cc5b80160b44c1e5602bc13e45259d7c08c7a3ef97b02584501ec433b34cbefb7e9335c56350776be93cb045bde12694fae5ecf555

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f8c2996-c6bd-4e2a-a2f1-e8e294f67335.vbs

Filesize
750B

MD5
e917842be97ffbbdd7d9fecc5e03e2c3

SHA1
10824db5a90dc270fc7906e98cd1236a8b5941b2

SHA256
f0393f814c8f816169a6faee2024641a9619fdc6d25a59979e34304d113b12e8

SHA512
bcedc8026a464da00a82d7eb0f1de011d7c82298619fcaeacc28afa1479a6b5698f90273c5c68c483aa590510f3d130d9a0bb7af046181d8e0108c44d15b3b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\64d4e8ccf489ae3286332e24d7cacae58b7aad22.exe

Filesize
4.9MB

MD5
07823c2cc738ecceee04f84aa32c7058

SHA1
86d41d2b4e951ba926ef6c6a6a5a020b3a3f3ff5

SHA256
83c775103b8f850943d8c5957c62450680966ddb7719cda1b70ad9333437f459

SHA512
f017248f38853d027bf6f1b3b8e50370bf670d2c775f30067fac5294bd5dbbc20622e8517c42f6d011a0e2358d167a9d633f983328378db4a7882ffb6e322e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c3c6656-a377-4ab8-94fc-2bb2c9b688cd.vbs

Filesize
749B

MD5
249d5594692ac42db25d7d0ca3687f3e

SHA1
b9ddf4b84d6e839a3b23cf8c5f9819ea90ca73d5

SHA256
6daa5934cf5d31c1ab7a745a688eccd3c30547527dfdc439c66a6cb9ca781066

SHA512
194ee43af385e5a0846ac1eeaa30e359883a87d11bac6b33ee8012ca0c94bebc8b696cbc802a5f32b4c8a4b52365cf2991a7e7d2365bb4f6bc941b810d3d02cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\87dd81f3-b1eb-4b2f-bf15-c5d2bfacade3.vbs

Filesize
526B

MD5
a40056fa13e7b28e0051f6d82f455863

SHA1
b1e200ece914175b94c330ea86444dd5d2c91b39

SHA256
198b6af58bc47d5c2b69125282c1e1ea781d88e1fff18df56442552cfebf2f20

SHA512
2763293668354efa654cb6e693ceff9aa6114283157740a141d8a0073e345b88e8017c6d6a3629edda98d423da8ddec663f16c9e947658a7e208888c0530a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UluF99a5gx.bat

Filesize
239B

MD5
94926e957f4404ae220d6534863a523a

SHA1
3261e1669cd69b9ee03a30c5e4fce3b9440ede02

SHA256
f4edbb0dcc96ab301300510722c00ff3ad6e9ef1c77987edde6ea7e7f8c9593b

SHA512
cbacaa9c286306e072cb0bf5759c1bbe21a623b21e1702408ebb04c190d79fcb7584bfe519000f21a2d4e2b7d76169b745f30fea8cef98a3c9eb915be2b5cbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2aa4157-c17c-4607-9db9-572710d87bf7.vbs

Filesize
749B

MD5
1159dec96ae8fbdd22b5d11ec2e6d41b

SHA1
1eb7282fa01a3f16b68e2243ffc29e5c8523952a

SHA256
26c0ffa67a0c59283de6a333c126214c6a7af8763f081928ea3033c1ad2f6745

SHA512
bfe7efabd1c6c3afb0bc1c851aacee6ab71bd38ebe6f46d0af9e43a86f835d744190e2460144f835977addbebbbf59688e4bde99426e48ee6ee293b6dd14a0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\aefc0204-37dd-49d3-98c0-e2e5028db4f3.vbs

Filesize
750B

MD5
8a06c4d29d5ac8d5228b0523c9fb49d8

SHA1
1fbe67da53667a5321a07987ab80768acd7a6904

SHA256
a6929ea9063b1145528a05b7a93b0f1fc665e355a079d51d99d43cbfccfa97d9

SHA512
9033e77672e2c66aecd94b9ca3ab4f7aae4fcd6a681d7c3b79b76d2cf7c99550d79df12277520f047a0faddee77deb6da1e5597b2e20c1cf866808316ae8ba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf3c1d73-010e-401f-b82b-2709c6125568.vbs

Filesize
750B

MD5
342d62d04a0f0532b28af4f088e31240

SHA1
139b39d4ae6ee43c8f77335d3fea5a28c17e5374

SHA256
5ac250fdcb53867fb13dbc50001e9372096d13990a6275ef778b3cbbc9a0e486

SHA512
3185e4921a069907e537f1d8cc418132e6ecfaa31e70cde9b73be47f8e346ac24ab28c2d4df04888858b941f7991e48bbccd27b1600726d0413655b4c4d59e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\df368d10-6174-42ec-9784-c38094554933.vbs

Filesize
750B

MD5
98950ae04d8ffd0b410e6703ad456a9e

SHA1
7f11decc475ff9f8119f4aacbeb79bb3820084c1

SHA256
8695102dae3fe729631fa423670bec4c01b0130a8b70d92927c9066792a5f442

SHA512
bbfce9911f6b219befaf91f2dbd6012f002ab2378d47d4ed3d7b73480109775990d2c526dbcef62dcb6f8e90af35d95b664b5ff376a83c2a712a8c57278813e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat

Filesize
267B

MD5
b959c5cba6edf78d4a5694e5b2b40447

SHA1
e7b58a436357026eb2e5858ac15d91a0009825fb

SHA256
9b032ccc938b02dde23e6b2c856ea658a86912138b3ebfaa8cfe9ca3dafdb6be

SHA512
1f9a6086e63d10dccc2e98fffb224b87fe58859186f1bd6a9d9c15f3b6fa27698094c5332af56c651d5cbe9a4f6d8b2415ce84904e2dcda8429710a138d363f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE521.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dbcb1d09f66ddd5f007292014dde0a1d

SHA1
72e1dc7801b7cc7c13e7106d61a39b8e6486e26c

SHA256
7a4df70dbdb18b5d90c1d1fd2f9ff6f6d206a4b6e92922c5deb5feb5e54ccf3a

SHA512
4516b8a47d5eca70f153d3d7b7a0eae19865ee1f575bd618fcd6b575f5f141dbb2d8f43446d408660f031f1b082365294c47a16e3af5f74fc80ff2103786e83a

Download Submit
memory/544-327-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/544-326-0x00000000009D0000-0x0000000000EC4000-memory.dmp

Filesize
5.0MB

Download
memory/684-266-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/992-388-0x00000000011D0000-0x00000000016C4000-memory.dmp

Filesize
5.0MB

Download
memory/1552-343-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1552-342-0x0000000000DE0000-0x00000000012D4000-memory.dmp

Filesize
5.0MB

Download
memory/1576-221-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/1576-220-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1680-9-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/1680-2-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-0-0x000007FEF5083000-0x000007FEF5084000-memory.dmp

Filesize
4KB

Download
memory/1680-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/1680-16-0x0000000002620000-0x000000000262C000-memory.dmp

Filesize
48KB

Download
memory/1680-11-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/1680-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1680-118-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-1-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/1680-3-0x000000001B3F0000-0x000000001B51E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-8-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1680-4-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/1680-7-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/1680-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1680-15-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/1680-10-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1680-5-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1680-14-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/1708-373-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1708-372-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/2416-295-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/2648-101-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2648-100-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2732-311-0x00000000003F0000-0x00000000008E4000-memory.dmp

Filesize
5.0MB

Download
memory/2848-280-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/3000-147-0x0000000000FE0000-0x00000000014D4000-memory.dmp

Filesize
5.0MB

Download