dcrat | ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Size

4.9MB
MD5

b01f6f3d873ab05578a58c77de3325e0
SHA1

8a0af4f893835a31fd5202c276c43b3a3e52d139
SHA256

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409
SHA512

8e564f46c0095bbcfe50bfd1b3043d3357f3afb41b6e030b2eb3790ca1a485007eec57f55928b4534104cd73594a805384370718eca48f6f2870937b311ad5f6
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2700	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2700	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2508-3-0x000000001B5A0000-0x000000001B6CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
692	powershell.exe
1488	powershell.exe
320	powershell.exe
2744	powershell.exe
2652	powershell.exe
2768	powershell.exe
2432	powershell.exe
2600	powershell.exe
492	powershell.exe
2656	powershell.exe
2124	powershell.exe
1660	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
1968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
532	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
668	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2164	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
448	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2176	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2808	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
3032	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\cc11b995f2a76d	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\886983d96e3d3e	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\RCXBE2C.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXB60E.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\winlogon.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\Windows Sidebar\services.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\886983d96e3d3e	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXAD82.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\RCXC234.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\Windows Sidebar\c5b4cb5e9653cc	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Internet Explorer\winlogon.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\Windows Sidebar\services.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Media\Landscape\dwm.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Media\Landscape\6cb0b6c459d5d3	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Prefetch\ReadyBoot\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Prefetch\ReadyBoot\69ddcba757bf72	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Media\Landscape\RCXC030.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Media\Landscape\dwm.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXC6A7.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2792	schtasks.exe
1776	schtasks.exe
1088	schtasks.exe
1712	schtasks.exe
1272	schtasks.exe
2356	schtasks.exe
2656	schtasks.exe
2160	schtasks.exe
2540	schtasks.exe
1740	schtasks.exe
1240	schtasks.exe
2768	schtasks.exe
1504	schtasks.exe
2004	schtasks.exe
2932	schtasks.exe
1388	schtasks.exe
2424	schtasks.exe
2556	schtasks.exe
2912	schtasks.exe
3000	schtasks.exe
1852	schtasks.exe
1864	schtasks.exe
2852	schtasks.exe
2892	schtasks.exe
332	schtasks.exe
840	schtasks.exe
1336	schtasks.exe
2272	schtasks.exe
3044	schtasks.exe
400	schtasks.exe
2492	schtasks.exe
2224	schtasks.exe
2308	schtasks.exe
1616	schtasks.exe
2132	schtasks.exe
2920	schtasks.exe
2772	schtasks.exe
2796	schtasks.exe
2628	schtasks.exe
664	schtasks.exe
2800	schtasks.exe
2992	schtasks.exe
2848	schtasks.exe
1580	schtasks.exe
740	schtasks.exe
1656	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2744	powershell.exe
492	powershell.exe
320	powershell.exe
1488	powershell.exe
2768	powershell.exe
2432	powershell.exe
2652	powershell.exe
2656	powershell.exe
1660	powershell.exe
692	powershell.exe
2124	powershell.exe
2600	powershell.exe
1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
1968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
532	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
668	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2164	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
448	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2176	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2808	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
3032	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	1968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	532	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	668	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2164	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	448	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2176	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2808	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	3032	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	2968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2744	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	80
PID 2508 wrote to memory of 2744	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	80
PID 2508 wrote to memory of 2744	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	80
PID 2508 wrote to memory of 692	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	81
PID 2508 wrote to memory of 692	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	81
PID 2508 wrote to memory of 692	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	81
PID 2508 wrote to memory of 1660	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	82
PID 2508 wrote to memory of 1660	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	82
PID 2508 wrote to memory of 1660	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	82
PID 2508 wrote to memory of 1488	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	83
PID 2508 wrote to memory of 1488	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	83
PID 2508 wrote to memory of 1488	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	83
PID 2508 wrote to memory of 2652	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	84
PID 2508 wrote to memory of 2652	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	84
PID 2508 wrote to memory of 2652	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	84
PID 2508 wrote to memory of 2768	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	85
PID 2508 wrote to memory of 2768	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	85
PID 2508 wrote to memory of 2768	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	85
PID 2508 wrote to memory of 2432	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2508 wrote to memory of 2432	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2508 wrote to memory of 2432	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2508 wrote to memory of 2600	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2508 wrote to memory of 2600	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2508 wrote to memory of 2600	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2508 wrote to memory of 492	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2508 wrote to memory of 492	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2508 wrote to memory of 492	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2508 wrote to memory of 320	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2508 wrote to memory of 320	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2508 wrote to memory of 320	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2508 wrote to memory of 2656	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2508 wrote to memory of 2656	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2508 wrote to memory of 2656	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2508 wrote to memory of 2124	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2508 wrote to memory of 2124	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2508 wrote to memory of 2124	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2508 wrote to memory of 2180	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	104
PID 2508 wrote to memory of 2180	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	104
PID 2508 wrote to memory of 2180	2508	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	104
PID 2180 wrote to memory of 1356	2180	cmd.exe	106
PID 2180 wrote to memory of 1356	2180	cmd.exe	106
PID 2180 wrote to memory of 1356	2180	cmd.exe	106
PID 2180 wrote to memory of 1644	2180	cmd.exe	107
PID 2180 wrote to memory of 1644	2180	cmd.exe	107
PID 2180 wrote to memory of 1644	2180	cmd.exe	107
PID 1644 wrote to memory of 1140	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	108
PID 1644 wrote to memory of 1140	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	108
PID 1644 wrote to memory of 1140	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	108
PID 1644 wrote to memory of 1932	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	109
PID 1644 wrote to memory of 1932	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	109
PID 1644 wrote to memory of 1932	1644	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	109
PID 1140 wrote to memory of 2980	1140	WScript.exe	110
PID 1140 wrote to memory of 2980	1140	WScript.exe	110
PID 1140 wrote to memory of 2980	1140	WScript.exe	110
PID 2980 wrote to memory of 1512	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	111
PID 2980 wrote to memory of 1512	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	111
PID 2980 wrote to memory of 1512	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	111
PID 2980 wrote to memory of 2504	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	112
PID 2980 wrote to memory of 2504	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	112
PID 2980 wrote to memory of 2504	2980	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	112
PID 1512 wrote to memory of 1968	1512	WScript.exe	113
PID 1512 wrote to memory of 1968	1512	WScript.exe	113
PID 1512 wrote to memory of 1968	1512	WScript.exe	113
PID 1968 wrote to memory of 568	1968	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	114

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
"C:\Users\Admin\AppData\Local\Temp\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mIr7g9QuKX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1356
- - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
    "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1644
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a15e8d83-c6ee-488c-9315-19abe7b45add.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2980
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19d23ea8-1bee-42bd-8d26-9385667aa1b9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98b1938e-395e-4de5-a915-0d89fb48f8a9.vbs"
        8⤵
        
        PID:568
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ee48303-b053-4424-9808-f7c135a5d635.vbs"
        10⤵
        
        PID:1964
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\febc0457-1bf8-4c30-ab16-3781db7f1b0a.vbs"
        12⤵
        
        PID:2608
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a5ea96c-71bd-4e4d-8fa2-fd1848775abd.vbs"
        14⤵
        
        PID:2524
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000dfc55-f240-41b5-9ed9-6a910d40f642.vbs"
        16⤵
        
        PID:580
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b51c83-7338-4be0-b4e4-542929ec0007.vbs"
        18⤵
        
        PID:2212
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f0d67d0-06da-4467-b79b-195cf04aa689.vbs"
        20⤵
        
        PID:2928
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b1cd33-ab71-4640-9340-eccbbfbea490.vbs"
        22⤵
        
        PID:2976
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be830950-2edf-4bd5-acdc-e9433ac3b32c.vbs"
        24⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e932036-81e0-40c5-89ab-2e11362e1769.vbs"
        24⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3124b9-47b5-4326-b1e7-05f76866906b.vbs"
        22⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd80f276-9e7e-476e-89f6-5cc69bdca230.vbs"
        20⤵
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fd67ce-d361-4b36-a8aa-d99944bbf983.vbs"
        18⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5233f2d7-4e74-4ffb-a3ed-e3ce228fe763.vbs"
        16⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2830647e-510e-4be2-8ad4-6160e6bb61e3.vbs"
        14⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65554d78-3f1c-4cce-b7e9-207baf10e8b1.vbs"
        12⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a9e77c8-56bd-4817-811a-644e7bca319c.vbs"
        10⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\029732cd-525c-4477-9be9-17796c6d0ab7.vbs"
        8⤵
        
        PID:492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7107035d-c486-43af-af53-7360df05a50d.vbs"
        6⤵
        
        PID:2504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bae8a03-7304-43c9-9d46-adc1896d2f38.vbs"
      4⤵
      PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Landscape\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Landscape\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\keystore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe

Filesize
4.9MB

MD5
d014e132bb02d79864af89c9d17a336c

SHA1
1c10883b70cac8fa85956bbcdbdf83820c86a43e

SHA256
c0d4e5cd44060c839d024b51217e58e0968d0a5ce09568993e686103608937ac

SHA512
35fc96b84c48faea69a41d6af3d2280dbd0df8fc2357d06dd84ddd9b8bbc7a423de884d882576828eeacfc608354b379a79c6b87e9f70d006a06c8743b7ab885

Download Submit
C:\Users\Admin\AppData\Local\Temp\000dfc55-f240-41b5-9ed9-6a910d40f642.vbs

Filesize
793B

MD5
e6222707ab0072f8a9157002ec70cfa0

SHA1
37002f95da85c3c4e5678989b482876ff4d759f7

SHA256
536b040046d661f4948acdd0c9ef619929821e006460e94c358e639fac1b4c7b

SHA512
096d429166026a0d033f21be868d6915e35b016b71cb790d91bd8b8fab94fd09ba00b5972298239f69e964a6a738ba14682c3a7a072bda1727e4e06169ea786e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16b1cd33-ab71-4640-9340-eccbbfbea490.vbs

Filesize
794B

MD5
bc6e8f1454713ae79021b63bf35c684c

SHA1
977d150c9afeedcbe19a1b200c684569912729e4

SHA256
7a5e08998bcbc0450dd10f16362448c5c53e7aa7055309fa1d1fd180d7c1c9f1

SHA512
154128287cd29cf9d5ee7c9bdefd34b892ba3ab1ae321282c6381b0f715e0d40e06dfa449a53d55977a6a4d6b41048a5bbb2295de103f60bbc9cfdb82412f6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\19d23ea8-1bee-42bd-8d26-9385667aa1b9.vbs

Filesize
794B

MD5
5397ba1de11cbd51ea52a1bbb3c8e005

SHA1
5a1d681d6e4f2b6cf3fd508f4e3209d27b51b0cd

SHA256
c3bc218b12586b128d32106d9ee7b6758e74ff38129f3f1a8e3e20a0e7c73626

SHA512
144b3910ad0c58354f62c04a187ff1d924b3a6b781c83f8d202ced6795284ca6efc456f60cc1a0a3503207a0464cd8952561cb32e129caf67d262071e71669ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bae8a03-7304-43c9-9d46-adc1896d2f38.vbs

Filesize
570B

MD5
3b496c605c281321c438f56dd936553f

SHA1
47f4ee1bc9dcf094254e7eb286e36752722c3739

SHA256
dc41d9d0945296fbaf4ba392ab39a38f94c4d5c71991520a6ff136d406fe4306

SHA512
0f7a038d25a597eeb91174d753f6d8f156cdc211d3a6f62b3244a1d243437d3ce45ea964ae8edc41fee46d61f6ba88ff33cb5d7f95eef19207ada1a3d736d8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ee48303-b053-4424-9808-f7c135a5d635.vbs

Filesize
793B

MD5
21239472a9772a9ef868f77a0eda9e1d

SHA1
83ed838c796081cdb69aca710f516c967fd33561

SHA256
1c89121f765fafa6ead5488bce7be9ebbce6f8bd9755986534cf8ee6f996bbbc

SHA512
69708095971fa203849469e54747238c4e3458c98976270d9b343da8cdcc22d4b715f04786282a35037d5ea87da3784ef6334294b255497b6e8077c45bcd480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a5ea96c-71bd-4e4d-8fa2-fd1848775abd.vbs

Filesize
794B

MD5
cfcce5edba2739529e1d0e4499f8c4c2

SHA1
0aec7bbd519486b46f17f4c0d9e1f809a1e6260c

SHA256
11e3ccb5066e43a2616ff48693e7c350efc83229e872b8f3195a2a8330e66fba

SHA512
5c6783236722b983b9fa9fcfaace80735600a8dc7ee7e2ce277d8145822eec08173469133d0cd77cfd0f245df7b6ff5cba25b15263131b163e2efb34f9856520

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f0d67d0-06da-4467-b79b-195cf04aa689.vbs

Filesize
794B

MD5
d2c30aa6d0194c54e9118affbb5a692e

SHA1
ecfbe605d009f5f0f4f2461fee08850f906e7d6f

SHA256
71b04f766ea1db4598dff4e88f5a7c27c89654d8a874d1cc9348abd51e5f226c

SHA512
945b541b91612d0c36029ae792b325ae982015f6cd0e5b8a25c0cf9b3e8ff2b6ae351a1754d6d97f59b675c2c2561e2ac3918662a2fa98018076ae7ebe595fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\90b51c83-7338-4be0-b4e4-542929ec0007.vbs

Filesize
794B

MD5
21f2d2e8449e567fc169dfbddc203ad1

SHA1
bc88b4a5c49cff038b2193ce5e76a2c5ec8316ff

SHA256
8d52b2162d047d14ba75959ab6b7231546199f9066ccb36bf4d2297f661dcd03

SHA512
37aa5cea27809147e23974f7cb5e9c120617b29ef56dea191d410d7dc21eba14e073daf573f349171af29570f0d95178e2bc54746752c40a5c6dc1866725fa8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\98b1938e-395e-4de5-a915-0d89fb48f8a9.vbs

Filesize
794B

MD5
242463ef45583032a7fb972c40ed51fa

SHA1
946f1f3a57749e731eda004605c3b88f818aea75

SHA256
3b4d60702fde83630dc0467e0fedd1aba2418ce8d42a0e1642a7dc5f14f5d001

SHA512
6a4ab2443fddad70127cd1f72dd706dff98cba1199fb0158d0bf793220f9c0ac2e0c67a59f522828792aec31e19e3a79e36e0f81256ee923e7aad31a01595537

Download Submit
C:\Users\Admin\AppData\Local\Temp\a15e8d83-c6ee-488c-9315-19abe7b45add.vbs

Filesize
794B

MD5
7e2ce03ba5a2a1b8def7fbd5c1395f0c

SHA1
881381cc66cafc56a80a5e53715ab21c0a8b69bf

SHA256
05d98cafc92ff61b720360ee567a46a8950f7233434a6b151fe33725e62927ca

SHA512
dacd6857ad1304b2bb832a26e6c89fc199532564a9953afd08323988d5057078e21d741407997966e701033ac55eb1ea08e55effedf1dde65b52e2c5a7a13eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\be830950-2edf-4bd5-acdc-e9433ac3b32c.vbs

Filesize
794B

MD5
993402bcc4d9965798e3995518aadc20

SHA1
9fffa4997b88db2860a63bb71a58588bc3a74f53

SHA256
a39bb24face73c525700d9112735e1c6cbc707e5044ef58c5c207e7a4b3651c7

SHA512
bacb17efcbf1caff0b653ac4f35f9167476bc124cbbc1e43326668fea18262d01f5278bc3bf8a8d86ca23ec784715010a0163d10d1c48c57d12eabcb050f5a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\febc0457-1bf8-4c30-ab16-3781db7f1b0a.vbs

Filesize
793B

MD5
dba3b259994135bfaa8533ca02d80486

SHA1
71092ab9567963c43738701c7fddca2067d263b8

SHA256
1d8e053e5bf925e5be68e59a1195fc3018c2a024089a4319f3aac41dfe721511

SHA512
61ccba5d980a62c4892971826a7e910bf492fb2c0efae88c646508bcec868138a506407038c7282fae039f60d3ac2514cab5ae9317300aad62b8d9b1e7db40ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIr7g9QuKX.bat

Filesize
283B

MD5
c0b605625cd33282f6e273805def24e9

SHA1
3b63692490b7eedc238fd438a2774af493ef53be

SHA256
164dce2ed210efe516924ce468aa108edeefc22a609531391764e08e258230d9

SHA512
fe521862530aeba1b0dc6760c47537db29583397f083287d17a1acc1fd3a46d49d39063f5e4d441762dc1d1a5bd0c101a1ef8c000ea8f4ec78d11d1cefa6ca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0F4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
183a26d50d65cfa5f1454b23b53583ac

SHA1
fb1e70d96699149c2b08a4e487559feb6a1a1637

SHA256
5371513bc7bef8623e847afe7821ab099b5b0ec0f9ecc26ce7398c5edb990383

SHA512
e526ab3ad7999e18ca4107cb69764c5587c1ed81ad90aed99b123adb226aad3a166b23fbc9ae0c09e80ed1cbda808bc84a9512de104ac9baa3a572abe9f9a9e9

Download Submit
C:\Users\Admin\Contacts\WmiPrvSE.exe

Filesize
4.9MB

MD5
b01f6f3d873ab05578a58c77de3325e0

SHA1
8a0af4f893835a31fd5202c276c43b3a3e52d139

SHA256
ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409

SHA512
8e564f46c0095bbcfe50bfd1b3043d3357f3afb41b6e030b2eb3790ca1a485007eec57f55928b4534104cd73594a805384370718eca48f6f2870937b311ad5f6

Download Submit
memory/448-316-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/532-271-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/668-286-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/1644-226-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/1644-227-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/1968-256-0x0000000000A50000-0x0000000000F44000-memory.dmp

Filesize
5.0MB

Download
memory/2164-301-0x0000000000830000-0x0000000000D24000-memory.dmp

Filesize
5.0MB

Download
memory/2176-331-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/2508-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/2508-7-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/2508-1-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/2508-160-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-147-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-138-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2508-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-16-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2508-15-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2508-14-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2508-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2508-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2508-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2508-10-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2508-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2508-8-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2508-3-0x000000001B5A0000-0x000000001B6CE000-memory.dmp

Filesize
1.2MB

Download
memory/2508-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2508-5-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2508-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2744-173-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2744-166-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2968-374-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/2980-241-0x0000000000840000-0x0000000000D34000-memory.dmp

Filesize
5.0MB

Download