dcrat | 624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c

Analysis

max time kernel
115s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Size

4.9MB
MD5

448d47b42345b544c7abe88fa356ed00
SHA1

ae9661c13ece2218c5fccf1ecaab39ecd617a4ca
SHA256

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c
SHA512

0a3b5da20602bb61d27cc8de94a238d15c27ba9f2f80e170a98c7ee3c5dab06e218a6c516b3aaf2d485b614f7ccd0aeb7bc4120027f7c5dcc7abf46cb2357ac3
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 23 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\69ddcba757bf72		624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
		2864	schtasks.exe
		2832	schtasks.exe
		2828	schtasks.exe
		2976	schtasks.exe
		2488	schtasks.exe
		1420	schtasks.exe
		2920	schtasks.exe
		2316	schtasks.exe
		2828	schtasks.exe
		2868	schtasks.exe
		2632	schtasks.exe
		2332	schtasks.exe
		1960	schtasks.exe
		2140	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
		2808	schtasks.exe
		2740	schtasks.exe
		2940	schtasks.exe
		2872	schtasks.exe
		2752	schtasks.exe
		2596	schtasks.exe
		884	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	536	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2104-3-0x000000001B570000-0x000000001B69E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2060	powershell.exe
2892	powershell.exe
1540	powershell.exe
2200	powershell.exe
2292	powershell.exe
2748	powershell.exe
3016	powershell.exe
2108	powershell.exe
836	powershell.exe
1792	powershell.exe
2608	powershell.exe
1320	powershell.exe
1924	powershell.exe
1932	powershell.exe
2212	powershell.exe
1604	powershell.exe
2064	powershell.exe
2436	powershell.exe
908	powershell.exe
2640	powershell.exe
1076	powershell.exe
1472	powershell.exe
1692	powershell.exe
1832	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
408	lsm.exe
1808	lsm.exe
1656	lsm.exe
1172	lsm.exe
1548	lsm.exe
792	lsm.exe
2732	lsm.exe
2064	lsm.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 10 IoCs

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\ja-JP\dllhost.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\69ddcba757bf72	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\DVD Maker\ja-JP\5940a34987c991	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files\DVD Maker\ja-JP\dllhost.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCXBE13.tmp	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2740	schtasks.exe
2868	schtasks.exe
2488	schtasks.exe
1960	schtasks.exe
1420	schtasks.exe
2828	schtasks.exe
2872	schtasks.exe
2752	schtasks.exe
884	schtasks.exe
2920	schtasks.exe
2316	schtasks.exe
2828	schtasks.exe
2976	schtasks.exe
2864	schtasks.exe
2832	schtasks.exe
2140	schtasks.exe
2940	schtasks.exe
2632	schtasks.exe
2332	schtasks.exe
2596	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
2200	powershell.exe
2640	powershell.exe
2292	powershell.exe
2212	powershell.exe
2748	powershell.exe
1924	powershell.exe
2892	powershell.exe
2608	powershell.exe
2060	powershell.exe
1320	powershell.exe
1932	powershell.exe
908	powershell.exe
2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
1076	powershell.exe
1792	powershell.exe
1540	powershell.exe
2064	powershell.exe
1472	powershell.exe
2108	powershell.exe
1604	powershell.exe
2436	powershell.exe
836	powershell.exe
1692	powershell.exe
3016	powershell.exe
1832	powershell.exe
408	lsm.exe
1808	lsm.exe
1656	lsm.exe
1172	lsm.exe
1548	lsm.exe
792	lsm.exe
2732	lsm.exe
2064	lsm.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	pid	Process
Token: SeDebugPrivilege	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	408	lsm.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1808	lsm.exe
Token: SeDebugPrivilege	1656	lsm.exe
Token: SeDebugPrivilege	1172	lsm.exe
Token: SeDebugPrivilege	1548	lsm.exe
Token: SeDebugPrivilege	792	lsm.exe
Token: SeDebugPrivilege	2732	lsm.exe
Token: SeDebugPrivilege	2064	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.execmd.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe

description	pid	Process	procid_target
PID 2104 wrote to memory of 2608	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	37
PID 2104 wrote to memory of 2608	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	37
PID 2104 wrote to memory of 2608	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	37
PID 2104 wrote to memory of 2640	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	38
PID 2104 wrote to memory of 2640	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	38
PID 2104 wrote to memory of 2640	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	38
PID 2104 wrote to memory of 2748	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	40
PID 2104 wrote to memory of 2748	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	40
PID 2104 wrote to memory of 2748	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	40
PID 2104 wrote to memory of 2292	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	41
PID 2104 wrote to memory of 2292	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	41
PID 2104 wrote to memory of 2292	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	41
PID 2104 wrote to memory of 2892	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	43
PID 2104 wrote to memory of 2892	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	43
PID 2104 wrote to memory of 2892	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	43
PID 2104 wrote to memory of 2200	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	44
PID 2104 wrote to memory of 2200	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	44
PID 2104 wrote to memory of 2200	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	44
PID 2104 wrote to memory of 2212	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	46
PID 2104 wrote to memory of 2212	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	46
PID 2104 wrote to memory of 2212	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	46
PID 2104 wrote to memory of 2060	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	48
PID 2104 wrote to memory of 2060	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	48
PID 2104 wrote to memory of 2060	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	48
PID 2104 wrote to memory of 1932	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	49
PID 2104 wrote to memory of 1932	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	49
PID 2104 wrote to memory of 1932	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	49
PID 2104 wrote to memory of 908	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	51
PID 2104 wrote to memory of 908	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	51
PID 2104 wrote to memory of 908	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	51
PID 2104 wrote to memory of 1924	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	52
PID 2104 wrote to memory of 1924	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	52
PID 2104 wrote to memory of 1924	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	52
PID 2104 wrote to memory of 1320	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	53
PID 2104 wrote to memory of 1320	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	53
PID 2104 wrote to memory of 1320	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	53
PID 2104 wrote to memory of 2416	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	61
PID 2104 wrote to memory of 2416	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	61
PID 2104 wrote to memory of 2416	2104	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	61
PID 2416 wrote to memory of 308	2416	cmd.exe	63
PID 2416 wrote to memory of 308	2416	cmd.exe	63
PID 2416 wrote to memory of 308	2416	cmd.exe	63
PID 2416 wrote to memory of 2376	2416	cmd.exe	65
PID 2416 wrote to memory of 2376	2416	cmd.exe	65
PID 2416 wrote to memory of 2376	2416	cmd.exe	65
PID 2376 wrote to memory of 1076	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	81
PID 2376 wrote to memory of 1076	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	81
PID 2376 wrote to memory of 1076	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	81
PID 2376 wrote to memory of 3016	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	83
PID 2376 wrote to memory of 3016	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	83
PID 2376 wrote to memory of 3016	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	83
PID 2376 wrote to memory of 1472	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	84
PID 2376 wrote to memory of 1472	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	84
PID 2376 wrote to memory of 1472	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	84
PID 2376 wrote to memory of 1540	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	85
PID 2376 wrote to memory of 1540	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	85
PID 2376 wrote to memory of 1540	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	85
PID 2376 wrote to memory of 2108	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	86
PID 2376 wrote to memory of 2108	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	86
PID 2376 wrote to memory of 2108	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	86
PID 2376 wrote to memory of 1604	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	87
PID 2376 wrote to memory of 1604	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	87
PID 2376 wrote to memory of 1604	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	87
PID 2376 wrote to memory of 2064	2376	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe	88

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

lsm.exelsm.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exelsm.exelsm.exelsm.exe624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
"C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:308
- - C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe
    "C:\Users\Admin\AppData\Local\Temp\624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0cN.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
      "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:408
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cc81402-4830-4b3e-9edf-95a7e102a461.vbs"
        5⤵
        
        PID:2808
      - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d0d792a-6c99-421f-8df3-97c34c7a162c.vbs"
        7⤵
        
        PID:2924
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\847af5fa-fc99-44a9-945d-3e3008af4846.vbs"
        9⤵
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d3b29f-783a-461c-b51e-f6ef2d4a6692.vbs"
        11⤵
        
        PID:2932
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\337e976d-d1fc-4a20-b8b9-e6ffacfca3f5.vbs"
        13⤵
        
        PID:1628
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\447ce387-e84d-4820-8fe8-6662df31ba38.vbs"
        15⤵
        
        PID:2300
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f84be59-85a4-4931-a3d3-99c0a32000ad.vbs"
        17⤵
        
        PID:2740
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fa4b65-bf5b-42e1-a096-8d1e8382a3ed.vbs"
        19⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff96630e-a072-46db-9bf9-854c77d2248a.vbs"
        19⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee40034-001f-4e71-9806-77016f1f7102.vbs"
        17⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15851ac0-dc82-4bcf-a0c2-c628f24c42c3.vbs"
        15⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd2b693d-312e-4082-a557-e0459b5b7a90.vbs"
        13⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdd58780-651f-485c-8496-0d15defb25d6.vbs"
        11⤵
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5552844-e538-4149-9f94-cf3384ff7001.vbs"
        9⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6b6b601-e228-4091-9e4c-90b3d1d2786b.vbs"
        7⤵
        
        PID:1544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81c90a18-482c-46af-a53d-73a589042271.vbs"
        5⤵
        
        PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d0d792a-6c99-421f-8df3-97c34c7a162c.vbs

Filesize
746B

MD5
321e45e0a4c6c4a5f8f86bdd4274b0f4

SHA1
d9d5285ca9fb8a70dad56683a5100fbfac7f9076

SHA256
335bf32244449e23475707a94d46e363983c2f9a7e588b2e314cb9cf5536befe

SHA512
90fd9d40875635939982ab12c914cec90ca140cf7b0e46d2723e37ae0735632c4eb75213b53b80f19f90f8336167b63a8b9da6ed76aa8f830a70b9def1356cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\337e976d-d1fc-4a20-b8b9-e6ffacfca3f5.vbs

Filesize
746B

MD5
a101f03786edcfb9b2c598b3b05f404a

SHA1
3da21051c32b912b3723c609726727ea387bd20f

SHA256
fe1bb52f1632cd01ecedc7657f6bed6dfe9b9d2fa86e5af2781f96af0f190ea5

SHA512
d39df82eb1005bd862862441b2b4822d374b5ddd4b2bc03c62e3e69c759db71876aac2da2f5043061e144ca32a1e201b596a50834b927bef126b7fbd9e5a0bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc81402-4830-4b3e-9edf-95a7e102a461.vbs

Filesize
745B

MD5
c1ee5f5f3ae5c4a44fd57575294b4fbc

SHA1
c029dd3cea61018b0acb2fe2778df0f90b21967a

SHA256
cc3e0bf392e262fb40ec506e07103c970924aa17a9a568edc50bb7559dbcab19

SHA512
efc404e2ee5718e56a9f38d01db288a61fbbd5a0da0ac44fe811f06e7865d6c68b5776c7d73627b387ba8716ba88e3905f9f541f51ac58c9783469d7b5172a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\447ce387-e84d-4820-8fe8-6662df31ba38.vbs

Filesize
745B

MD5
dbb91415a5f86344b3f76623a5f589a1

SHA1
d5b90d7ac5a80849bde6c6ba6718e559a888bfbd

SHA256
5c0854237eb70eea091ed92019c6db5896b3e09232c5a19b43121a262ef0441a

SHA512
c664080c4d825e050dea9405f119e503c3c610f91681ee85b016c92dc99a4d0ded77ed169f209394a51a031269c09037da301889528eab49f555319826dc4053

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f84be59-85a4-4931-a3d3-99c0a32000ad.vbs

Filesize
746B

MD5
a38218a8b9460f2702ab3724a848a72c

SHA1
4538222e66b82a9619d2f335428f6875835e56fd

SHA256
c9553437b8048cd6dfcec181ab7ad5030a9dd4d76b09ee356b991c6506a2e194

SHA512
4047b7793139dba81ec5f4b29de90b332513b74dcc2caee4a082ae7f277ef47da5ed6b55625944f00f20134f38064b2ae0e17c91f1904b3ea7417a7839caedce

Download Submit
C:\Users\Admin\AppData\Local\Temp\81c90a18-482c-46af-a53d-73a589042271.vbs

Filesize
522B

MD5
25ab794c5a1a2d43387ca464c50f6986

SHA1
4986c94aba32f68a17b3c5fa7572847d0d0ae13f

SHA256
5ca1258b2a3f3600834c16f77d83c3b769c77b979ebfb333e8af48c03993a644

SHA512
dc684579fd294de37131b178f9c63aa496897076c44813ce31bd06705e0d8d769dca2f5868dc3730e751cf5994dba372525ea10a96ab90b827632c3995976459

Download Submit
C:\Users\Admin\AppData\Local\Temp\847af5fa-fc99-44a9-945d-3e3008af4846.vbs

Filesize
746B

MD5
8506f898ec70531981453ae7b97e350d

SHA1
067746b66500d15cb0b8365db5fd9da9ed24035b

SHA256
871970b904c3b3a332c844e80ce31b817412dd14db4eb4630d9c61ad1d591139

SHA512
afab2fad6d6fd801cbec82693bb05597a52bf1431b0f66e5d2b49f742c3acc75a55884f9b22353bec7488167370a4f714cfb6f1ce09b83b3261df66fa1015186

Download Submit
C:\Users\Admin\AppData\Local\Temp\88d3b29f-783a-461c-b51e-f6ef2d4a6692.vbs

Filesize
746B

MD5
52014364b7ea8d75c4a47c37d93af6d4

SHA1
ecaa2a16139af4a04949b889874dd7ffa3798f6f

SHA256
6cb55b45cd93d9e364d1288536396409aa89c77b60f66fe4c2430d64eb3beae4

SHA512
224913864c566ae4e56e42a565481a61684f07c6e34ed439fb3ede5553f4abc29b842d1c352c16e75e9fa4ff6299833af1de1f4e5104be963a71a925723bc5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0fa4b65-bf5b-42e1-a096-8d1e8382a3ed.vbs

Filesize
746B

MD5
b0dca384ad9e61ba53d8c1a94726f36c

SHA1
53b430e37106012c572cacf77ae2caf4c6f0ff92

SHA256
b34ad7cc86f54260d0f2ffca2c692954db677841c6f5689291f360d9e95dab27

SHA512
cba5fff0f15153f14de866ef6b93f86180d595321095ff4662511ed9afd650039348f4958f8bb523f442f46aad66fc1499ac454109e04ccd24c98c6ba32c43a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF641.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat

Filesize
268B

MD5
860247b6015042e2be01eff9fd387774

SHA1
29bdebb60a800774b457c9e2b6194a55a4dc7099

SHA256
601533b68fbd538e62a5b19ae8e4554b7976efefc4f56e40f3ebf540e73d8694

SHA512
e34691703a994aeed4181126bd4d99b3679574a9a35d195d7e44edbd9008a201be1569c32d274a82fd85fd899c677f2f13153e3799fbea5330fd1e1fbcd81314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8M349WYJQCLSDCYXMKDA.temp

Filesize
7KB

MD5
ce6dfd8bef7b1570aa300105e2df2388

SHA1
7ea086fd3777f21a4cd6e3d18950e33d6d689c8f

SHA256
2d9266055894518f113bbd579e2b99cf85d70efe5807eb8e04b50c92b519512c

SHA512
d8ecc02a5d1bf9aa996f582ebeb4a494f03832e0a603a4c9e68b5bc4b8cfff2b16eb0cc79f58651227557aa44396bc670cdb86ea529d9a5fc2e29da5fb770f4b

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\csrss.exe

Filesize
4.9MB

MD5
448d47b42345b544c7abe88fa356ed00

SHA1
ae9661c13ece2218c5fccf1ecaab39ecd617a4ca

SHA256
624765c71966c0c1a24bed80da1819cd8f29f5025f088381f26fc27ebac35d0c

SHA512
0a3b5da20602bb61d27cc8de94a238d15c27ba9f2f80e170a98c7ee3c5dab06e218a6c516b3aaf2d485b614f7ccd0aeb7bc4120027f7c5dcc7abf46cb2357ac3

Download Submit
memory/408-150-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/792-270-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/1076-138-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1076-149-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/1172-240-0x0000000000230000-0x0000000000724000-memory.dmp

Filesize
5.0MB

Download
memory/1548-255-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/1656-225-0x0000000000BE0000-0x00000000010D4000-memory.dmp

Filesize
5.0MB

Download
memory/1808-210-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/1808-209-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2064-299-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/2104-10-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2104-11-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/2104-57-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/2104-14-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2104-16-0x000000001AB90000-0x000000001AB9C000-memory.dmp

Filesize
48KB

Download
memory/2104-15-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/2104-13-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

Filesize
56KB

Download
memory/2104-12-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/2104-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2104-9-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/2104-8-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2104-7-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2104-6-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2104-5-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2104-4-0x0000000000A60000-0x0000000000A7C000-memory.dmp

Filesize
112KB

Download
memory/2104-3-0x000000001B570000-0x000000001B69E000-memory.dmp

Filesize
1.2MB

Download
memory/2200-58-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2200-52-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download