dcrat | af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Size

4.9MB
MD5

efd24727bd3c623441b4d72e7bec1530
SHA1

1a80e16896a2c792a8bf193435e7aa12dda517e0
SHA256

af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8
SHA512

a4459a668fa63a9cbf8d288dc5d568ccb1474e8c94bf7ad467b7811f28d50672e3bc159706e0f6c98427275e48a97ed5e84b23d31c05f0cfa29380cee6bc5800
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2836	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2648-2-0x0000000001150000-0x000000000127E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2976	powershell.exe
2440	powershell.exe
928	powershell.exe
1256	powershell.exe
2252	powershell.exe
2120	powershell.exe
2516	powershell.exe
348	powershell.exe
2240	powershell.exe
900	powershell.exe
836	powershell.exe
1712	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2820	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2608	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2420	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1516	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
844	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2944	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1044	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXFB9F.tmp	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX5B3.tmp	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX824.tmp	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\c5b4cb5e9653cc	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\services.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files (x86)\Windows Media Player\System.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\System.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\RCXFDA2.tmp	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\services.exe	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1260	schtasks.exe
1636	schtasks.exe
764	schtasks.exe
2764	schtasks.exe
1760	schtasks.exe
2676	schtasks.exe
2900	schtasks.exe
784	schtasks.exe
2584	schtasks.exe
1984	schtasks.exe
2652	schtasks.exe
1632	schtasks.exe
2948	schtasks.exe
3008	schtasks.exe
1528	schtasks.exe
2396	schtasks.exe
624	schtasks.exe
2656	schtasks.exe
1276	schtasks.exe
2744	schtasks.exe
2052	schtasks.exe
1916	schtasks.exe
2724	schtasks.exe
2944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2516	powershell.exe
1256	powershell.exe
900	powershell.exe
2976	powershell.exe
2440	powershell.exe
1712	powershell.exe
348	powershell.exe
836	powershell.exe
928	powershell.exe
2252	powershell.exe
2240	powershell.exe
2120	powershell.exe
2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2820	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2608	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2420	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1516	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
844	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
2944	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
1044	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	2820	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	2608	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	2420	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	1516	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	844	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	2944	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Token: SeDebugPrivilege	1044	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2516	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	55
PID 2648 wrote to memory of 2516	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	55
PID 2648 wrote to memory of 2516	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	55
PID 2648 wrote to memory of 2976	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	56
PID 2648 wrote to memory of 2976	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	56
PID 2648 wrote to memory of 2976	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	56
PID 2648 wrote to memory of 348	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	57
PID 2648 wrote to memory of 348	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	57
PID 2648 wrote to memory of 348	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	57
PID 2648 wrote to memory of 2240	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	58
PID 2648 wrote to memory of 2240	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	58
PID 2648 wrote to memory of 2240	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	58
PID 2648 wrote to memory of 900	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	59
PID 2648 wrote to memory of 900	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	59
PID 2648 wrote to memory of 900	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	59
PID 2648 wrote to memory of 836	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	60
PID 2648 wrote to memory of 836	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	60
PID 2648 wrote to memory of 836	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	60
PID 2648 wrote to memory of 2440	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	61
PID 2648 wrote to memory of 2440	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	61
PID 2648 wrote to memory of 2440	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	61
PID 2648 wrote to memory of 928	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	62
PID 2648 wrote to memory of 928	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	62
PID 2648 wrote to memory of 928	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	62
PID 2648 wrote to memory of 1256	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	63
PID 2648 wrote to memory of 1256	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	63
PID 2648 wrote to memory of 1256	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	63
PID 2648 wrote to memory of 1712	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	64
PID 2648 wrote to memory of 1712	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	64
PID 2648 wrote to memory of 1712	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	64
PID 2648 wrote to memory of 2252	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	65
PID 2648 wrote to memory of 2252	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	65
PID 2648 wrote to memory of 2252	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	65
PID 2648 wrote to memory of 2120	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	66
PID 2648 wrote to memory of 2120	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	66
PID 2648 wrote to memory of 2120	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	66
PID 2648 wrote to memory of 2308	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	76
PID 2648 wrote to memory of 2308	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	76
PID 2648 wrote to memory of 2308	2648	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	76
PID 2308 wrote to memory of 1124	2308	cmd.exe	81
PID 2308 wrote to memory of 1124	2308	cmd.exe	81
PID 2308 wrote to memory of 1124	2308	cmd.exe	81
PID 2308 wrote to memory of 2936	2308	cmd.exe	82
PID 2308 wrote to memory of 2936	2308	cmd.exe	82
PID 2308 wrote to memory of 2936	2308	cmd.exe	82
PID 2936 wrote to memory of 2748	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	83
PID 2936 wrote to memory of 2748	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	83
PID 2936 wrote to memory of 2748	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	83
PID 2936 wrote to memory of 448	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	84
PID 2936 wrote to memory of 448	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	84
PID 2936 wrote to memory of 448	2936	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	84
PID 2748 wrote to memory of 1780	2748	WScript.exe	85
PID 2748 wrote to memory of 1780	2748	WScript.exe	85
PID 2748 wrote to memory of 1780	2748	WScript.exe	85
PID 1780 wrote to memory of 1680	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	86
PID 1780 wrote to memory of 1680	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	86
PID 1780 wrote to memory of 1680	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	86
PID 1780 wrote to memory of 2056	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	87
PID 1780 wrote to memory of 2056	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	87
PID 1780 wrote to memory of 2056	1780	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	87
PID 1680 wrote to memory of 2820	1680	WScript.exe	88
PID 1680 wrote to memory of 2820	1680	WScript.exe	88
PID 1680 wrote to memory of 2820	1680	WScript.exe	88
PID 2820 wrote to memory of 468	2820	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe	89

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
"C:\Users\Admin\AppData\Local\Temp\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e12j2F5HMu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1124
- - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
    "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2936
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f026108-6762-4983-a1b7-f8d3926c332b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1780
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d9cc62d-787b-4358-8dd1-a5d7ec92e786.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbb141a-febb-49f9-bca2-8b2c40dbf567.vbs"
        8⤵
        
        PID:468
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4704e08f-8ec9-402f-9c76-da1fd50c09e5.vbs"
        10⤵
        
        PID:2024
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2b765b6-3093-43c9-a248-0f23f4816f8b.vbs"
        12⤵
        
        PID:2412
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95b16e47-68cd-467c-95a2-87000f26d7c6.vbs"
        14⤵
        
        PID:2772
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40166f7-ddbb-48dd-b754-ae149463ca45.vbs"
        16⤵
        
        PID:1860
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b4abe11-5b5c-43d0-a877-2126006ad435.vbs"
        18⤵
        
        PID:2148
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e013cd-9f06-4662-b61b-64d5b7eb6629.vbs"
        20⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7f4c99b-c030-4e0c-a196-8ecf73d0b3e1.vbs"
        20⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0afa14-a30b-454b-a96b-2f7fb49d41a2.vbs"
        18⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92aa41d-6d75-4499-94c0-9fa7a89527a2.vbs"
        16⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3fc67d-77e9-4474-ba00-d5407087f2d4.vbs"
        14⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9398c58f-5a1f-4bd5-8df0-86b74f6451bf.vbs"
        12⤵
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307e8d79-623d-4884-944b-765dc378ee55.vbs"
        10⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebdd6e04-31e1-42bf-a876-0ee2c051f304.vbs"
        8⤵
        
        PID:532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d624223-fc2d-489e-b8c9-997f0d04c155.vbs"
        6⤵
        
        PID:2056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02678cc6-9f1a-431d-9605-03bbca7ee1b2.vbs"
      4⤵
      PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Favorites\Windows Live\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Windows Live\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Windows Live\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8Na" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8Na" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02678cc6-9f1a-431d-9605-03bbca7ee1b2.vbs

Filesize
570B

MD5
635c3b4849d594cae5fa317373015248

SHA1
ad446a3bd66f20f40fafd6d741102f09f31ffd81

SHA256
36b9ce4e06b2f9dab42739ce84159de7fe0edec6544691ccaf45d33e36ed40ae

SHA512
9739a531ab2fb0c282408e557dc5f6a4d2d3304c935f2733bb7a24501cc5c7dd311d185818b15dd0a47e5cbbd7ca626bf784d0fb5aa1fde5eaa8031382fca59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b4abe11-5b5c-43d0-a877-2126006ad435.vbs

Filesize
794B

MD5
88252c59ac784d5ceb5ee313192524a2

SHA1
18330d9ffcabbbef4884e7361d716d8c8813011c

SHA256
fb06575aff0ec721e3f50e17a9a0814f4cfb225fec21aff00593c9d22795081b

SHA512
5c763ba12185b50e041a4dfdc460b70e9a77d37218ea43e6a85a6e1010d26e2e1d0a34c3f3fd9fdaedf2de33062cdd706c2a6fbb3487b13ff77c7a043b1db69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4704e08f-8ec9-402f-9c76-da1fd50c09e5.vbs

Filesize
794B

MD5
e40b2edf9a16bbd3a6e30d2b4a6b2f94

SHA1
ea42b85e849c0834515f83a5aa4cec98975b9ee0

SHA256
476bde8d5fa725ebdeead5a73bcec93640c6154a360e78546df957e0305a8e73

SHA512
c151c03efa81e5da9d5baceb64dc91cd5396f0c489cf2dc6271b4c8f2375ba7d587c1404927a0158fdd7e94f6eef86009c10bd22e0e813a69d530f348c2379b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d9cc62d-787b-4358-8dd1-a5d7ec92e786.vbs

Filesize
794B

MD5
a1818c81b8512413062fef45e47fd436

SHA1
83cae5a55dead5e8afcfee997443c18e22c1d0ae

SHA256
a607d1c14cd52916026a80fc46b150006a97f9b9040e7d6f657479d193f3622a

SHA512
d4db803d3f529cef453fc22124f5cc38303335043016a117bb932a075e6177e409fbe564a6708b4ad817d6432ce1dc2a85ccf0842a00ffa796f48bcd43dfd25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95b16e47-68cd-467c-95a2-87000f26d7c6.vbs

Filesize
794B

MD5
654d25ddee97135f91045528c4d5589d

SHA1
531a1fe30247c0cb374b0452b40145366126e2f1

SHA256
7347810e2eb77009917be3e79ec5667f91852fe7d1c412caf42f56793fb15f05

SHA512
117a3ca80f638a4df275eb7dbae6a88940b5189985a15d1d96a9627324d29d1b37e11d5e79236c270f18df35910e6b7d1b2201e9ce1655fabd5c62a8a2125c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f026108-6762-4983-a1b7-f8d3926c332b.vbs

Filesize
794B

MD5
b6ffbb01ef1f89f935075127b03f940d

SHA1
ecb2051c70a5fad98a6cc4556806baa373ee0ff8

SHA256
8aec99e833785542fe09099a2814e0994dd59f4b7b413bdbc4ff787bb12d10b8

SHA512
dbee33c15b50a4c0289cc52b6efff59961229e7f16783f7642589886f5b0121e355ef8106ccb9b4c1c44316bf8a93cf22784319d9c50ccd521c852f7136953c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcbb141a-febb-49f9-bca2-8b2c40dbf567.vbs

Filesize
794B

MD5
ffedfe9a8974043d63c02fe8f022c3eb

SHA1
8e7b3588acd149a817e1d845eb8a0526bf746227

SHA256
8796ec98f3eb3f6dc758a0fcaefefaa2750a2c278da1b128d7d7a4ce07bd2fe7

SHA512
0204bbc70807bec0c71ceef7ebf598f256af9825dd670a8a84a4e4ea13cccde7a5d0b622a339524f56bcf3d92fa97fd69b298617b36878f3b1654fcddde1084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2b765b6-3093-43c9-a248-0f23f4816f8b.vbs

Filesize
794B

MD5
b696ce882e56cf4f685914523ec84fe8

SHA1
649652c1fe9f11a72d2900dba9a18373149ec220

SHA256
373ec9221ab7c2004bd3a888b32018554653b2d9f7a458455ac2ea21a08666a8

SHA512
92339bda6637b3d9d0c57788ada2a90b6a8dbf260e69c5cacb6ce9a944df14e3fd9daacaad2daa44c10c26a6cf16ab56fa7904916539ed554fb44ac18c5cb969

Download Submit
C:\Users\Admin\AppData\Local\Temp\e12j2F5HMu.bat

Filesize
283B

MD5
7865f2cb1988b37764278f08dea49c52

SHA1
d0e32bb4a22f4a961c0e273248d1ad0c7bdbf13c

SHA256
2fee34fb73789b11e375da3025c3d1061d33e7c6dc54fc6e3234a04327c59c1d

SHA512
3da6275f72423f505f05bdeabe2c80b125011e9976974edf85670682118ca02863a9e7f8b53aba135bd87dfcbe25ddcefe6855b23065273dea2efb76eee3f7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e013cd-9f06-4662-b61b-64d5b7eb6629.vbs

Filesize
794B

MD5
b01e386903e88990952f6ceb1976b10f

SHA1
7000042b8011faa731cc2f79d49de1dc0f51e216

SHA256
c95491c8fa514398f592d9756903d0969561ed8dd8f45a72578563352f34e149

SHA512
37442236e7350799b1d88602f165c9526ca7397fdaa15d7b220acbec28383a9bf2ec8d16d2bfeec0177a5a62bd8576cb8748c84a301ef196bb3924dec1ed181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f40166f7-ddbb-48dd-b754-ae149463ca45.vbs

Filesize
793B

MD5
e3c6827cada4f72f59b68c600b3bee04

SHA1
30d9f258ad2f75e0379b9bc038d0f6b16be3266c

SHA256
c3733f797c6a83cd03d21e31b91ba2b56313b556cc5360f78909b6ad83fc9590

SHA512
ad67f0dc5f124ac4a6213cf551ae130e00676ef2e977f906020c00ab56ef1c6f7f3987d449ed54c060449e7a901739868d50bb9243d4aec9a556520d3e3754b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp365C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MBWO997HS42UU2KN1D6K.temp

Filesize
7KB

MD5
d47763984735fa9e78b6affe7573ebe2

SHA1
e75ca0d0f65b5ce3ae86762a9e55269680bdbc28

SHA256
8d5c33bd9a08b80ad83b5c0d3c187bfcfd5e4596ca6de25496a4c333f940e2ac

SHA512
817e8deaf3e393f4bd0636acbe4c3eeb05f7c5da15ceeee89c12aa156e889396badcfebb319de2f74a49722a05dbc7d8fa0dd94ed504987ae953ae00963ce2aa

Download Submit
C:\Users\Admin\Favorites\Windows Live\OSPPSVC.exe

Filesize
4.9MB

MD5
efd24727bd3c623441b4d72e7bec1530

SHA1
1a80e16896a2c792a8bf193435e7aa12dda517e0

SHA256
af64244dd7aa72c062174bd05c38366baedd6da0451b756ae01c3e77cdaad6b8

SHA512
a4459a668fa63a9cbf8d288dc5d568ccb1474e8c94bf7ad467b7811f28d50672e3bc159706e0f6c98427275e48a97ed5e84b23d31c05f0cfa29380cee6bc5800

Download Submit
memory/844-253-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/1044-282-0x0000000000360000-0x0000000000854000-memory.dmp

Filesize
5.0MB

Download
memory/1044-283-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/1256-111-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1516-237-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/1516-238-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1780-178-0x0000000001140000-0x0000000001634000-memory.dmp

Filesize
5.0MB

Download
memory/2420-222-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/2516-112-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2648-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2648-15-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2648-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/2648-9-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/2648-10-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2648-14-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2648-13-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/2648-1-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/2648-12-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

Filesize
56KB

Download
memory/2648-114-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-3-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-2-0x0000000001150000-0x000000000127E000-memory.dmp

Filesize
1.2MB

Download
memory/2648-16-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2648-8-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2648-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2648-6-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2648-5-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2648-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2820-193-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/2936-164-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2936-163-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download