dcrat | 4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Size

4.9MB
MD5

d49f3eca938ef9afc22ab37348e7c3d0
SHA1

bbb92df0748401881fd5d2cddd8022130a735971
SHA256

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351
SHA512

97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2800	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2804	powershell.exe
2728	powershell.exe
2608	powershell.exe
2012	powershell.exe
2716	powershell.exe
1268	powershell.exe
2560	powershell.exe
2704	powershell.exe
2812	powershell.exe
2584	powershell.exe
2604	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2212	System.exe
2336	System.exe
1752	System.exe
940	System.exe
1552	System.exe
2328	System.exe
2072	System.exe
764	System.exe
296	System.exe
1520	System.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Microsoft Office\b75386f1303e64	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCX202F.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX2243.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX2D9E.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX39D3.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\audiodg.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\b75386f1303e64	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\c5b4cb5e9653cc	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX2929.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Microsoft Office\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Microsoft Office\Office14\42af1c969fbb7b	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\27d1bcfc3c54e0	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Microsoft Office\Office14\audiodg.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\System.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX2FA1.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\System.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\winlogon.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Windows\Tasks\winlogon.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Windows\Tasks\cc11b995f2a76d	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Windows\Tasks\RCX33B9.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe
3056	schtasks.exe
2868	schtasks.exe
640	schtasks.exe
2188	schtasks.exe
2152	schtasks.exe
1848	schtasks.exe
2668	schtasks.exe
2612	schtasks.exe
2120	schtasks.exe
1288	schtasks.exe
1508	schtasks.exe
2528	schtasks.exe
1248	schtasks.exe
1660	schtasks.exe
1796	schtasks.exe
2140	schtasks.exe
3044	schtasks.exe
2436	schtasks.exe
2808	schtasks.exe
2620	schtasks.exe
2260	schtasks.exe
304	schtasks.exe
2556	schtasks.exe
1484	schtasks.exe
2388	schtasks.exe
356	schtasks.exe
1716	schtasks.exe
2508	schtasks.exe
2392	schtasks.exe
2876	schtasks.exe
2624	schtasks.exe
320	schtasks.exe
2456	schtasks.exe
2344	schtasks.exe
836	schtasks.exe
1460	schtasks.exe
1404	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
2704	powershell.exe
2804	powershell.exe
2812	powershell.exe
1268	powershell.exe
2608	powershell.exe
2012	powershell.exe
2684	powershell.exe
2604	powershell.exe
2728	powershell.exe
2716	powershell.exe
2560	powershell.exe
2584	powershell.exe
2212	System.exe
2336	System.exe
1752	System.exe
940	System.exe
1552	System.exe
2328	System.exe
2072	System.exe
764	System.exe
296	System.exe
1520	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2212	System.exe
Token: SeDebugPrivilege	2336	System.exe
Token: SeDebugPrivilege	1752	System.exe
Token: SeDebugPrivilege	940	System.exe
Token: SeDebugPrivilege	1552	System.exe
Token: SeDebugPrivilege	2328	System.exe
Token: SeDebugPrivilege	2072	System.exe
Token: SeDebugPrivilege	764	System.exe
Token: SeDebugPrivilege	296	System.exe
Token: SeDebugPrivilege	1520	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2704	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	70
PID 2364 wrote to memory of 2704	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	70
PID 2364 wrote to memory of 2704	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	70
PID 2364 wrote to memory of 2804	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	71
PID 2364 wrote to memory of 2804	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	71
PID 2364 wrote to memory of 2804	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	71
PID 2364 wrote to memory of 2684	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	73
PID 2364 wrote to memory of 2684	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	73
PID 2364 wrote to memory of 2684	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	73
PID 2364 wrote to memory of 2560	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	74
PID 2364 wrote to memory of 2560	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	74
PID 2364 wrote to memory of 2560	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	74
PID 2364 wrote to memory of 1268	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	75
PID 2364 wrote to memory of 1268	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	75
PID 2364 wrote to memory of 1268	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	75
PID 2364 wrote to memory of 2812	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	76
PID 2364 wrote to memory of 2812	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	76
PID 2364 wrote to memory of 2812	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	76
PID 2364 wrote to memory of 2716	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	77
PID 2364 wrote to memory of 2716	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	77
PID 2364 wrote to memory of 2716	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	77
PID 2364 wrote to memory of 2012	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	78
PID 2364 wrote to memory of 2012	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	78
PID 2364 wrote to memory of 2012	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	78
PID 2364 wrote to memory of 2728	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	79
PID 2364 wrote to memory of 2728	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	79
PID 2364 wrote to memory of 2728	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	79
PID 2364 wrote to memory of 2608	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	80
PID 2364 wrote to memory of 2608	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	80
PID 2364 wrote to memory of 2608	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	80
PID 2364 wrote to memory of 2584	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	81
PID 2364 wrote to memory of 2584	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	81
PID 2364 wrote to memory of 2584	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	81
PID 2364 wrote to memory of 2604	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	82
PID 2364 wrote to memory of 2604	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	82
PID 2364 wrote to memory of 2604	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	82
PID 2364 wrote to memory of 2556	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	94
PID 2364 wrote to memory of 2556	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	94
PID 2364 wrote to memory of 2556	2364	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	94
PID 2556 wrote to memory of 2492	2556	cmd.exe	96
PID 2556 wrote to memory of 2492	2556	cmd.exe	96
PID 2556 wrote to memory of 2492	2556	cmd.exe	96
PID 2556 wrote to memory of 2212	2556	cmd.exe	97
PID 2556 wrote to memory of 2212	2556	cmd.exe	97
PID 2556 wrote to memory of 2212	2556	cmd.exe	97
PID 2212 wrote to memory of 1320	2212	System.exe	98
PID 2212 wrote to memory of 1320	2212	System.exe	98
PID 2212 wrote to memory of 1320	2212	System.exe	98
PID 2212 wrote to memory of 1568	2212	System.exe	99
PID 2212 wrote to memory of 1568	2212	System.exe	99
PID 2212 wrote to memory of 1568	2212	System.exe	99
PID 1320 wrote to memory of 2336	1320	WScript.exe	100
PID 1320 wrote to memory of 2336	1320	WScript.exe	100
PID 1320 wrote to memory of 2336	1320	WScript.exe	100
PID 2336 wrote to memory of 1980	2336	System.exe	101
PID 2336 wrote to memory of 1980	2336	System.exe	101
PID 2336 wrote to memory of 1980	2336	System.exe	101
PID 2336 wrote to memory of 1784	2336	System.exe	102
PID 2336 wrote to memory of 1784	2336	System.exe	102
PID 2336 wrote to memory of 1784	2336	System.exe	102
PID 1980 wrote to memory of 1752	1980	WScript.exe	103
PID 1980 wrote to memory of 1752	1980	WScript.exe	103
PID 1980 wrote to memory of 1752	1980	WScript.exe	103
PID 1752 wrote to memory of 2464	1752	System.exe	104

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
"C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2kvMhQbIai.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2492
- - C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
    "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2212
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de924e1a-b3e2-4518-81be-206a0711549a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2336
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d2d373-ae39-4b1b-ba89-916f41cbcc7a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaf9d8f-3d43-49ff-9702-075a988c74a9.vbs"
        8⤵
        
        PID:2464
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cdd6cde-8349-4554-b4b9-eac20adeccee.vbs"
        10⤵
        
        PID:2804
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6abf0f73-2e73-41af-9c6a-202ecfd8d67c.vbs"
        12⤵
        
        PID:1044
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68caa062-1326-4f36-8657-e8983d7a424f.vbs"
        14⤵
        
        PID:436
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170b34ed-b2d6-40b1-bd1b-eaba0187b0f2.vbs"
        16⤵
        
        PID:1996
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37485c7c-b9a7-4a3f-8370-b983f8c3d221.vbs"
        18⤵
        
        PID:444
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8bbf1f9-8a90-4836-9921-ad12b6d7a407.vbs"
        20⤵
        
        PID:1676
        
        C:\Program Files\Java\jdk1.7.0_80\bin\System.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\System.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81848996-3952-48fc-9ac2-e26620c2fbe8.vbs"
        22⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df0af7d9-c704-4e80-8694-7413fa6e2522.vbs"
        22⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa501a23-8c72-49c4-996d-d2ad35badb3b.vbs"
        20⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db770980-a165-4648-9e6e-534667a1f701.vbs"
        18⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35cdabd0-13a5-439f-b0c2-b5fb85c6706a.vbs"
        16⤵
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bc85c4c-1e41-4afd-854b-4da855724977.vbs"
        14⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34de3290-9260-4dfd-a39e-0a934f7a4b9b.vbs"
        12⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec39e3f-833c-4dc1-969c-8a68b3494b7b.vbs"
        10⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\745d4797-11b6-4a97-9a69-7a7a26a66a89.vbs"
        8⤵
        
        PID:2956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47bd93d4-03a5-4fb8-a46e-373b5aeebb23.vbs"
        6⤵
        
        PID:1784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ddb2105-a604-4b95-8fa8-864579fb706e.vbs"
      4⤵
      PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\Idle.exe

Filesize
4.9MB

MD5
d49f3eca938ef9afc22ab37348e7c3d0

SHA1
bbb92df0748401881fd5d2cddd8022130a735971

SHA256
4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

SHA512
97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68

Download Submit
C:\Users\Admin\AppData\Local\Temp\170b34ed-b2d6-40b1-bd1b-eaba0187b0f2.vbs

Filesize
724B

MD5
f43df0e7b47b2da3e34f8ba0e50b0812

SHA1
74d248eeeaefe971aac4cbbb5017a1ea8234f91a

SHA256
76fc12db0b4e472f0e9e493a4be6c3a9fb77d4b21eed999c8ef6c39c00609d51

SHA512
9ecbfae693de8e747d24bb8122b54f96f2bfe284957d354323cb809b8efba6c352950ebf7c31a7c446b8f58bcd01abc7b2b57759103acf4d9928ecd933cef98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2kvMhQbIai.bat

Filesize
213B

MD5
fe9e11394bc2af5cabe7e9cc8fc3be88

SHA1
83040a0bbc3333e33974380352100774b2875781

SHA256
58dcd8fcc96e775545f27afacb40718e875cf33e246da306e246c5bf1ae983c1

SHA512
2eec26d35714792132a76fd9f9a4c6566b46c58940012171a7a31b7655b2684075ba351e9bda14ef4b69aa1cddf331a4368588f835163fd59808603333887b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\37485c7c-b9a7-4a3f-8370-b983f8c3d221.vbs

Filesize
723B

MD5
44a8e7974fe3763b5f50a9a67e6a138a

SHA1
bfffb6f464214896e57e450fb37e4afaee77f6c0

SHA256
9b3ae8d95771b3f29e520f80ae4cc65dfc25b239b0dd13d2947d0f568ed03b2a

SHA512
7b5543edcec9bada65736c86884c89d51579dc8ee6046446280014846a85853a0c5aa3e3e6a51614fca1360c479f5856cad67211a0757af1f4a4e4fad784ad67

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aaf9d8f-3d43-49ff-9702-075a988c74a9.vbs

Filesize
724B

MD5
50bd6d845c5bfbb43c8d0cb1695edc12

SHA1
b1b05fa6c7ebbba70ddefa7565ca6d6b8b204f07

SHA256
76032c1cb0b42754c99d1e6c7e84da9ab8a26c4e381104e08e640b33d170c3a2

SHA512
4da9fec9ce6e389d8f57fa4a048062bb1bcac8baf0e0ad9786c705a7ce8ec410f034ecea5da701e7e02d6ee6dfd0bc995a01fdcbef00263cd323c14e606527a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\68caa062-1326-4f36-8657-e8983d7a424f.vbs

Filesize
724B

MD5
0557e63e5b6338f744a11b5b66e47c5c

SHA1
a4667ac36fbbdd23ef18073abdb8422bb37702a9

SHA256
3615d72048c50ab4d6cb0e77d205a0ffb90349ee15450bf01a2811d37a383a8f

SHA512
fc4fd8ffb233f79cae1e2d656a4e82bb79bf4956a4d4074e6df40305185f31bb97da539f6bec7f58dd3504c62297227db6922b4ad2fd2723e55f8bd63c5f83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6abf0f73-2e73-41af-9c6a-202ecfd8d67c.vbs

Filesize
724B

MD5
b556b26539fe0a5f642d1673b6fa9abf

SHA1
6bd75bf138b3767a2f2175ed4633f36d846b96af

SHA256
913f7f1e0cede002c24b94888c35e10980d8251fb24f7b95f4e58dda43c84360

SHA512
162b1c552e6bb33e8f3f8602cc6ab2b1d555afa3976b069baf614d76d46d6f3ad0509c7b6af75b5847ddfaab3c90b968594e08e67cdf72d1ca783a4f88332cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\81848996-3952-48fc-9ac2-e26620c2fbe8.vbs

Filesize
724B

MD5
ceac0cb6b712a21cdd05f6c9219478a3

SHA1
3d159d1bbfeb9fddd89d546a247e539590cf442c

SHA256
566b6f5adce72739b5ced6b0f17edff6eae958b3d36555ad7bfdede08191dd0b

SHA512
b62de8cab511a2d2d6f11e682e2e4128e29457a7524faf74d9e4a84ff51e5a22e513e63b5062ed0c00d2be71f85e64b8409823aadb5c7b1539717cfd6facf114

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d2d373-ae39-4b1b-ba89-916f41cbcc7a.vbs

Filesize
724B

MD5
47d5a62f239595ce6d1dd5c06e6563ee

SHA1
8e5e0f55964785280e62f71606e17f0aaef398d5

SHA256
a1511d3203d350375597cfcb635b88f0cff7453145bdb2183a45490ecb5370df

SHA512
e7e678481c0bd15618f532370399b1163fc168069f1fed022ff5d2dbd33ccee0860207102021e5141540a46daf5da18ecede9bd8618b2aabbe0593ba6414511a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cdd6cde-8349-4554-b4b9-eac20adeccee.vbs

Filesize
723B

MD5
9bb92e6169c895e5f083e0ce778ec364

SHA1
4bce62a9d6e75f70d3025ec094f295baf86959e5

SHA256
8f08ba3b5550ce8d0e9fb1faf372a7fae0fad1ff6f5655307c6015d3763cb76c

SHA512
3283bbc5784317c7f33501297574ee61fa5780e1a5665a64dd956ed03714582c625961dfe232c532471fcf0fc2572a1a11bc8827367611e356df6d623e19b8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ddb2105-a604-4b95-8fa8-864579fb706e.vbs

Filesize
500B

MD5
06190218b3dcb691cccbde1b48c29fde

SHA1
8f7c843cc372d3ed8c1903ef964acada4c59524e

SHA256
bba844dace892b85fb469d92c2e2b51b636ea5e9d32708d601c6da486ed54afe

SHA512
9842835e70f8fdf1e2f6ca930b06554a6c883b7e660b9ad463f459084b93d089f70bacbdbaa0cbb14b776adf8d16d4a7d29b5fd9f94805434703f95e712fb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\de924e1a-b3e2-4518-81be-206a0711549a.vbs

Filesize
724B

MD5
08e680c232001323c4929a637fb7fb12

SHA1
1783f4cabe6f36eb0f9a5b0a93edca212973d8a5

SHA256
d956aaa07e42cd6f582d711378a790fdb5cef48b69a03059cf78c96e85ed0487

SHA512
8a9aa8429518fd49b64208d15390eef5712da47d1b1bfb9fb2815b96cdbcd24386558189db6475a43e51c923a4c2257a733d08205424c544b8723755f43f4fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8bbf1f9-8a90-4836-9921-ad12b6d7a407.vbs

Filesize
723B

MD5
5a7bd4da6e3d8991e6953ffd6f61a00d

SHA1
af1d3ede8bb035a6927c7c419a082e32e6b7d706

SHA256
77bae07a5dc7214d23014c4570f4ff78cabc185d73f2c9869f7798f30edf5cde

SHA512
26ae7c90ab50692fd8b3b7e3ca0624490324a3c959615f252467d5d3bcab6a6ff52d12f936595a9af9e5e5b2484422cef333e011c5247a60002aedd8e3d02a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69EA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72c1ae74f9c12cfcfbc8ff0942213b3d

SHA1
07d2732e0e0ee2c53f1c731d0b143a170f4ac18d

SHA256
a67fe5244eff164a3d17ce6e815c23de432be11aca7c40e57914a7c38586d749

SHA512
c099bae1d94d4cc2752b160f67763f5815a63b255b92579ec48da59435b86e228abdddc006676cf6feac7434183ea678953999343fc74b9f4eaa5535ff6a338d

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
4.9MB

MD5
b776ef93fec35f3cad4a6ec535869928

SHA1
8f046a2fea46f0b7e2928e48838e3f376855dd10

SHA256
2436b1115fa468df9c9c164d027086e9cfeae171d856303974009b1ab92eba09

SHA512
f9d9bee3e754269aae3517fbb3fe7c8a3480b9ef3fe5a26e04f1bd2123556e9c2e41a8bb1e333c3e14be21bace215d22088980873df3ca035a5a981ac212e99a

Download Submit
memory/764-305-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/940-248-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download
memory/1752-232-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/1752-233-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2212-204-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/2364-11-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2364-10-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2364-1-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download
memory/2364-15-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2364-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp

Filesize
1.2MB

Download
memory/2364-14-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2364-13-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/2364-12-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2364-125-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-16-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2364-149-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-9-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2364-8-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2364-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/2364-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2364-5-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2364-4-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/2364-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-155-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2704-148-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download