dcrat | 690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073

Analysis

max time kernel
117s
max time network
108s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Size

4.9MB
MD5

005277f6397a0a43ce9eca2c2910b750
SHA1

ac5f700488ba1ca531cb528e718412473eb7b948
SHA256

690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073
SHA512

21c819d180a218e375928e76fca735ee4746d803aca4cae04a5f82f9dcdd97510e1b88e9fb789f57a37ae904e38b40e257b0e03f785dfba8931f85c4b6d29215
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2848	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2848	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3028-3-0x000000001BAB0000-0x000000001BBDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe
2388	powershell.exe
2352	powershell.exe
1728	powershell.exe
2260	powershell.exe
1936	powershell.exe
1772	powershell.exe
1740	powershell.exe
2132	powershell.exe
1856	powershell.exe
280	powershell.exe
1992	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1416	dwm.exe
2660	dwm.exe
1872	dwm.exe
2788	dwm.exe
1880	dwm.exe
2456	dwm.exe
532	dwm.exe
3060	dwm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\6cb0b6c459d5d3	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\27d1bcfc3c54e0	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX1E6F.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\b75386f1303e64	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\Reference Assemblies\lsm.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\System.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\Reference Assemblies\101b941d020240	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\56085415360792	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\Reference Assemblies\lsm.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCX3524.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX2EAC.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\RCX3321.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\System.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX1A68.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PLA\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\PLA\c5b4cb5e9653cc	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\addins\RCX2073.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\addins\spoolsv.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\PLA\RCX27C6.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\PLA\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\addins\spoolsv.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\addins\f3b6ecef712a24	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
628	schtasks.exe
2660	schtasks.exe
2588	schtasks.exe
2352	schtasks.exe
2636	schtasks.exe
1988	schtasks.exe
880	schtasks.exe
2884	schtasks.exe
2216	schtasks.exe
2356	schtasks.exe
1424	schtasks.exe
1044	schtasks.exe
2028	schtasks.exe
2480	schtasks.exe
2184	schtasks.exe
1936	schtasks.exe
1652	schtasks.exe
1704	schtasks.exe
1644	schtasks.exe
1332	schtasks.exe
2300	schtasks.exe
2980	schtasks.exe
2584	schtasks.exe
2556	schtasks.exe
832	schtasks.exe
1492	schtasks.exe
2608	schtasks.exe
2896	schtasks.exe
1800	schtasks.exe
2832	schtasks.exe
1076	schtasks.exe
2024	schtasks.exe
400	schtasks.exe
2264	schtasks.exe
2168	schtasks.exe
756	schtasks.exe
1996	schtasks.exe
2764	schtasks.exe
1864	schtasks.exe
840	schtasks.exe
2196	schtasks.exe
2172	schtasks.exe
1816	schtasks.exe
2088	schtasks.exe
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
2132	powershell.exe
1740	powershell.exe
1236	powershell.exe
2260	powershell.exe
1772	powershell.exe
1856	powershell.exe
280	powershell.exe
1936	powershell.exe
2388	powershell.exe
2352	powershell.exe
1728	powershell.exe
1992	powershell.exe
1416	dwm.exe
2660	dwm.exe
1872	dwm.exe
2788	dwm.exe
1880	dwm.exe
2456	dwm.exe
532	dwm.exe
3060	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1416	dwm.exe
Token: SeDebugPrivilege	2660	dwm.exe
Token: SeDebugPrivilege	1872	dwm.exe
Token: SeDebugPrivilege	2788	dwm.exe
Token: SeDebugPrivilege	1880	dwm.exe
Token: SeDebugPrivilege	2456	dwm.exe
Token: SeDebugPrivilege	532	dwm.exe
Token: SeDebugPrivilege	3060	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1236	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	78
PID 3028 wrote to memory of 1236	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	78
PID 3028 wrote to memory of 1236	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	78
PID 3028 wrote to memory of 1936	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	79
PID 3028 wrote to memory of 1936	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	79
PID 3028 wrote to memory of 1936	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	79
PID 3028 wrote to memory of 1772	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	80
PID 3028 wrote to memory of 1772	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	80
PID 3028 wrote to memory of 1772	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	80
PID 3028 wrote to memory of 1740	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	81
PID 3028 wrote to memory of 1740	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	81
PID 3028 wrote to memory of 1740	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	81
PID 3028 wrote to memory of 2388	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	82
PID 3028 wrote to memory of 2388	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	82
PID 3028 wrote to memory of 2388	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	82
PID 3028 wrote to memory of 2352	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	83
PID 3028 wrote to memory of 2352	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	83
PID 3028 wrote to memory of 2352	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	83
PID 3028 wrote to memory of 1728	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	84
PID 3028 wrote to memory of 1728	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	84
PID 3028 wrote to memory of 1728	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	84
PID 3028 wrote to memory of 2132	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	85
PID 3028 wrote to memory of 2132	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	85
PID 3028 wrote to memory of 2132	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	85
PID 3028 wrote to memory of 1856	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	86
PID 3028 wrote to memory of 1856	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	86
PID 3028 wrote to memory of 1856	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	86
PID 3028 wrote to memory of 280	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	87
PID 3028 wrote to memory of 280	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	87
PID 3028 wrote to memory of 280	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	87
PID 3028 wrote to memory of 1992	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	88
PID 3028 wrote to memory of 1992	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	88
PID 3028 wrote to memory of 1992	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	88
PID 3028 wrote to memory of 2260	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	90
PID 3028 wrote to memory of 2260	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	90
PID 3028 wrote to memory of 2260	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	90
PID 3028 wrote to memory of 2148	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	102
PID 3028 wrote to memory of 2148	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	102
PID 3028 wrote to memory of 2148	3028	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	102
PID 2148 wrote to memory of 2608	2148	cmd.exe	104
PID 2148 wrote to memory of 2608	2148	cmd.exe	104
PID 2148 wrote to memory of 2608	2148	cmd.exe	104
PID 2148 wrote to memory of 1416	2148	cmd.exe	105
PID 2148 wrote to memory of 1416	2148	cmd.exe	105
PID 2148 wrote to memory of 1416	2148	cmd.exe	105
PID 1416 wrote to memory of 3048	1416	dwm.exe	106
PID 1416 wrote to memory of 3048	1416	dwm.exe	106
PID 1416 wrote to memory of 3048	1416	dwm.exe	106
PID 1416 wrote to memory of 1620	1416	dwm.exe	107
PID 1416 wrote to memory of 1620	1416	dwm.exe	107
PID 1416 wrote to memory of 1620	1416	dwm.exe	107
PID 3048 wrote to memory of 2660	3048	WScript.exe	108
PID 3048 wrote to memory of 2660	3048	WScript.exe	108
PID 3048 wrote to memory of 2660	3048	WScript.exe	108
PID 2660 wrote to memory of 628	2660	dwm.exe	109
PID 2660 wrote to memory of 628	2660	dwm.exe	109
PID 2660 wrote to memory of 628	2660	dwm.exe	109
PID 2660 wrote to memory of 1788	2660	dwm.exe	110
PID 2660 wrote to memory of 1788	2660	dwm.exe	110
PID 2660 wrote to memory of 1788	2660	dwm.exe	110
PID 628 wrote to memory of 1872	628	WScript.exe	111
PID 628 wrote to memory of 1872	628	WScript.exe	111
PID 628 wrote to memory of 1872	628	WScript.exe	111
PID 1872 wrote to memory of 1092	1872	dwm.exe	112

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
"C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\32C0d90ThP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2608
- - C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
    "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7eba0e8-dd86-486e-87cf-b3576b0dea07.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b03f3fa7-1d4b-4b49-8b2c-879ea8015870.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47fd900-accd-4a57-b063-e6322186f84b.vbs"
        8⤵
        
        PID:1092
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b4073ca-a6d8-44fb-a23d-b762b101643f.vbs"
        10⤵
        
        PID:1464
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b82c0f-92d6-4bbf-a7e0-5fb99b376ab7.vbs"
        12⤵
        
        PID:2188
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807a6fcf-1eb6-4928-90ec-833fce13d9e5.vbs"
        14⤵
        
        PID:3004
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbff20ac-63c8-4d2a-818e-d17fe0ec3abe.vbs"
        16⤵
        
        PID:756
        
        C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a08fc7b2-2496-4c65-a479-13f60c779ee6.vbs"
        18⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\740019eb-d24b-4767-92d2-52a042c5daf8.vbs"
        18⤵
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cdaf5af-4117-4b63-bbbb-25e00ebcf6ab.vbs"
        16⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0662445-ac1d-4db5-8eb8-8390d6a2188c.vbs"
        14⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd876aae-916a-4ab6-8e59-106a1b0c8275.vbs"
        12⤵
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeeb1f93-724d-4bad-8c84-9776a6894a7c.vbs"
        10⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be18739a-8487-4551-82d9-023b694b051f.vbs"
        8⤵
        
        PID:2968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f8ea8dd-0d1b-41d2-bd61-09a9e5e8ef28.vbs"
        6⤵
        
        PID:1788
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df2f7edb-2f4f-4933-bdd4-7bdd35cde543.vbs"
      4⤵
      PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PLA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N6" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N" /sc ONLOGON /tr "'C:\Users\Default User\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N6" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX1A68.tmp

Filesize
4.9MB

MD5
bb74010b8bd89fce70a6ca6391baf78b

SHA1
1aabc2e97b9e2c4f4c3a7b556af29ba3f3b9f191

SHA256
bc2d04d68da9856587c9fd7454022371eb9ddec358b55890faa3977fa91c0c05

SHA512
885dc615aad766cc26aa4fc23c06d76d10e4053bce5529e62fed89c5e072faa159b68b2fc9c64d7e11647e1ed7c1a6c5c4780226725a1dc6f6a77a4fba126bee

Download Submit
C:\Program Files\Reference Assemblies\lsm.exe

Filesize
4.9MB

MD5
005277f6397a0a43ce9eca2c2910b750

SHA1
ac5f700488ba1ca531cb528e718412473eb7b948

SHA256
690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073

SHA512
21c819d180a218e375928e76fca735ee4746d803aca4cae04a5f82f9dcdd97510e1b88e9fb789f57a37ae904e38b40e257b0e03f785dfba8931f85c4b6d29215

Download Submit
C:\Users\Admin\AppData\Local\Temp\20b82c0f-92d6-4bbf-a7e0-5fb99b376ab7.vbs

Filesize
727B

MD5
a19e2fe9227026c5be75d12e5a104dcc

SHA1
8698427071393f4a1072a671f432224392c83885

SHA256
c1c508af04cf90bcf8aae793390cc7a84ee05596a26989c3cbfc3beb619ca5c0

SHA512
fbfefd208d4f583d3a9a2800c405a905a4eb6b560b957a28df71b13e63c48f338f8799aa8030b2bd62b2b2356a61a164ae6fb0c7977a9ad4fb747661466a7715

Download Submit
C:\Users\Admin\AppData\Local\Temp\32C0d90ThP.bat

Filesize
216B

MD5
10ed2e0a2e639d2540e4c92c00799db4

SHA1
dd48b8e5c727514e3ca694e273c0389efcbc7b4a

SHA256
ec950c7b527e389beacd27c6a1d09f72f7aab005c56d4c4bd06db0710d1b9532

SHA512
61b74a7f453a841ac75aeaa1501c02e62928b954d28b024388c089d79a7c7c89cb7ace02ea286f3d85ece7fffd49bef6840655e62614222d25000b74cbd219bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b4073ca-a6d8-44fb-a23d-b762b101643f.vbs

Filesize
727B

MD5
8266d962f1a3fac2368715626a7c5018

SHA1
75580cc38d7733a51954ae6c081d0341afbef6a5

SHA256
6caea687ce437f8e717f46224ffe5b48388a780f5b285fb48dea15294d071ef2

SHA512
2af8d8ae958137b0f2c2becc4c25c9e7e270b996be8cd486a923a438e506aeb939466112d7a972a8aca95e6a3463f303963a421566a0da99c610ff40b1ddce85

Download Submit
C:\Users\Admin\AppData\Local\Temp\807a6fcf-1eb6-4928-90ec-833fce13d9e5.vbs

Filesize
727B

MD5
d150c30779246f194335afbbd50f1918

SHA1
990087b1f33ddb16dd72d72ab64274847effd07b

SHA256
85bc4a9b2e37525eda08a28f66122b5f925b656ac2b86246ae234ce6eac9e8d8

SHA512
59ab550481fa9a8c2af43630a742d647ca7acf90e4495079e971595c59c070dce1a4df3fecb640f59bff99562c9ca612f089a0a389a65f823d0f0154be206511

Download Submit
C:\Users\Admin\AppData\Local\Temp\a08fc7b2-2496-4c65-a479-13f60c779ee6.vbs

Filesize
727B

MD5
9276771309e41d33f940f8dad523e283

SHA1
39c1861400fdab03d5d0af3ef2fb6e35ac9cec10

SHA256
f51bceab4bbadfd8f968eb3b763c95c0b692432fdf7e0268c77557c4c54bc303

SHA512
0cd4153b16fe6a7f010101ed202cd18af2023adb2c2b36bd8d786812efd6d038259e2dc0afa56626b1467ac00b2644f9d067ff72ace253c43fb1fe4c3f17a6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a47fd900-accd-4a57-b063-e6322186f84b.vbs

Filesize
727B

MD5
e211e6e8cbb0dc011690f37b5425a383

SHA1
b3f3f2200255a0e8604036d2cb6ee886b362620c

SHA256
f19b4acd5069b36c22362798283477b4dd643cd9fb6b2cddb82b63a7106e1802

SHA512
56831339bee34270d9b3de0c7258e469d27d7913b0a00e9e962e4b657d16ca38bfa4c7e462a188914ce7439cab50afc87393149a12a83b6ced717f2ed520e3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b03f3fa7-1d4b-4b49-8b2c-879ea8015870.vbs

Filesize
727B

MD5
a89fea7d94db604338e7b2c410830d31

SHA1
7b3dc59af4993c8870e32ab8621ce567f6380a3a

SHA256
aa341fb6cd269db123a7e3b41b6ae719d39acb318879c5d5b66455f35e3ded67

SHA512
041e8a2e66627f5e365990b1a293d46b80db8889278b3ead44c6c1c27d7b910b9080eadee734e3311f0b4dab225bb955ea75f64e40e17d220877c160a4125aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbff20ac-63c8-4d2a-818e-d17fe0ec3abe.vbs

Filesize
726B

MD5
5d5bae9aed82b9b99ef6709d4db4f530

SHA1
9855944183d831f233ce1dd970e5cc9bdec27161

SHA256
115f2239026c4845994ed4bb9fad6342ecce71d4bb02bb9a0f4a465ff4386348

SHA512
2031672c58adebe98761d46da82448f74cc62a17990d1f3245f4cbb420ae92c5f4b594b5b48f9e03039c5858437130ad3dec6e4e39ca9f4d35cec9d68ec36ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7eba0e8-dd86-486e-87cf-b3576b0dea07.vbs

Filesize
727B

MD5
72e7d54734bb5bfcdc898f4639e84495

SHA1
83e6de4f9b92085fc33867fe4dcedc950a8d2187

SHA256
c7bcb63adf225c1854181de6ba46e20f02d0de891dc65795c2c16933e3db457a

SHA512
460e3ccc82db8feb111ca32e7c434f5ff733d5f777c070f3bd50b5a537abf9b348295e3f428faa682a5d05935bc90fe114330d9c62deba194139c8597ddf7a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\df2f7edb-2f4f-4933-bdd4-7bdd35cde543.vbs

Filesize
503B

MD5
9261456f7340dd96e488078d2250e197

SHA1
ed8575b257420ef1f26438699fba4120d0fd2000

SHA256
d677c4e80dbc673fea817b5f7d2d04d80dd793b33879e196ee5b1edfe112e56b

SHA512
689570c50874d18aab1c38df6664602936d2748f511b40cd72feed06ab87a764abfb5aaa75dcd58456a13059e040dce977f4371355fa7dd4eb2e619342a6bbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B79.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf21a0fe3ece240144a77dd5556b7ff8

SHA1
18e86fd4cdad6d7b757f1fb6bcba23dedb9e74fa

SHA256
a96f2c3055b3cd356863b83d94f7e1eda7d4ad2b8d20f5f7c3b2fa255b21a3db

SHA512
d36ded6ff0e0f4fd280166fbc8120c8fdc7af0eb3033f3e0abe849b92329e9ed36608022b168c49e43a7cfe7a57c76a9bda55cdd7345c653ebba0b60afe7e0b1

Download Submit
memory/1236-162-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1416-223-0x00000000009D0000-0x0000000000EC4000-memory.dmp

Filesize
5.0MB

Download
memory/1872-252-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1880-282-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2132-176-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2456-297-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download
memory/2660-237-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2788-267-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/3028-10-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/3028-9-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/3028-136-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/3028-163-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-15-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/3028-16-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/3028-14-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/3028-13-0x0000000000A40000-0x0000000000A4E000-memory.dmp

Filesize
56KB

Download
memory/3028-12-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/3028-11-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/3028-0-0x000007FEF4D23000-0x000007FEF4D24000-memory.dmp

Filesize
4KB

Download
memory/3028-151-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-8-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/3028-7-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/3028-6-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/3028-5-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/3028-4-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/3028-3-0x000000001BAB0000-0x000000001BBDE000-memory.dmp

Filesize
1.2MB

Download
memory/3028-2-0x000007FEF4D20000-0x000007FEF570C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-1-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/3060-326-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download