dcrat | f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Size

4.9MB
MD5

06f186fc55f38b20a7273da22fe0007a
SHA1

3eae6dd2aec4dcd82864b9fbe446e85ea603784b
SHA256

f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
SHA512

05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2732	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2512-3-0x000000001B580000-0x000000001B6AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
1924	powershell.exe
2848	powershell.exe
1868	powershell.exe
2844	powershell.exe
2008	powershell.exe
2708	powershell.exe
2756	powershell.exe
1692	powershell.exe
2636	powershell.exe
2924	powershell.exe
2100	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
444	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2200	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2560	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1944	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1616	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2280	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
580	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
540	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1644	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\Idle.exe	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD5A8.tmp	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2720	schtasks.exe
2888	schtasks.exe
2776	schtasks.exe
2096	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2756	powershell.exe
1692	powershell.exe
2100	powershell.exe
2224	powershell.exe
2924	powershell.exe
2708	powershell.exe
2008	powershell.exe
1868	powershell.exe
1924	powershell.exe
2848	powershell.exe
2636	powershell.exe
2844	powershell.exe
1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
444	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2200	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2560	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1944	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1616	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
2280	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
580	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
540	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
1644	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	444	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	2200	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	2560	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	1944	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	1616	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	2280	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	580	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	540	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Token: SeDebugPrivilege	1644	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2708	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	38
PID 2512 wrote to memory of 2708	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	38
PID 2512 wrote to memory of 2708	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	38
PID 2512 wrote to memory of 2756	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	39
PID 2512 wrote to memory of 2756	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	39
PID 2512 wrote to memory of 2756	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	39
PID 2512 wrote to memory of 2224	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	41
PID 2512 wrote to memory of 2224	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	41
PID 2512 wrote to memory of 2224	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	41
PID 2512 wrote to memory of 2636	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	42
PID 2512 wrote to memory of 2636	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	42
PID 2512 wrote to memory of 2636	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	42
PID 2512 wrote to memory of 1692	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	44
PID 2512 wrote to memory of 1692	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	44
PID 2512 wrote to memory of 1692	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	44
PID 2512 wrote to memory of 2100	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	45
PID 2512 wrote to memory of 2100	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	45
PID 2512 wrote to memory of 2100	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	45
PID 2512 wrote to memory of 2008	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	48
PID 2512 wrote to memory of 2008	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	48
PID 2512 wrote to memory of 2008	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	48
PID 2512 wrote to memory of 1924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	50
PID 2512 wrote to memory of 1924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	50
PID 2512 wrote to memory of 1924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	50
PID 2512 wrote to memory of 2844	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	51
PID 2512 wrote to memory of 2844	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	51
PID 2512 wrote to memory of 2844	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	51
PID 2512 wrote to memory of 2848	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	52
PID 2512 wrote to memory of 2848	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	52
PID 2512 wrote to memory of 2848	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	52
PID 2512 wrote to memory of 2924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	53
PID 2512 wrote to memory of 2924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	53
PID 2512 wrote to memory of 2924	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	53
PID 2512 wrote to memory of 1868	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	54
PID 2512 wrote to memory of 1868	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	54
PID 2512 wrote to memory of 1868	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	54
PID 2512 wrote to memory of 2572	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	58
PID 2512 wrote to memory of 2572	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	58
PID 2512 wrote to memory of 2572	2512	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	58
PID 2572 wrote to memory of 1472	2572	cmd.exe	64
PID 2572 wrote to memory of 1472	2572	cmd.exe	64
PID 2572 wrote to memory of 1472	2572	cmd.exe	64
PID 2572 wrote to memory of 1624	2572	cmd.exe	65
PID 2572 wrote to memory of 1624	2572	cmd.exe	65
PID 2572 wrote to memory of 1624	2572	cmd.exe	65
PID 1624 wrote to memory of 2704	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	66
PID 1624 wrote to memory of 2704	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	66
PID 1624 wrote to memory of 2704	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	66
PID 1624 wrote to memory of 2724	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 1624 wrote to memory of 2724	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 1624 wrote to memory of 2724	1624	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	67
PID 2704 wrote to memory of 2076	2704	WScript.exe	68
PID 2704 wrote to memory of 2076	2704	WScript.exe	68
PID 2704 wrote to memory of 2076	2704	WScript.exe	68
PID 2076 wrote to memory of 1224	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2076 wrote to memory of 1224	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2076 wrote to memory of 1224	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	69
PID 2076 wrote to memory of 1420	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 2076 wrote to memory of 1420	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 2076 wrote to memory of 1420	2076	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	70
PID 1224 wrote to memory of 444	1224	WScript.exe	71
PID 1224 wrote to memory of 444	1224	WScript.exe	71
PID 1224 wrote to memory of 444	1224	WScript.exe	71
PID 444 wrote to memory of 1060	444	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe	72

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
"C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYD4RjTjc3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1472
- - C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
    "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1624
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3b41017-8b03-4e0f-a35b-d34ebfb48e9e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2076
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c993e149-5c05-4c4f-9468-71523ce2d602.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b777edb-683f-4644-8a58-eaacd13c4ce8.vbs"
        8⤵
        
        PID:1060
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4142999-4ff4-432d-a3f0-112f085893dc.vbs"
        10⤵
        
        PID:1652
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\542c99bf-4f20-48b4-9698-00a97f090307.vbs"
        12⤵
        
        PID:2600
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dab59bd-16f2-4239-8858-bfda25926fd1.vbs"
        14⤵
        
        PID:2120
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a597c77-13af-4822-a3aa-5b9f96124e90.vbs"
        16⤵
        
        PID:2324
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc889f8-65b7-4306-aa37-fec0177a6c01.vbs"
        18⤵
        
        PID:2816
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c20ae7-e0b3-41ec-9c80-f34552bb76e0.vbs"
        20⤵
        
        PID:2720
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e135e1c-a244-4942-8b8b-b9270601aba0.vbs"
        22⤵
        
        PID:1280
        
        C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
        
        "C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2ab75c-48fe-4ea2-83e2-bde52ac85f14.vbs"
        24⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48b62773-34b5-4312-b52b-3803c48b91b6.vbs"
        24⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44196642-d126-4369-aa91-968da2c4a507.vbs"
        22⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9356ddbc-b783-4531-aa06-2bd1e7367612.vbs"
        20⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d5ff2fb-97d6-4869-b10d-0859a24649e9.vbs"
        18⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea1c7210-684c-4660-a6e2-bbd05a3c70f3.vbs"
        16⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\241c08aa-30c0-4188-9304-4c801d56d227.vbs"
        14⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d13296e-f125-4827-a910-3ec12d82939c.vbs"
        12⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23760890-9a0e-43a2-8679-90ca6375e6b5.vbs"
        10⤵
        
        PID:824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60bf0c38-772f-4210-8b71-5fef0c2b6b3e.vbs"
        8⤵
        
        PID:1692
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9d11a3-1b8f-4a47-82f9-7450652f1205.vbs"
        6⤵
        
        PID:1420
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0e27dad-e241-4e3a-9b31-6439d302cae9.vbs"
      4⤵
      PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7f" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7" /sc ONLOGON /tr "'C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7f" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\Idle.exe

Filesize
4.9MB

MD5
06f186fc55f38b20a7273da22fe0007a

SHA1
3eae6dd2aec4dcd82864b9fbe446e85ea603784b

SHA256
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7

SHA512
05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\05c20ae7-e0b3-41ec-9c80-f34552bb76e0.vbs

Filesize
765B

MD5
b78520fef63ebad5fe4b13ae93aa4794

SHA1
d1ccdd20b76f19641cb6973abd0993793fcc6eb0

SHA256
e384fdc841f3fb65f04fcfa7a5d9bb18119460a5b12eedc2f43fb2116c3362cb

SHA512
d534c41757a02fd26a477aec0e285291d9fb5be56be16ab85a7a2a3f3efe52ca33ec9e233597e78240db1ca8aeadb7a0abf80b7c59711be5ee97df2eeca9bb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e135e1c-a244-4942-8b8b-b9270601aba0.vbs

Filesize
765B

MD5
24e435368d70de2a36aaeeae54875810

SHA1
5ee6c644d66b66fe531f5dd4e3fe60928a900521

SHA256
2dd937906738f41e187fc56d61e695e369e150a4632515032470d6bf6b9a76f4

SHA512
cd5eb25190f0802037af0ade41d205ee968767127569bb298bd395ae40843e884c4a686dfeca452f6c6013f7fdaba57b52e82da6956adf5d8e0a9cbf9396e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\542c99bf-4f20-48b4-9698-00a97f090307.vbs

Filesize
766B

MD5
49b4387fd5086359c8ac737908684eeb

SHA1
63399cfd46e050a394be3b4b525668e691243197

SHA256
976848c4455493f62add4fdf0118e437d53652dfa90b6064490c71e6ef3b29f3

SHA512
cbeab42fa7ded8a01823f07cdc6b31154212a7e2e2958a133a0baca74bc674ee87b25022b5dc914698f3fc1bb61eef2eb9cbe05607380e88bfbb986c12851d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a597c77-13af-4822-a3aa-5b9f96124e90.vbs

Filesize
766B

MD5
8a525318a751ef98c0f2c46ed1208cc9

SHA1
aaa1dbd7717e1aa7911794e3d8a2987af1c775fc

SHA256
f4c7505a694c816373fcb84c0951607b64fb7ebbb8043d36df01be881358cdc6

SHA512
67301f6e3b2a1ee8a2781b4f9df80ee4c9a4db8cec73b8990d0f94610d806c01227bbbca715832bdee4cd3af26542c5ec2a9b63b34087aba939c98ea99029c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dab59bd-16f2-4239-8858-bfda25926fd1.vbs

Filesize
766B

MD5
a34a157d32d92ad0932b0da541cfa657

SHA1
6b375da961a4a1f764c1eb9909ca208431f17b29

SHA256
65d10794f52ef4624f5520d3dbe19c01d4e9c04e6b31688bddca4b07b26e30e0

SHA512
35caa23fa46dc279ea09813bda5057cb6ba108ad4aa031b5c491d59595440ed7c327c633b29ad812be84131588c83f5ba3b1523b43f7303e78979c8b7125a8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b777edb-683f-4644-8a58-eaacd13c4ce8.vbs

Filesize
765B

MD5
dc8260b9dcf76117020208f508ad3032

SHA1
c3b50efdf2481263d46c46da5bb68603df32e53f

SHA256
e5fb3e5dd97f6e2cedac6d0a040719347e8fdae9ea560e8e90c500300b00829c

SHA512
b13571a9e692c00b724c22a10ccff6d7ed4a0baa87efeaa4dd7ee421ebdcc06d657fbe77ea51b14b1335e06fe6371734de9b58d1d8b9dbeff1057dbf4be521c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0e27dad-e241-4e3a-9b31-6439d302cae9.vbs

Filesize
542B

MD5
7967296be2958d78fe5f967bb10cc1f7

SHA1
cc26643380e75f55c825462a6d8d97828e3ef68b

SHA256
5666cecc7262122cb8ee5a82638fe80d601e3b1f4b4277fb456e591de7cb5697

SHA512
d10fab797365b69d0dbf5d833fcc8bec0380d9376a5f4c0769e226e519202329edbfb981987bc8cbbdced2c339055aecc43202382b32392b81392a132aecd841

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc2ab75c-48fe-4ea2-83e2-bde52ac85f14.vbs

Filesize
766B

MD5
61d311b4873a7101705fdfe5c0b34113

SHA1
8a810d10ff243241977a85014db6e37b27ac36b4

SHA256
43b8cc2e8d59b850e690000b2b827dc47fc0d98aa1e4a4ce850449c6412feba5

SHA512
60025e9358d6c65eca61fb555e98a76617643874156d8b876789a7ff563cb13dbfa0d02d65e04c686beb2d4431bd7bcffc1d167583c204e03a5598b80a052ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3b41017-8b03-4e0f-a35b-d34ebfb48e9e.vbs

Filesize
766B

MD5
8e5a649c800928661ceb65c135df1113

SHA1
f7ee40ca61612e497a0624ba1338e19ba02c81c0

SHA256
9e5c50ae168f2dcc827052c37ac2795b86da90f5a8c41053414995c944c1d6e5

SHA512
9a0182cd205866aa27d2ef170cebecffcf912a11f85c97ae492662297efd39eb139307209d7364d94b30dacd0f0a0a44e13b5eba65169a31daebbcffb5a34ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c993e149-5c05-4c4f-9468-71523ce2d602.vbs

Filesize
766B

MD5
474d0172dace7dff880f9ca501d7e222

SHA1
1330ce6cf2743b10d477ac44a2449bdb978b5c9a

SHA256
dd3ed00e8f756b29e33eb7aba333b7589a1e9f50566302acf19c949b72f781c6

SHA512
c91b836dca2b41e678995232b6f4e690e8de2c787fba1001f04c98f9a42b5f60e1a3067f58f2375d2fab396648f8270ad85d302bfd66661845d17eef51f0061a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4142999-4ff4-432d-a3f0-112f085893dc.vbs

Filesize
766B

MD5
f3fb8f5d214e31f7516b1ad2ae25f79a

SHA1
a841798a09db993d4a621907bbb9d4056f7c20b6

SHA256
789b0bfe95b54a4d371cea3c7ae855d73784e27dcc813971897f04d684600ca5

SHA512
0710b2047f4bd86177b183e14116f6ad47fb824f05014d3150ef3d24b2dc1bcc911bb2f9c735cc32db43a0526ef8449469c3f04f32c97b913b493bbdd09b1f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc889f8-65b7-4306-aa37-fec0177a6c01.vbs

Filesize
766B

MD5
997398390578efa4789c16e220a5d868

SHA1
793f3897924baeb196649a87999d7e61f152e9bb

SHA256
e40cabe5095ecdf0270f5fe547eed66ea3f65012bbd75416b78fd19270a0822d

SHA512
a6056e1c05cfb89c1608636d885de1a2e6a33dc4b14352552fd2ccd3061cfa69ec7c8217ef2cd863a1821aa9df03af4414af83dbf2dc7381b36362b67c411147

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYD4RjTjc3.bat

Filesize
255B

MD5
994c21e35c442d963ecccaa9fe982d76

SHA1
c061ca810510f7e9fe2cebe5bfbe4fab1756e83c

SHA256
4f2b405ce7ef7babc2977e2422fb6db3af7bc3d099e94070e16febcb139de796

SHA512
94ecb05a1d0fe504297e6b9e7ce6a02de91f4e740d6e2219e9ac7fb7543852b61fcc9df18cabd02a659bdd94fcaa50b2eef5a079c83cd6c12ce9dc29a0d52edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D86.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aee0696efa53d004dcd9fdbe87d32d04

SHA1
16e3826569b199d5ae7e27fd28d2256800364c1c

SHA256
b0a216b91e58be1fdecb7925185764f1f351ec1bec6b6d55403902165e7c5c53

SHA512
2711280399522b5b1cc2f29d9df21a4b670c0ac683c71eb58b96bb6d93d76057795f50a222e1021c176023076349d510a11387c18dbc6928f8613ffa8a58b15a

Download Submit
C:\Users\Default User\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe

Filesize
4.9MB

MD5
811b59383bb679038c036727afdf3935

SHA1
b4f8a302e5bbd944c8993871a797072de8ca6784

SHA256
ebb8e2518db0bef98d0b89b27c213536648feb8989d8a285430aa05158841bf7

SHA512
490e46cd3aa89e43aa3989e2b81013582c4aa9c90a28a620e6e3bede65cc1efcebfb35588a2ba7dfb4477124cd43ef0818c2e9cc0cf68ef659624a7f7d05dbd1

Download Submit
memory/444-139-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/444-138-0x0000000001350000-0x0000000001844000-memory.dmp

Filesize
5.0MB

Download
memory/540-242-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1616-198-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/1624-107-0x0000000000B40000-0x0000000001034000-memory.dmp

Filesize
5.0MB

Download
memory/1624-108-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2076-122-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/2076-123-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2200-154-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2280-213-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/2512-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2512-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2512-41-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-15-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2512-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2512-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2512-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2512-1-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/2512-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2512-10-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2512-3-0x000000001B580000-0x000000001B6AE000-memory.dmp

Filesize
1.2MB

Download
memory/2512-16-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2512-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2512-7-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/2512-6-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2512-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-5-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2512-4-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/2560-169-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2756-55-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2756-59-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download