dcrat | 7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Size

4.9MB
MD5

cdd2f8f721e6359a948f6b6c4d1d5cd0
SHA1

b30e80a275147eb27e916e11fcb80233f6b9cf73
SHA256

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d
SHA512

04e0ce6889b21c8560206b938aa3223d7ab4e0a874e74a79cd8e365b8adafe71523da0f27f4717b49bae01fc20a0ec7d3002a944bff5817e1d02f3db2b98524d
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2148	schtasks.exe

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2364-3-0x000000001B890000-0x000000001B9BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2308	powershell.exe
1616	powershell.exe
3012	powershell.exe
2368	powershell.exe
2796	powershell.exe
2376	powershell.exe
1580	powershell.exe
1524	powershell.exe
2504	powershell.exe
2860	powershell.exe
1928	powershell.exe
1060	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
784	winlogon.exe
2624	winlogon.exe
844	winlogon.exe
2428	winlogon.exe
2208	winlogon.exe
2452	winlogon.exe
1940	winlogon.exe
2684	winlogon.exe
2596	winlogon.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 28 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\taskhost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXCFB0.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\RCXD3B8.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\dllhost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\6ccacd8608530f	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD1B4.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXDE39.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\1610b97d3ab4a7	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\services.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\Microsoft Office\Office14\c5b4cb5e9653cc	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCXDBC8.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\dllhost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE04C.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\24dbde2999530e	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\Microsoft Office\Office14\services.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXCD7D.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\5940a34987c991	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\cc11b995f2a76d	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2256	schtasks.exe
2636	schtasks.exe
1552	schtasks.exe
2804	schtasks.exe
1864	schtasks.exe
1056	schtasks.exe
2780	schtasks.exe
2948	schtasks.exe
2852	schtasks.exe
2664	schtasks.exe
2692	schtasks.exe
1640	schtasks.exe
2384	schtasks.exe
2712	schtasks.exe
1824	schtasks.exe
1696	schtasks.exe
1768	schtasks.exe
560	schtasks.exe
2816	schtasks.exe
2704	schtasks.exe
2632	schtasks.exe
1440	schtasks.exe
1912	schtasks.exe
2672	schtasks.exe
704	schtasks.exe
2728	schtasks.exe
2608	schtasks.exe
1784	schtasks.exe
1248	schtasks.exe
1808	schtasks.exe
844	schtasks.exe
2792	schtasks.exe
2268	schtasks.exe
2616	schtasks.exe
1980	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
1060	powershell.exe
2308	powershell.exe
2796	powershell.exe
1524	powershell.exe
3012	powershell.exe
2504	powershell.exe
1928	powershell.exe
1580	powershell.exe
2376	powershell.exe
2368	powershell.exe
1616	powershell.exe
2860	powershell.exe
784	winlogon.exe
2624	winlogon.exe
844	winlogon.exe
2428	winlogon.exe
2208	winlogon.exe
2452	winlogon.exe
1940	winlogon.exe
2684	winlogon.exe
2596	winlogon.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	784	winlogon.exe
Token: SeDebugPrivilege	2624	winlogon.exe
Token: SeDebugPrivilege	844	winlogon.exe
Token: SeDebugPrivilege	2428	winlogon.exe
Token: SeDebugPrivilege	2208	winlogon.exe
Token: SeDebugPrivilege	2452	winlogon.exe
Token: SeDebugPrivilege	1940	winlogon.exe
Token: SeDebugPrivilege	2684	winlogon.exe
Token: SeDebugPrivilege	2596	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.execmd.exewinlogon.exeWScript.exewinlogon.exeWScript.exewinlogon.exe

description	pid	process	target process
PID 2364 wrote to memory of 2308	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2308	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2308	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2376	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2376	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2376	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1580	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1580	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1580	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1616	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1616	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1616	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1524	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1524	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1524	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2504	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2504	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2504	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1060	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1060	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1060	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2860	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2860	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2860	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 3012	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 3012	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 3012	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1928	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1928	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 1928	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2368	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2368	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2368	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2796	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2796	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2796	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2364 wrote to memory of 2784	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	cmd.exe
PID 2364 wrote to memory of 2784	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	cmd.exe
PID 2364 wrote to memory of 2784	2364	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	cmd.exe
PID 2784 wrote to memory of 2528	2784	cmd.exe	w32tm.exe
PID 2784 wrote to memory of 2528	2784	cmd.exe	w32tm.exe
PID 2784 wrote to memory of 2528	2784	cmd.exe	w32tm.exe
PID 2784 wrote to memory of 784	2784	cmd.exe	winlogon.exe
PID 2784 wrote to memory of 784	2784	cmd.exe	winlogon.exe
PID 2784 wrote to memory of 784	2784	cmd.exe	winlogon.exe
PID 784 wrote to memory of 2284	784	winlogon.exe	WScript.exe
PID 784 wrote to memory of 2284	784	winlogon.exe	WScript.exe
PID 784 wrote to memory of 2284	784	winlogon.exe	WScript.exe
PID 784 wrote to memory of 2716	784	winlogon.exe	WScript.exe
PID 784 wrote to memory of 2716	784	winlogon.exe	WScript.exe
PID 784 wrote to memory of 2716	784	winlogon.exe	WScript.exe
PID 2284 wrote to memory of 2624	2284	WScript.exe	winlogon.exe
PID 2284 wrote to memory of 2624	2284	WScript.exe	winlogon.exe
PID 2284 wrote to memory of 2624	2284	WScript.exe	winlogon.exe
PID 2624 wrote to memory of 2584	2624	winlogon.exe	WScript.exe
PID 2624 wrote to memory of 2584	2624	winlogon.exe	WScript.exe
PID 2624 wrote to memory of 2584	2624	winlogon.exe	WScript.exe
PID 2624 wrote to memory of 1552	2624	winlogon.exe	WScript.exe
PID 2624 wrote to memory of 1552	2624	winlogon.exe	WScript.exe
PID 2624 wrote to memory of 1552	2624	winlogon.exe	WScript.exe
PID 2584 wrote to memory of 844	2584	WScript.exe	winlogon.exe
PID 2584 wrote to memory of 844	2584	WScript.exe	winlogon.exe
PID 2584 wrote to memory of 844	2584	WScript.exe	winlogon.exe
PID 844 wrote to memory of 552	844	winlogon.exe	WScript.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
"C:\Users\Admin\AppData\Local\Temp\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqhx4G824Q.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2528
- - C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
    "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e701aa33-5dda-4d4c-84de-5d07333f40f2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c43f1dcf-9ab0-4b44-9b29-eb0ed378d680.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\617f2a94-4684-4d3b-b081-03dc3f2221ae.vbs"
        8⤵
        
        PID:552
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56ef994d-49ef-4ed3-8024-f04c29e55cf5.vbs"
        10⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45992595-f10c-46ce-9e0a-3bf64ebb6701.vbs"
        12⤵
        
        PID:1984
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bc8db44-ff05-46fc-bc51-76663dd3741f.vbs"
        14⤵
        
        PID:2392
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5541c6a-a206-40b1-8a78-c0159f715fa3.vbs"
        16⤵
        
        PID:824
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e111357c-899f-4cc0-979b-282f23b18f69.vbs"
        18⤵
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f599fb-af39-4dde-8cc5-6eb091a0d7fd.vbs"
        20⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe43f7b6-8c28-4776-8776-f72ade11fd33.vbs"
        20⤵
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1a97c7-37ce-4699-bd42-d898a563bc2f.vbs"
        18⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\856f2a7f-115e-4566-b5a2-cc8acd4313b1.vbs"
        16⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3192c869-328f-4580-85c9-615377e441aa.vbs"
        14⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c97b742-e11c-4080-9e9a-e1a221cac9a2.vbs"
        12⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e00ea784-57ba-4805-8f28-ca5e948fcbd2.vbs"
        10⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4aafafa-a882-4cb2-b637-51c86b044b76.vbs"
        8⤵
        
        PID:2704
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6298ff4c-e88d-4132-a4dd-0199228b570b.vbs"
        6⤵
        
        PID:1552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11f63d3-d9e4-4956-8ac5-e8f596ea30d0.vbs"
      4⤵
      PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN7" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN" /sc ONLOGON /tr "'C:\MSOCache\All Users\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN7" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe

Filesize
4.9MB

MD5
cdd2f8f721e6359a948f6b6c4d1d5cd0

SHA1
b30e80a275147eb27e916e11fcb80233f6b9cf73

SHA256
7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d

SHA512
04e0ce6889b21c8560206b938aa3223d7ab4e0a874e74a79cd8e365b8adafe71523da0f27f4717b49bae01fc20a0ec7d3002a944bff5817e1d02f3db2b98524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc8db44-ff05-46fc-bc51-76663dd3741f.vbs

Filesize
746B

MD5
da26e4a7234398ea81d5916ad6abbdd0

SHA1
a495019822e6afbbbe383599e5bd1512b3efce91

SHA256
e9b4270fd868b078b5130a6fd0618f2b38b7fb016a7c48b036fa6bfabfd823a3

SHA512
bd120aad930ed17addc6c6ab10ea6aed5b94a2e89ea7dca05ab3cbf633954f683e88b4264543ec28c375aa08f70a7e65cc13c5954ec317dfefad45443f5f8ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\45992595-f10c-46ce-9e0a-3bf64ebb6701.vbs

Filesize
746B

MD5
72509564969ac31ec4125bc8d1943537

SHA1
ee1e1bdf481634cdbbe46dc79b9a63d93d1496a3

SHA256
9396ff64ac6693e64acbef5af4104abfce8b754dd94645a6eb8fc3b0163783ad

SHA512
addb8744245d287a1720c23629fbd64dca8b32f27f8012833efbac0d400bf5a9f893ebe23175747e883da8b7beab1ddc17dd70e491cfc796329b8425166fb069

Download Submit
C:\Users\Admin\AppData\Local\Temp\56ef994d-49ef-4ed3-8024-f04c29e55cf5.vbs

Filesize
746B

MD5
a82b30a3bb3fc1ca7d17b497206fd306

SHA1
828913930652e0dfb543cfca4b67a1ec46b96249

SHA256
d24b75883c0bf57581285867e2cc1cf327a9db3d6965c43a8048ab7447d6b92d

SHA512
180cc1948bfa09c589eef1b79f3054ef427e1079ef3fb0b0728c49944999ffaa5216693de3817bd2606e420d5b49a6b0767015872c8bf8d18e7da7a0e9f79ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1f599fb-af39-4dde-8cc5-6eb091a0d7fd.vbs

Filesize
746B

MD5
8b432cbe88b551cd540089dfbf6c511a

SHA1
c7b0d09c3cf8c9a5322f404d8f3faf74ae49844b

SHA256
ad337e6b7f21d7b9cfcebed64acc0ff9319e16978c522f9604e181be4031416b

SHA512
7982b6cb2b1b147790e1e0a7d65df661f36b430c5c6fee05f37681a13e19c20e37ad92e42105c15056cdd28ad4db5ba6f813b2836028e0cf74d8183724a7c6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c43f1dcf-9ab0-4b44-9b29-eb0ed378d680.vbs

Filesize
746B

MD5
fd593a8d109db001958c184337451a74

SHA1
0cde75b594c93fda525191012edbb5bd0a7e92a9

SHA256
53c9b217aaa3be4041a26dec2fbc3fa225c90a89e7546108f4e78737b1a4ac75

SHA512
65acafbed481e45b7f5673414d9ee35010f0dbf7e9601e33aedef2fbeed5f139b0f2becf9fd20dc3caa49a0464bcf06e2fa4e2875646d9ef4680b310d8b2d558

Download Submit
C:\Users\Admin\AppData\Local\Temp\d11f63d3-d9e4-4956-8ac5-e8f596ea30d0.vbs

Filesize
522B

MD5
92337a6a3411d5bae6f64cdf693b1341

SHA1
5f818b50e7c2e26a26709bd68f1fd9ea4371eed2

SHA256
e51d6efaf7fe30e96df70a94c9e99202974734c402d3b559bc36a0475085893f

SHA512
a2fd69446678e9dd5facbf74056bb026cc212ba5531aebbf43133e36ca22a8dad3f86f0d417b03061222a8f0a21eb0cccb6f53e82d8d0adffa16cad224313da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e111357c-899f-4cc0-979b-282f23b18f69.vbs

Filesize
746B

MD5
9cea5e029c24ffc9118c9df06d3bea34

SHA1
76088a3ec2f1570baa088386c064f60949a56e6c

SHA256
60345dbf549379702881482a73be05767391b5e775ef56bf3c0ddec4d058c7a6

SHA512
cd86b18ebdf7841f733c73b9021a30fbf1b4707183cc9425d1622b4b8206b996b074f911ef059db282f44ec7aca3d9c3320277576bb8cea2a0f9d03255636dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e701aa33-5dda-4d4c-84de-5d07333f40f2.vbs

Filesize
745B

MD5
f662b1ecb6f8eb09263bd09ab39897c2

SHA1
efff01cdbb2ce42dfb31826a3a654aacd7599907

SHA256
f3d843420179729aeda33ec40727ddca1160a7cb136e4fb1dfaf76eb2c9a4cd2

SHA512
7733eabeff90a52b0df6ef178031c25f30a5cdf99f4f16d83e423f566d96b857234bddf38608fd68f9f222b6748c44713e973108bd01dcd89c2475f15dd926a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5541c6a-a206-40b1-8a78-c0159f715fa3.vbs

Filesize
746B

MD5
eb91b12c37e5b80597456e5f405054f8

SHA1
247a6d3f25073e619c2700a3e9b682f925366a5c

SHA256
50a78be92a5192a71b733522583fc647f31f7121d9e2c6cb64f139f32847fd71

SHA512
06eaba6d5071633882a30ac9879e57de52c43367c9297bd75374cfb77faf2274b30d83d9b88a626b00b44f8308121ea42bdd5687ff2350317232cdc237a0df26

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqhx4G824Q.bat

Filesize
235B

MD5
f4efd8a581da6fe209d2d37d08cbb8ef

SHA1
6e3d82c204323e7dfc212a002ff35e378dc5818f

SHA256
add5c970510c24b97ee0b272c650d112cfce57222ab425db731483880d134b07

SHA512
51cb368a809ff471c23bc0b34f8f87524dcc336fce54e5d4db64f11aace8f6e15458623f4d8932eb825389d2355bc77dfd7f35cfb82752143de4243a3827349a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8cb7cfd0ab2ad6609ce039a2ad9f30d4

SHA1
d57a4bab2c116cbf0c8ac8dcc77eaa2a03839f22

SHA256
547199fce5f4ce3a5ec090ffc157409f46e49c4358bd36aec8d77003306ae217

SHA512
0583a3a004dadf155df5ffcdfd2aecc11110edc4c80d2e1af4a90e31a93ebbfde14dcce3df858469409243d3340b8fb7268c58ee3d5d6b80712c3cdbb8931921

Download Submit
memory/784-196-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/784-195-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/844-225-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/1060-140-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1060-146-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2208-254-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2364-8-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2364-1-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2364-16-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/2364-14-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2364-13-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/2364-12-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2364-11-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2364-10-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2364-9-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/2364-7-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2364-15-0x00000000013A0000-0x00000000013A8000-memory.dmp

Filesize
32KB

Download
memory/2364-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-6-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2364-129-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-5-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2364-3-0x000000001B890000-0x000000001B9BE000-memory.dmp

Filesize
1.2MB

Download
memory/2364-4-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2428-239-0x0000000000090000-0x0000000000584000-memory.dmp

Filesize
5.0MB

Download
memory/2452-269-0x00000000001C0000-0x00000000006B4000-memory.dmp

Filesize
5.0MB

Download
memory/2596-313-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/2624-210-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2684-298-0x0000000000D50000-0x0000000001244000-memory.dmp

Filesize
5.0MB

Download