dcrat | 82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Size

4.9MB
MD5

fa1e134ed3a3784a211e9fb679ef7e60
SHA1

586b4fd3f2e1163968ea56d61f349494b45fd633
SHA256

82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2
SHA512

a6131eaa1c25a9650b5b578aefb9a05f9c5b345fcf8a352fb309f28072db09c41f63b99064225cd491c6c064846b970c99ef8e9ac815181b8d4f4e691b3d6379
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2696	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2696	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2696	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2696	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2696	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2696	schtasks.exe	31

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2856-3-0x000000001B3C0000-0x000000001B4EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe
2132	powershell.exe
2512	powershell.exe
836	powershell.exe
1904	powershell.exe
2816	powershell.exe
2028	powershell.exe
2232	powershell.exe
2420	powershell.exe
2068	powershell.exe
2940	powershell.exe
2272	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1036	wininit.exe
2188	wininit.exe
868	wininit.exe
1292	wininit.exe
2336	wininit.exe
3068	wininit.exe
2788	wininit.exe
1932	wininit.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
1924	schtasks.exe
484	schtasks.exe
1608	schtasks.exe
1972	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
2232	powershell.exe
2420	powershell.exe
1904	powershell.exe
400	powershell.exe
2028	powershell.exe
2272	powershell.exe
836	powershell.exe
2940	powershell.exe
2068	powershell.exe
2512	powershell.exe
2816	powershell.exe
2132	powershell.exe
1036	wininit.exe
2188	wininit.exe
868	wininit.exe
1292	wininit.exe
2336	wininit.exe
3068	wininit.exe
2788	wininit.exe
1932	wininit.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1036	wininit.exe
Token: SeDebugPrivilege	2188	wininit.exe
Token: SeDebugPrivilege	868	wininit.exe
Token: SeDebugPrivilege	1292	wininit.exe
Token: SeDebugPrivilege	2336	wininit.exe
Token: SeDebugPrivilege	3068	wininit.exe
Token: SeDebugPrivilege	2788	wininit.exe
Token: SeDebugPrivilege	1932	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2272	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	38
PID 2856 wrote to memory of 2272	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	38
PID 2856 wrote to memory of 2272	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	38
PID 2856 wrote to memory of 2028	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	39
PID 2856 wrote to memory of 2028	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	39
PID 2856 wrote to memory of 2028	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	39
PID 2856 wrote to memory of 2232	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	40
PID 2856 wrote to memory of 2232	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	40
PID 2856 wrote to memory of 2232	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	40
PID 2856 wrote to memory of 2420	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	41
PID 2856 wrote to memory of 2420	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	41
PID 2856 wrote to memory of 2420	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	41
PID 2856 wrote to memory of 400	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	42
PID 2856 wrote to memory of 400	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	42
PID 2856 wrote to memory of 400	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	42
PID 2856 wrote to memory of 2132	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	43
PID 2856 wrote to memory of 2132	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	43
PID 2856 wrote to memory of 2132	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	43
PID 2856 wrote to memory of 2512	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	44
PID 2856 wrote to memory of 2512	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	44
PID 2856 wrote to memory of 2512	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	44
PID 2856 wrote to memory of 2068	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	45
PID 2856 wrote to memory of 2068	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	45
PID 2856 wrote to memory of 2068	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	45
PID 2856 wrote to memory of 836	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	46
PID 2856 wrote to memory of 836	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	46
PID 2856 wrote to memory of 836	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	46
PID 2856 wrote to memory of 1904	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	47
PID 2856 wrote to memory of 1904	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	47
PID 2856 wrote to memory of 1904	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	47
PID 2856 wrote to memory of 2816	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	48
PID 2856 wrote to memory of 2816	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	48
PID 2856 wrote to memory of 2816	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	48
PID 2856 wrote to memory of 2940	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	49
PID 2856 wrote to memory of 2940	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	49
PID 2856 wrote to memory of 2940	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	49
PID 2856 wrote to memory of 2224	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	62
PID 2856 wrote to memory of 2224	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	62
PID 2856 wrote to memory of 2224	2856	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	62
PID 2224 wrote to memory of 2548	2224	cmd.exe	64
PID 2224 wrote to memory of 2548	2224	cmd.exe	64
PID 2224 wrote to memory of 2548	2224	cmd.exe	64
PID 2224 wrote to memory of 1036	2224	cmd.exe	65
PID 2224 wrote to memory of 1036	2224	cmd.exe	65
PID 2224 wrote to memory of 1036	2224	cmd.exe	65
PID 1036 wrote to memory of 2704	1036	wininit.exe	66
PID 1036 wrote to memory of 2704	1036	wininit.exe	66
PID 1036 wrote to memory of 2704	1036	wininit.exe	66
PID 1036 wrote to memory of 568	1036	wininit.exe	67
PID 1036 wrote to memory of 568	1036	wininit.exe	67
PID 1036 wrote to memory of 568	1036	wininit.exe	67
PID 2704 wrote to memory of 2188	2704	WScript.exe	68
PID 2704 wrote to memory of 2188	2704	WScript.exe	68
PID 2704 wrote to memory of 2188	2704	WScript.exe	68
PID 2188 wrote to memory of 1948	2188	wininit.exe	69
PID 2188 wrote to memory of 1948	2188	wininit.exe	69
PID 2188 wrote to memory of 1948	2188	wininit.exe	69
PID 2188 wrote to memory of 2080	2188	wininit.exe	70
PID 2188 wrote to memory of 2080	2188	wininit.exe	70
PID 2188 wrote to memory of 2080	2188	wininit.exe	70
PID 1948 wrote to memory of 868	1948	WScript.exe	72
PID 1948 wrote to memory of 868	1948	WScript.exe	72
PID 1948 wrote to memory of 868	1948	WScript.exe	72
PID 868 wrote to memory of 2508	868	wininit.exe	73

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9MOUOnUXi1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2548
- - C:\Users\Public\Downloads\wininit.exe
    "C:\Users\Public\Downloads\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c44ddfab-cbb8-4928-a85d-74277d825cf0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2188
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72bde2f8-80a4-46ef-bf30-2719385cd00c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f4a276-7d45-4460-adb0-6fd1bd5b59aa.vbs"
        8⤵
        
        PID:2508
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e85a21d-7f3b-4752-9bff-0639079d9e26.vbs"
        10⤵
        
        PID:1704
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e15ae4-b0bd-46ab-8ea8-ee5c2ea8b004.vbs"
        12⤵
        
        PID:764
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3516bcf-712d-481b-aec4-ededab338546.vbs"
        14⤵
        
        PID:1512
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\902d21a0-4bd1-45aa-956a-d6ca506ecebc.vbs"
        16⤵
        
        PID:2772
        
        C:\Users\Public\Downloads\wininit.exe
        
        C:\Users\Public\Downloads\wininit.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2945643-272c-48a6-b009-b7813a405172.vbs"
        18⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278e6a4d-5669-4f65-885d-0090a5419770.vbs"
        18⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cfc167f-d97a-453a-8a40-168e06af244a.vbs"
        16⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19f2100c-547f-40fc-88f5-7c03fad0f748.vbs"
        14⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb1c7289-ae72-42bf-924f-b0fbbe902337.vbs"
        12⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6925bda-ab03-441a-9952-dd7f9c4c4055.vbs"
        10⤵
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7755b998-a578-457c-83db-505db6876e68.vbs"
        8⤵
        
        PID:2416
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62585533-e288-4243-a6a8-989017c98cf8.vbs"
        6⤵
        
        PID:2080
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8132a5-f6eb-4586-a0c7-45e4e3ce5b9b.vbs"
      4⤵
      PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\spoolsv.exe

Filesize
4.9MB

MD5
fa1e134ed3a3784a211e9fb679ef7e60

SHA1
586b4fd3f2e1163968ea56d61f349494b45fd633

SHA256
82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2

SHA512
a6131eaa1c25a9650b5b578aefb9a05f9c5b345fcf8a352fb309f28072db09c41f63b99064225cd491c6c064846b970c99ef8e9ac815181b8d4f4e691b3d6379

Download Submit
C:\Users\Admin\AppData\Local\Temp\08e15ae4-b0bd-46ab-8ea8-ee5c2ea8b004.vbs

Filesize
713B

MD5
30199d74610cd7bfb7c1baf3040a6b5c

SHA1
5020462ce4a084c986b4362db349441648cec41b

SHA256
74f97f4e012e73ec9c7460057e39cf841c72c8d28bd2bb3fc25d74fc8e6854ce

SHA512
6ac699f97823785b7bb00633e256e1ea2a5af4c0e898fe5ed7c26a585be0662cb0f9b7912fec20de5e0a63c034dd29e1d8b0daba33062202bb71460d47267339

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e85a21d-7f3b-4752-9bff-0639079d9e26.vbs

Filesize
713B

MD5
ad351ab15daa113be16315df8990d26a

SHA1
c7f11ddc52fabaee3c0afec19e13297663e267a9

SHA256
16b387111ff73c53cdd71be66654753d942934c86fd3565a5afd0dba1234c3de

SHA512
3ec2a794aac0815686d99e1d23b3abbf4379ae61b254d3b7e96aec8dc4d2ecf8eaaaf8252c21db275c240416535d48df519e54116fbd112c02ed302e6017b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\72bde2f8-80a4-46ef-bf30-2719385cd00c.vbs

Filesize
713B

MD5
ea967b4e9bedc2aa6b3b5a019dc4563b

SHA1
05f85ba679d879cc0ba1d06bd0bae9945a65d914

SHA256
d551b1bf65621cb56f7f58ad34ff29a80833e62509af68a62ccb597d75ae2272

SHA512
eaec5ce1be51ac5cd54f90d83fcfef1af4d99c83cc715c95768f7657d904634162c115eb51e319f998f6cf250807479051fd2e80484471f7935d705b220854d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d8132a5-f6eb-4586-a0c7-45e4e3ce5b9b.vbs

Filesize
489B

MD5
cfda879344c65f6e6691ded97142301d

SHA1
91bc8b3e876a5e722c53578ca20cc212856dddd5

SHA256
d5fbe0bbbd8a5ea8e7fcd115dfdc402b1d2805a2fdfa4de4046718448410de89

SHA512
7ed69c3d2d38c30a56f912be2c2fac97d3e2fb39a95f677aae30027fc049ff1c1ea3cc119ac973fef3c414a66d4f61ffb4cdec902f36146f6299c7c0e19e7f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\902d21a0-4bd1-45aa-956a-d6ca506ecebc.vbs

Filesize
713B

MD5
f91848ecf18e49e622107da5a7f1ea98

SHA1
6cb17ca16bdea9e02ac734a62900bd3425b26b74

SHA256
ba8a61198d85ce4ef2730e57679c785968ac110942ff90e48057e8d8fde04627

SHA512
addc585611b86c08679ecbd17711830dee955a71fe43f108deaeefe6a5e7246005da119e2d01ffb93b25f86e98412c5dcfb57005ffa699a3c1d765f6dd7f7405

Download Submit
C:\Users\Admin\AppData\Local\Temp\9MOUOnUXi1.bat

Filesize
202B

MD5
b23eaf486b5a1279cb2b969df0b3eeff

SHA1
7c7a64eb7438ba1f743e5abaeab322299b7ab7af

SHA256
592a0466744915f7d2ef37d225eee289e3c10a20eacc0cc00c9af254afb1045e

SHA512
a624d018119b56ddcdfd62012e78486b9f80fcda202a45c874339fe0bc9e597549b06ccb4f9d1720cd140163555599f91cddebc3be542c64c88192e4973ff6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2945643-272c-48a6-b009-b7813a405172.vbs

Filesize
713B

MD5
f64576c211132c3f0aeaca987043a624

SHA1
df966637f65dc300bc8c761efe80432298748e55

SHA256
f4008f272cac47d2b3b34068cfe88fea24fe52509dd8f4794fea3a28ada4a3a2

SHA512
a9427a0e7570b2d05712342a856c99a6882e7940ac9d2df710a63dfdd0ea932b991851946fd55bdc51d554b2c42720f72dfca721f0141ab1f9b1377b4eb3a06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3516bcf-712d-481b-aec4-ededab338546.vbs

Filesize
713B

MD5
4f0b8e6f9127d931c75eb23b3f0ffaee

SHA1
b004f4fb627251b2f361a4b406855fb319c5e0af

SHA256
04d7661494fbbfbde401f63016913e904e967fd34c678a10c5e8989a2650a543

SHA512
1db2bb1879af0a65c4a345ceec05758ca8561d289981181fad5352a569e09d9a4b51af01c86c6ca0f1e59da4f6077a9a24b2e7b6b0c7e6a99655d855772d22d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c44ddfab-cbb8-4928-a85d-74277d825cf0.vbs

Filesize
713B

MD5
01ef5f667613d41268966c2a4b9df85a

SHA1
ecf245eb167c82c413259a53ea4c3f6b1e6ea2f8

SHA256
5358366c2a49e5f5b5a42352652aebdce05d6bf51f620a815a8a9f02ee53a8b8

SHA512
ab33617ba7e683891be8f4277ea42007e20d77e161c310c48bcb42ccf0d7e861354ba5423e78ce271f0a394d76843034b0e69843e2e1c06e842b9ee81af8e3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0f4a276-7d45-4460-adb0-6fd1bd5b59aa.vbs

Filesize
712B

MD5
5d58de6743e453acf1e192e9f10698be

SHA1
7d728d4307e30f4e615f046e4b438c0b7cf9b6c5

SHA256
5ffa8caeef54296d5ae57d1ce1839efa38a8e63b14659a0b4f8d46e8a2900774

SHA512
0069db852923d4e284ac738cce52f114e5a0b2924668cf8089c495b29c5cb89398c7a5bc90c1c3acf2e874e961570f8e4e606986124edd782b25dc1e00018995

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD059.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84ecf43d7589e726a56ec354301a67f3

SHA1
8999aedc8012c3f8272f11584b4699af61e8fe7a

SHA256
f45e060df1849b1011ea452ecebb1b1a808b312a962421f644ad152225a91503

SHA512
f2c953d0fde98643b35f16aee3701762ab25068a1ae21b7a93d4c169d4f129cccf10bc2e88a82ddea8244231facb89dc9ecb6de042f4376b36695a2bfceb79f7

Download Submit
C:\Users\Public\Downloads\wininit.exe

Filesize
4.9MB

MD5
898dd580b6ac0ddccd660391b0ee3ac9

SHA1
19bc7d5c19b3693e68a7f743bca5b2a869283a4c

SHA256
1fc1d7560d37f79f96a2b798bcd7ba995fcbc7157b44d0c9d88b325dcdd1751d

SHA512
32b6c74feeb5b2ae7b0fd604c40c6a904c7422762c80d520c794d7aaf54ad34bb537e4357bd7bd8e93a361770263dc6fbbd53a9b129048acc682a347b3dceef2

Download Submit
memory/868-136-0x0000000000070000-0x0000000000564000-memory.dmp

Filesize
5.0MB

Download
memory/1036-106-0x00000000008C0000-0x0000000000DB4000-memory.dmp

Filesize
5.0MB

Download
memory/1036-107-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/1292-151-0x0000000000F60000-0x0000000001454000-memory.dmp

Filesize
5.0MB

Download
memory/1932-211-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download
memory/2188-121-0x0000000000A40000-0x0000000000F34000-memory.dmp

Filesize
5.0MB

Download
memory/2232-43-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2232-42-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2336-166-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/2788-196-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download
memory/2856-14-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2856-1-0x0000000000850000-0x0000000000D44000-memory.dmp

Filesize
5.0MB

Download
memory/2856-6-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2856-9-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2856-97-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-8-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2856-7-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/2856-13-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/2856-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2856-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/2856-15-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2856-5-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2856-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2856-11-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2856-3-0x000000001B3C0000-0x000000001B4EE000-memory.dmp

Filesize
1.2MB

Download
memory/2856-12-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2856-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-16-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/3068-181-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download