dcrat | 3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Size

4.9MB
MD5

9c4fae6d26e906b396e0f285aa3a13a0
SHA1

57d65fcc620bac0eb5a08cab4b2d57dc45b9cafc
SHA256

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475
SHA512

b7fbeeb44a39e0258b94305e2ccc32601d6ae27acee023e16e3b341fa81a716938ff5135c5a243a28130ff75069d5db022678aec8dc3d10878c30015edbc5736
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2640	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2640	schtasks.exe

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2412-3-0x000000001B3B0000-0x000000001B4DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1144	powershell.exe
3052	powershell.exe
2488	powershell.exe
2228	powershell.exe
1932	powershell.exe
1856	powershell.exe
3024	powershell.exe
2992	powershell.exe
316	powershell.exe
1252	powershell.exe
3036	powershell.exe
2432	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid process

2960 spoolsv.exe
3016 spoolsv.exe
2836 spoolsv.exe
780 spoolsv.exe
2200 spoolsv.exe
2460 spoolsv.exe
2188 spoolsv.exe
1664 spoolsv.exe
2376 spoolsv.exe

pid	process
2960	spoolsv.exe
3016	spoolsv.exe
2836	spoolsv.exe
780	spoolsv.exe
2200	spoolsv.exe
2460	spoolsv.exe
2188	spoolsv.exe
1664	spoolsv.exe
2376	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 16 IoCs

Processes:

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\RCXEEBB.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files\Common Files\System\System.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files\Common Files\System\System.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\cc11b995f2a76d	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXE1BA.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\1610b97d3ab4a7	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files\7-Zip\Lang\be4f023f26cb64	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files\Common Files\System\RCXDF49.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files\Common Files\System\27d1bcfc3c54e0	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Program Files\7-Zip\Lang\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXECB8.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe

Drops file in Windows directory 9 IoCs

Processes:

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe

description	ioc	process
File created	C:\Windows\tracing\winlogon.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Windows\tracing\cc11b995f2a76d	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Windows\Globalization\OSPPSVC.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Windows\Boot\Fonts\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Windows\tracing\RCXE8A0.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Windows\Globalization\OSPPSVC.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File created	C:\Windows\Globalization\1610b97d3ab4a7	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Windows\tracing\winlogon.exe	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
File opened for modification	C:\Windows\Globalization\RCXF12C.tmp	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1528	schtasks.exe
2552	schtasks.exe
2148	schtasks.exe
1228	schtasks.exe
2004	schtasks.exe
3068	schtasks.exe
2812	schtasks.exe
376	schtasks.exe
2608	schtasks.exe
2660	schtasks.exe
2524	schtasks.exe
2620	schtasks.exe
2428	schtasks.exe
2876	schtasks.exe
3056	schtasks.exe
2740	schtasks.exe
1860	schtasks.exe
2912	schtasks.exe
2828	schtasks.exe
2232	schtasks.exe
2724	schtasks.exe
1052	schtasks.exe
2940	schtasks.exe
2188	schtasks.exe
2776	schtasks.exe
1548	schtasks.exe
1592	schtasks.exe
2872	schtasks.exe
2800	schtasks.exe
2644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
1932	powershell.exe
1856	powershell.exe
2228	powershell.exe
1252	powershell.exe
316	powershell.exe
1144	powershell.exe
3036	powershell.exe
2488	powershell.exe
3024	powershell.exe
2992	powershell.exe
2432	powershell.exe
3052	powershell.exe
2960	spoolsv.exe
3016	spoolsv.exe
2836	spoolsv.exe
780	spoolsv.exe
2200	spoolsv.exe
2460	spoolsv.exe
2188	spoolsv.exe
1664	spoolsv.exe
2376	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2960	spoolsv.exe
Token: SeDebugPrivilege	3016	spoolsv.exe
Token: SeDebugPrivilege	2836	spoolsv.exe
Token: SeDebugPrivilege	780	spoolsv.exe
Token: SeDebugPrivilege	2200	spoolsv.exe
Token: SeDebugPrivilege	2460	spoolsv.exe
Token: SeDebugPrivilege	2188	spoolsv.exe
Token: SeDebugPrivilege	1664	spoolsv.exe
Token: SeDebugPrivilege	2376	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.execmd.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exe

description	pid	process	target process
PID 2412 wrote to memory of 1856	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1856	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1856	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1932	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1932	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1932	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3024	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3024	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3024	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2992	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2992	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2992	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 316	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 316	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 316	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2432	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2432	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2432	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2228	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2228	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2228	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2488	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2488	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 2488	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3052	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3052	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3052	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3036	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3036	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 3036	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1252	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1252	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1252	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1144	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1144	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1144	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	powershell.exe
PID 2412 wrote to memory of 1600	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	cmd.exe
PID 2412 wrote to memory of 1600	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	cmd.exe
PID 2412 wrote to memory of 1600	2412	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe	cmd.exe
PID 1600 wrote to memory of 2192	1600	cmd.exe	w32tm.exe
PID 1600 wrote to memory of 2192	1600	cmd.exe	w32tm.exe
PID 1600 wrote to memory of 2192	1600	cmd.exe	w32tm.exe
PID 1600 wrote to memory of 2960	1600	cmd.exe	spoolsv.exe
PID 1600 wrote to memory of 2960	1600	cmd.exe	spoolsv.exe
PID 1600 wrote to memory of 2960	1600	cmd.exe	spoolsv.exe
PID 2960 wrote to memory of 2316	2960	spoolsv.exe	WScript.exe
PID 2960 wrote to memory of 2316	2960	spoolsv.exe	WScript.exe
PID 2960 wrote to memory of 2316	2960	spoolsv.exe	WScript.exe
PID 2960 wrote to memory of 2056	2960	spoolsv.exe	WScript.exe
PID 2960 wrote to memory of 2056	2960	spoolsv.exe	WScript.exe
PID 2960 wrote to memory of 2056	2960	spoolsv.exe	WScript.exe
PID 2316 wrote to memory of 3016	2316	WScript.exe	spoolsv.exe
PID 2316 wrote to memory of 3016	2316	WScript.exe	spoolsv.exe
PID 2316 wrote to memory of 3016	2316	WScript.exe	spoolsv.exe
PID 3016 wrote to memory of 2148	3016	spoolsv.exe	WScript.exe
PID 3016 wrote to memory of 2148	3016	spoolsv.exe	WScript.exe
PID 3016 wrote to memory of 2148	3016	spoolsv.exe	WScript.exe
PID 3016 wrote to memory of 2632	3016	spoolsv.exe	WScript.exe
PID 3016 wrote to memory of 2632	3016	spoolsv.exe	WScript.exe
PID 3016 wrote to memory of 2632	3016	spoolsv.exe	WScript.exe
PID 2148 wrote to memory of 2836	2148	WScript.exe	spoolsv.exe
PID 2148 wrote to memory of 2836	2148	WScript.exe	spoolsv.exe
PID 2148 wrote to memory of 2836	2148	WScript.exe	spoolsv.exe
PID 2836 wrote to memory of 2132	2836	spoolsv.exe	WScript.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe
"C:\Users\Admin\AppData\Local\Temp\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hLmLPTkt0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2192
- - C:\MSOCache\All Users\spoolsv.exe
    "C:\MSOCache\All Users\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2960
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ab8253-9fc1-449d-b288-3b24087692a6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3016
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26dd1cc8-9fc7-4960-9116-57148a27957e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bee7650-5000-4aa1-b044-5d6cfd2cbbbf.vbs"
        8⤵
        
        PID:2132
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69c34231-9bce-43bb-83e5-7b868e8639fc.vbs"
        10⤵
        
        PID:2748
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4abc4f01-af63-4ed0-9d5e-e1e87892d865.vbs"
        12⤵
        
        PID:2216
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61588f85-49d2-45ca-afd4-9bdfc8ef35ff.vbs"
        14⤵
        
        PID:2180
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf5ed2c1-99a5-445b-b3db-eb68fc9778bc.vbs"
        16⤵
        
        PID:2764
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b444bda-7466-4a00-a6ca-1fd27eb345a5.vbs"
        18⤵
        
        PID:780
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5006f846-a216-44ba-9646-da4d9852e087.vbs"
        20⤵
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6430b71a-ff85-4b55-a4d5-bb7fac6523f1.vbs"
        20⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\631a329f-8e24-4dde-87ac-253fed919a09.vbs"
        18⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa0a36c5-476c-49a2-90f1-ab243a41e64c.vbs"
        16⤵
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ad3451-fc56-426f-bff6-6f61f8642005.vbs"
        14⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf38dbf-bb84-4e7e-bd26-3a52b9058c56.vbs"
        12⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2447c1b-53ec-4470-9842-e5be4d89145a.vbs"
        10⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4252b5-dc80-4d97-bbfe-3b4e09cfca74.vbs"
        8⤵
        
        PID:1508
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d17da268-a8be-4b35-871f-434e968f6c68.vbs"
        6⤵
        
        PID:2632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7efb178-207a-40c6-9ac3-bede7f9539fc.vbs"
      4⤵
      PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N3" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N3" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N3" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N3" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\spoolsv.exe

Filesize
4.9MB

MD5
e4b9155dd710b6b8d9ff1041ce45a1b9

SHA1
c1f5c1a0677832d0e22e3d8c88a923f0438cf5d1

SHA256
0c934d1e296786daf59b43d75d7b3c785ab6be66f61459e7cc19a2aef217b81f

SHA512
16a898548edc6f21f938d7b8d0e669a51f494c8a9bd234c1dc7021ffe16cdf840f49572d0b11e29fcbec75665b7022c7f2050eebdc5eb0e80bd4ecf34dcfe69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\26dd1cc8-9fc7-4960-9116-57148a27957e.vbs

Filesize
709B

MD5
31a29bc62998fbbdd627bde4de8dee14

SHA1
72576af25d889ece00e53716622c327f8b053844

SHA256
a0dc57b94561c9330a7df939b9d4bef0631c9e159dc63a7e2fab917f3fe9d347

SHA512
5875f60af2ccb3b8831aa84b083e381f0e4b00d75c8762be215c44e8db9848bf0cce9d9a614df0d9fc7a5d79cab5c55370706b8f668e40b30e59d93bc4b39882

Download Submit
C:\Users\Admin\AppData\Local\Temp\4abc4f01-af63-4ed0-9d5e-e1e87892d865.vbs

Filesize
709B

MD5
8832ef88c3cdc5a4809b16bbc33cf83b

SHA1
026e6d2c6eb3d689da03b9a00cf90f62a34b649f

SHA256
f09ee909ccbe845bf2771461e38cd44d9d22d205e710fb2c2f5f14ebb6199047

SHA512
b9e03489e2592def9e77543f266831c82fdf5eed044c84ff98ae1a525466d86b4ee8e7e789c863a1a58e82278c190a15cbd3715c7ff7a0206624d0b991149265

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b444bda-7466-4a00-a6ca-1fd27eb345a5.vbs

Filesize
709B

MD5
cc431a2796f98749b6eafa0cda30c5de

SHA1
dd2e1c0640dea4b0b035e5ba61c490ce9ba27d04

SHA256
b057a4a51a1d6c6283501b8b1adddedd5fe20a5e3520e34c78d0043f4390760a

SHA512
197b00debabd952fd3a3b1358a95da7bed8b6da1b314b767538cfcd76c1a7bd27612472a5f6e765617f15e76cca3c6e386f9b66c66346ec4c3ef7b0ec0576395

Download Submit
C:\Users\Admin\AppData\Local\Temp\5006f846-a216-44ba-9646-da4d9852e087.vbs

Filesize
709B

MD5
6e4220795b77e05a9ef8161ec4e452a9

SHA1
bec8ccffa04f0efa46b8867f30fbba59552494fb

SHA256
9fd5da7b4d5710e88b25ed81d89b14c25f7e0a10dc9d745a2267df33d621d257

SHA512
11efc5963bd20aada7c01305f417bd0e3c7b5cdd1b73017fca8b0bad6758f734d26e9a69a82fbb2a054235977ce8cc6152b199017d57c10f33ba1922d7f77173

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bee7650-5000-4aa1-b044-5d6cfd2cbbbf.vbs

Filesize
709B

MD5
77b8406df725564a1e2e4cc891f9709e

SHA1
abddc64bb6ccafd4edab2a23e88d8b106feadf81

SHA256
8f096d68b52d1a51901eb20bc62a02641ba7e77f2f14efff757eaf1530d9d40f

SHA512
6f2a7783bb9896bc63d3a7e7314fc03759ec6867f71c1dfd38c9a5c97d04d4e09a313ab7140d8b754622b5feb3144e3b81acaba796b2d9d6111959c3559fe801

Download Submit
C:\Users\Admin\AppData\Local\Temp\61588f85-49d2-45ca-afd4-9bdfc8ef35ff.vbs

Filesize
709B

MD5
a2fd26d5b8c761ae5c973654a593f1fe

SHA1
770487d3234889bbc21d57a52679bf7dc9219aa7

SHA256
4bb3f5a8dbee67dc2cb07d0a585efc72b7e31e134a1eb4bf6717deb828988506

SHA512
b935dd8bc7838f2c787f40c52c64874d5567b75b0d1de160c65f5767f77fa25e1773112ab0a9214e43fb6b63c48cddf27b25b27bcf9ef3811958cb2b03ee5777

Download Submit
C:\Users\Admin\AppData\Local\Temp\69c34231-9bce-43bb-83e5-7b868e8639fc.vbs

Filesize
708B

MD5
5a72b67a99d7c4c29924b992729ed710

SHA1
2752dd3e30f98000e2a75bd9001a2b4c651763a4

SHA256
8cee1f9ed38de20e5b17033638d616082741ec75428a2330faf488efb3726335

SHA512
9acf8fd28f287ca0d4cb78712e719f81cede5e832729db95d3adb34f347248606e42424ef91fd5e752a88c40b8e2f0b4f189a2be6be5f453513da0d395146859

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hLmLPTkt0.bat

Filesize
198B

MD5
98e9aad09455fb84040eaf9b5ff834ee

SHA1
500a90e03a744ee9beb28d79754133ff40a41fc1

SHA256
94e948fa3b531035c00de187e0db6722d17be2406de73abd676221b8620836b2

SHA512
df7394d04eea347badc6d34e209160dfa2fb47dc0aaed0bd8567a5a7b790c24eaaebd2c4edb91f85014650f4e6f9596a50dd0bc34b0dd119d2af682bb7f22114

Download Submit
C:\Users\Admin\AppData\Local\Temp\84ab8253-9fc1-449d-b288-3b24087692a6.vbs

Filesize
709B

MD5
ccd2b53e8728365af6251af4c6c926c4

SHA1
f1ce06b7f10a7510213174476b9d7ed4487ef614

SHA256
0f9956968dd105ec9da60a8de130bf8b5e69b8eda3f08275cc095a52a61a3d9e

SHA512
faeb36fe27ab48972ac76b23c2af049d13c6f1196f1deb20b368b349164b6a2e15f32ac6bbba4ce1057b0bf7d6dc42b7c4cc90f84cf7ebe02d4c51229c3af22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf5ed2c1-99a5-445b-b3db-eb68fc9778bc.vbs

Filesize
709B

MD5
1f1216ed16e623fa8f3319dc631170f1

SHA1
7373f816dc01977c016e72988589b174f0315212

SHA256
43c7aed7801e501fdf1db1e10120bfcf1c7a70f6bac21b36e35fa471c42bb485

SHA512
a85c590ca48b95808c6ae760492d9754587114db07465efe253ebf910acba50f7e25454b1f25ff61c2913336eae647b2bc6f971ec2f6b4ad767c3d8f5296666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7efb178-207a-40c6-9ac3-bede7f9539fc.vbs

Filesize
485B

MD5
66abb12887086ce9f0e26eb4d1b79405

SHA1
4597ce7d1114ea6e8ff5ec9c16f0a7e21917b1ee

SHA256
c9619d1a3df2e63607d6a499f0e25716e31585a2afcf05d4877074842638c1ae

SHA512
3105336da8c9ac320441b518d53e17c920f936a66c892bed2eb04a57ac3504240ca767e884e70d95d201d92d2adcd94699bb34eed23dc74d558768b5e080ab62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AL523M6LT9JSXO9DWZ2.temp

Filesize
7KB

MD5
813d8b80894e22f838fa28d3ef37e294

SHA1
404725d97deb7198c2307edafa59e20c15a88978

SHA256
837f26d25e3963addd6133de7444b0618648d0f1beeb030284c5dd30e7772094

SHA512
f11702d37427e00820be7fcbe7b3ec81810988651c6a52811b43716c0093ed89c8b01bdd7854d93ed916e164c4134bc99ab95de2318aa96c9c0eccce0645d843

Download Submit
C:\Windows\tracing\RCXE8A0.tmp

Filesize
4.9MB

MD5
ff0a418ae1c239af539483da4637441f

SHA1
5d4842eeacb69f1d1f48bd07fb21746c588924fb

SHA256
1c29bd52d1b05b3a0fa436bb3625eeb4d54db2980d998c5af73be8dc405e8203

SHA512
a7655087894ca9596220a20f5c2510b7aadc04248ec1ffd913d59493f34c3e181b6238daf47a8d88a3401f3ba994378eeb6c611757e9ab30dca9e14d3d69560a

Download Submit
C:\Windows\tracing\winlogon.exe

Filesize
4.9MB

MD5
9c4fae6d26e906b396e0f285aa3a13a0

SHA1
57d65fcc620bac0eb5a08cab4b2d57dc45b9cafc

SHA256
3263cda6552af33f3292861f0a28f7f06adae5c79a847d4271c2e1f1d1e18475

SHA512
b7fbeeb44a39e0258b94305e2ccc32601d6ae27acee023e16e3b341fa81a716938ff5135c5a243a28130ff75069d5db022678aec8dc3d10878c30015edbc5736

Download Submit
memory/1932-123-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1932-124-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2188-265-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2200-236-0x0000000001200000-0x00000000016F4000-memory.dmp

Filesize
5.0MB

Download
memory/2412-5-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2412-4-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2412-122-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-13-0x000000001ABA0000-0x000000001ABAE000-memory.dmp

Filesize
56KB

Download
memory/2412-12-0x00000000026B0000-0x00000000026BE000-memory.dmp

Filesize
56KB

Download
memory/2412-1-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/2412-11-0x00000000026A0000-0x00000000026AA000-memory.dmp

Filesize
40KB

Download
memory/2412-10-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/2412-9-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2412-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-8-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2412-3-0x000000001B3B0000-0x000000001B4DE000-memory.dmp

Filesize
1.2MB

Download
memory/2412-7-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/2412-6-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2412-14-0x000000001ABB0000-0x000000001ABB8000-memory.dmp

Filesize
32KB

Download
memory/2412-16-0x000000001ABD0000-0x000000001ABDC000-memory.dmp

Filesize
48KB

Download
memory/2412-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x000000001ABC0000-0x000000001ABC8000-memory.dmp

Filesize
32KB

Download
memory/2836-207-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download
memory/2960-178-0x0000000000B10000-0x0000000001004000-memory.dmp

Filesize
5.0MB

Download
memory/3016-192-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download