dcrat | 3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Size

1.5MB
MD5

e0c65dbfbfc5260e19c57ecb844449d0
SHA1

dd9f1a77331257afe3869d2de63a4e14b7797632
SHA256

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb
SHA512

6ec5998f4d56f7c179b6e150b38c1b83639dd73ce12e7f137f3673278023d4155db2f4d204f216ad1e99ad1a7d2f793a15ff63142945206efe2ec261ab45c956
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\sysmon\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\sysmon\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\", \"C:\\Documents and Settings\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\sysmon\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\", \"C:\\Documents and Settings\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Users\\Public\\Music\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\", \"C:\\Windows\\sysmon\\sysmon.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2044	schtasks.exe	84

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4560	powershell.exe
396	powershell.exe
5116	powershell.exe
1256	powershell.exe
3772	powershell.exe
3520	powershell.exe
1628	powershell.exe

Drops file in Drivers directory 1 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 15 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid	Process
1736	SearchApp.exe
4316	SearchApp.exe
1292	SearchApp.exe
3652	SearchApp.exe
532	SearchApp.exe
3716	SearchApp.exe
4248	SearchApp.exe
1292	SearchApp.exe
4224	SearchApp.exe
3544	SearchApp.exe
2244	SearchApp.exe
4272	SearchApp.exe
4188	SearchApp.exe
4820	SearchApp.exe
4028	SearchApp.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN = "\"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\sysmon\\sysmon.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN = "\"C:\\Documents and Settings\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN = "\"C:\\Recovery\\WindowsRE\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp\\SearchApp.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\sysmon\\sysmon.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN = "\"C:\\Documents and Settings\\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Music\\System.exe\""	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 4 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXBC7E.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\e1ef82546f0b02	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Drops file in Windows directory 8 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

description	ioc	Process
File opened for modification	C:\Windows\sysmon\sysmon.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\38384e6a620884	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\sysmon\sysmon.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File created	C:\Windows\sysmon\121e5b5079f7c0	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\RCXB875.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
File opened for modification	C:\Windows\sysmon\RCXBA79.tmp	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4912	schtasks.exe
4956	schtasks.exe
3736	schtasks.exe
3548	schtasks.exe
4976	schtasks.exe
5020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSearchApp.exeSearchApp.exe

pid	Process
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
1256	powershell.exe
1256	powershell.exe
1628	powershell.exe
1628	powershell.exe
396	powershell.exe
396	powershell.exe
3520	powershell.exe
3520	powershell.exe
4560	powershell.exe
4560	powershell.exe
396	powershell.exe
5116	powershell.exe
5116	powershell.exe
3772	powershell.exe
3772	powershell.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
5116	powershell.exe
1256	powershell.exe
4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
3520	powershell.exe
4560	powershell.exe
1628	powershell.exe
3772	powershell.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
1736	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe
4316	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	pid	Process
Token: SeDebugPrivilege	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	1736	SearchApp.exe
Token: SeDebugPrivilege	4316	SearchApp.exe
Token: SeDebugPrivilege	1292	SearchApp.exe
Token: SeDebugPrivilege	3652	SearchApp.exe
Token: SeDebugPrivilege	532	SearchApp.exe
Token: SeDebugPrivilege	3716	SearchApp.exe
Token: SeDebugPrivilege	4248	SearchApp.exe
Token: SeDebugPrivilege	1292	SearchApp.exe
Token: SeDebugPrivilege	4224	SearchApp.exe
Token: SeDebugPrivilege	3544	SearchApp.exe
Token: SeDebugPrivilege	2244	SearchApp.exe
Token: SeDebugPrivilege	4272	SearchApp.exe
Token: SeDebugPrivilege	4188	SearchApp.exe
Token: SeDebugPrivilege	4820	SearchApp.exe
Token: SeDebugPrivilege	4028	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exe

description	pid	Process	procid_target
PID 4016 wrote to memory of 3772	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	97
PID 4016 wrote to memory of 3772	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	97
PID 4016 wrote to memory of 1256	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	98
PID 4016 wrote to memory of 1256	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	98
PID 4016 wrote to memory of 5116	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	99
PID 4016 wrote to memory of 5116	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	99
PID 4016 wrote to memory of 396	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	100
PID 4016 wrote to memory of 396	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	100
PID 4016 wrote to memory of 4560	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	102
PID 4016 wrote to memory of 4560	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	102
PID 4016 wrote to memory of 1628	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	103
PID 4016 wrote to memory of 1628	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	103
PID 4016 wrote to memory of 3520	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	104
PID 4016 wrote to memory of 3520	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	104
PID 4016 wrote to memory of 1736	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	111
PID 4016 wrote to memory of 1736	4016	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe	111
PID 1736 wrote to memory of 4956	1736	SearchApp.exe	114
PID 1736 wrote to memory of 4956	1736	SearchApp.exe	114
PID 1736 wrote to memory of 3572	1736	SearchApp.exe	115
PID 1736 wrote to memory of 3572	1736	SearchApp.exe	115
PID 4956 wrote to memory of 4316	4956	WScript.exe	120
PID 4956 wrote to memory of 4316	4956	WScript.exe	120
PID 4316 wrote to memory of 3172	4316	SearchApp.exe	121
PID 4316 wrote to memory of 3172	4316	SearchApp.exe	121
PID 4316 wrote to memory of 372	4316	SearchApp.exe	122
PID 4316 wrote to memory of 372	4316	SearchApp.exe	122
PID 3172 wrote to memory of 1292	3172	WScript.exe	123
PID 3172 wrote to memory of 1292	3172	WScript.exe	123
PID 1292 wrote to memory of 764	1292	SearchApp.exe	124
PID 1292 wrote to memory of 764	1292	SearchApp.exe	124
PID 1292 wrote to memory of 3124	1292	SearchApp.exe	125
PID 1292 wrote to memory of 3124	1292	SearchApp.exe	125
PID 764 wrote to memory of 3652	764	WScript.exe	128
PID 764 wrote to memory of 3652	764	WScript.exe	128
PID 3652 wrote to memory of 4816	3652	SearchApp.exe	130
PID 3652 wrote to memory of 4816	3652	SearchApp.exe	130
PID 3652 wrote to memory of 740	3652	SearchApp.exe	131
PID 3652 wrote to memory of 740	3652	SearchApp.exe	131
PID 4816 wrote to memory of 532	4816	WScript.exe	132
PID 4816 wrote to memory of 532	4816	WScript.exe	132
PID 532 wrote to memory of 4648	532	SearchApp.exe	133
PID 532 wrote to memory of 4648	532	SearchApp.exe	133
PID 532 wrote to memory of 100	532	SearchApp.exe	134
PID 532 wrote to memory of 100	532	SearchApp.exe	134
PID 4648 wrote to memory of 3716	4648	WScript.exe	135
PID 4648 wrote to memory of 3716	4648	WScript.exe	135
PID 3716 wrote to memory of 1844	3716	SearchApp.exe	136
PID 3716 wrote to memory of 1844	3716	SearchApp.exe	136
PID 3716 wrote to memory of 5048	3716	SearchApp.exe	137
PID 3716 wrote to memory of 5048	3716	SearchApp.exe	137
PID 1844 wrote to memory of 4248	1844	WScript.exe	138
PID 1844 wrote to memory of 4248	1844	WScript.exe	138
PID 4248 wrote to memory of 3056	4248	SearchApp.exe	139
PID 4248 wrote to memory of 3056	4248	SearchApp.exe	139
PID 4248 wrote to memory of 4836	4248	SearchApp.exe	140
PID 4248 wrote to memory of 4836	4248	SearchApp.exe	140
PID 3056 wrote to memory of 1292	3056	WScript.exe	141
PID 3056 wrote to memory of 1292	3056	WScript.exe	141
PID 1292 wrote to memory of 2564	1292	SearchApp.exe	142
PID 1292 wrote to memory of 2564	1292	SearchApp.exe	142
PID 1292 wrote to memory of 3648	1292	SearchApp.exe	143
PID 1292 wrote to memory of 3648	1292	SearchApp.exe	143
PID 2564 wrote to memory of 4224	2564	WScript.exe	144
PID 2564 wrote to memory of 4224	2564	WScript.exe	144

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe
"C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\sysmon\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1736
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a13de96-5f38-44fa-9155-207fab2f4297.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
      C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edd8c11b-0dfc-4434-b651-521d87ef18de.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8f1b6e3-e132-476d-ae8d-c89a2690f477.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f68d60-af4c-467a-9a9f-1247aa3ad2ef.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5716fb-ecdc-4c4e-8509-25c54c68be31.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe79208-c19b-46c8-8bf5-602a0a33fafd.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f826bcf-3ab4-433f-8ee0-0f74e68189d0.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79320bba-f37b-40b2-9fdf-bcfbf34779a9.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\210abada-db4b-4805-b3e4-c042dec361a4.vbs"
        19⤵
        
        PID:3588
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd7890bc-3e73-45eb-9081-05f8480a79cc.vbs"
        21⤵
        
        PID:1840
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52a50398-ef44-41df-af02-20350caaeb29.vbs"
        23⤵
        
        PID:220
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42e05b11-0d3f-4dea-863d-a9169549fce4.vbs"
        25⤵
        
        PID:2016
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068c697b-ab58-4bd9-9989-3557dfb1d118.vbs"
        27⤵
        
        PID:3188
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66a6dde-842f-47ec-b96a-5b9fb5204cbb.vbs"
        29⤵
        
        PID:716
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        
        C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30162552-d337-4490-ac4a-5595da6428e7.vbs"
        31⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a131102a-4947-4218-a0b2-1ae9c75a1001.vbs"
        31⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b58c7fc1-5542-497a-abce-c59d63ca4111.vbs"
        29⤵
        
        PID:3480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\848b3f28-30d2-4022-bfcd-49f7317bf744.vbs"
        27⤵
        
        PID:4004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d529b664-3433-48f9-89fb-7b438ee69c6e.vbs"
        25⤵
        
        PID:3436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e2f09d-e976-4369-bfa5-f5b5a7bd4907.vbs"
        23⤵
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46faf08d-56e7-46a1-bbdf-fc9900f8d55e.vbs"
        21⤵
        
        PID:3292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\926227e5-a028-4f0d-9f2c-1ad3886e457f.vbs"
        19⤵
        
        PID:3924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0648f8c9-ecb3-4d23-ba25-fc93139297f8.vbs"
        17⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f8dee47-e580-46b2-9065-edca4e0e2250.vbs"
        15⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2afbb4a1-b553-4dc8-88e9-6dcd31bb22e8.vbs"
        13⤵
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0a2598-f263-4ef4-b3ec-57e10b8cf884.vbs"
        11⤵
        
        PID:100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5523b44-b434-4f88-875b-91f602c49791.vbs"
        9⤵
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd96e76-45e9-4600-b889-8d9eb385d589.vbs"
        7⤵
        
        PID:3124
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148ad341-fc31-4ad2-9ce6-7e6d1990c827.vbs"
        5⤵
        
        PID:372
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f294c2-c330-4780-8774-0d134b4c05b3.vbs"
    3⤵
    PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\sysmon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN" /sc ONLOGON /tr "'C:\Documents and Settings\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bbN.exe

Filesize
1.5MB

MD5
e0c65dbfbfc5260e19c57ecb844449d0

SHA1
dd9f1a77331257afe3869d2de63a4e14b7797632

SHA256
3612e6c95f19d675333d7cda11d5b78c0d95bedc97313921fd21c00daba530bb

SHA512
6ec5998f4d56f7c179b6e150b38c1b83639dd73ce12e7f137f3673278023d4155db2f4d204f216ad1e99ad1a7d2f793a15ff63142945206efe2ec261ab45c956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\05f68d60-af4c-467a-9a9f-1247aa3ad2ef.vbs

Filesize
760B

MD5
925d7b42a086cd0108d576bf3beb2f14

SHA1
a0f62d86a7d93082c1a469e5adb002815bac421f

SHA256
87fae54b6595388dec825177bdaf72faacc625c463ea6889f213b14648ceb8b2

SHA512
5d40e795255f4b91a49349ac16e99df74888fe68b596425727ec7fde0598fec7bda4891d657e823ba34222af2f99f2e723099379ac928ee503db591d46f9bd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\068c697b-ab58-4bd9-9989-3557dfb1d118.vbs

Filesize
760B

MD5
8b800e3d0d10ffc1209cae17183ae1bf

SHA1
889ef6662b1ef752d2fb42be9e4f185562e3a3fb

SHA256
d72a783da23d4ac2cdf7e6016239fde816d8c9bbc689725ac72d225f78d2afe5

SHA512
eb37632f795714cc57dda278f7bc7e9f7d898dacf620e93f1cafced3be820cb24bee948946f312c6ff4234d863b7bc8438ebcb1fec7f81aa293954cf37f252b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a13de96-5f38-44fa-9155-207fab2f4297.vbs

Filesize
760B

MD5
7d6ee293af2693570a61da18e5a9cb5d

SHA1
a84ea91a25847f6ad4e44d9c8f5806b6a8f4ff8c

SHA256
0e605b2e155f2308c4e55f88da48414dcb1b0a4a555d73191ad769d1b9fbd227

SHA512
e500494afcdca719b92886b2d29138803b8e86b7e24f5ea62d4b4a2d7793ec56938364ef1d7c1f76f589884c3399365e49c301428f8b595fe34c5c43d7ec2003

Download Submit
C:\Users\Admin\AppData\Local\Temp\210abada-db4b-4805-b3e4-c042dec361a4.vbs

Filesize
760B

MD5
732b2fbc136416d7c33c897a089cc05a

SHA1
d1deb2dd6d64e171e962ba7eade5a1c10a7263cb

SHA256
a2460bd4ba16e6e5adc40e1bd971a503801a3e76a863a15e99c51c762547626d

SHA512
7bd8927769d136333ebf732a5c7d28df352311c0321f551f0456af3462804c78d3e7e23684152084fa16856b7536df27ec1763a1857ce0e5c6ac0969a29660d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\42e05b11-0d3f-4dea-863d-a9169549fce4.vbs

Filesize
760B

MD5
ebe13b81cf9f0f9c7bd69d2cae3c2e8f

SHA1
e6607d48e68badfd43702a992662685be79dd23c

SHA256
9a4e44671c17b2885586281f7caa6650fa3d7a6f96a72f3fcf832cc0cca5fbc1

SHA512
5a992ae2a13c527afd275ec19278be9667611b73ce512a887a992777b096339f387ec1185de169bcd9ea23e0f0180b5c7728fb54601f15a8be62854066468066

Download Submit
C:\Users\Admin\AppData\Local\Temp\52a50398-ef44-41df-af02-20350caaeb29.vbs

Filesize
760B

MD5
3bdcc629b3924ddd5002505ebb82d2c3

SHA1
b34cef1c87321e938737c07b1917162820a76675

SHA256
8a06bad87f1576f75a20fd1ca9f803bf1970cb3e419508c3b446b87dfc90b87f

SHA512
5fcd28b62372e7d63821b8f494b0a3f40462a82bf693272683fb8899a10c4a0271733ddaca7d383c3c5bb80260aa3c59b8dc1c5abe9faf713d527bd92269bf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f826bcf-3ab4-433f-8ee0-0f74e68189d0.vbs

Filesize
760B

MD5
e4f7adf63233ea228146e0b536663dd5

SHA1
85ef476b8b63d08aeacc9ece59bfb03aa082c09e

SHA256
1a2f80765a548818417e2ed42f722adf11735462388625db4f4359caa793c988

SHA512
c80a3176d591cb0301ad47881b2a533e5d28fe94e99d88527326c8ddc4b8200a21f831d910b430a946939f24e07f6cf8dacbe8f4e9b8042d8444f203d4a91290

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvpczyat.m0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8f1b6e3-e132-476d-ae8d-c89a2690f477.vbs

Filesize
760B

MD5
b846973cb828efce5e3e24cc3be63e2c

SHA1
f3e6f9a81bda12cac6260e4f6caa693eaf9e012a

SHA256
a652fac1b7628fe3a59a699267d0e26c36f359319f6f3906625e8248528e88f1

SHA512
7b14289437e85090c1a8315cc2292b224c600187fe053379bd7c0f9c59a19ba7c4d5a1c1f4e65d5705ba7045de16236698552a7ae29ec4307603436e574d48e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7f294c2-c330-4780-8774-0d134b4c05b3.vbs

Filesize
536B

MD5
435510266a9cbfe0e66c891ed8ed54ef

SHA1
df392c021f05d5618e7da4c63091214d1ed41cc9

SHA256
fac369bd6c84b3ddedbc3c424a022c83fae0cad284160c35d63c82e1b1b16c6e

SHA512
b968e4c5a0ddca1575089693aa837562e32e13975d1df3d2770952e6ee5da8bf9687644a29eb3f19e6a85b301b69852657289e76d89c30b9722e47a475a195c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbe79208-c19b-46c8-8bf5-602a0a33fafd.vbs

Filesize
760B

MD5
64cab230a762aba3c9a7c4966d02aacb

SHA1
87cb9e988020e9655f1f1d4ebd4bc7ad63073610

SHA256
a1c845fb6a1b7e0e44df10ea59213b92cdd4f1ac5d67a06fc2d3c858c4bbe8a9

SHA512
d2d18d1d6824aa6c8fdc6992577264ced4303f7d2d365198cb498b04f6a6d09d975956e8c78c4a08daf5b21364ba1257c5b42f1c6cf1c407aa71c4c1e2eeeebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7890bc-3e73-45eb-9081-05f8480a79cc.vbs

Filesize
760B

MD5
b652e77d0cfa564f7df2358f3f1f3f7c

SHA1
93848ab6a1208c6ae0fd377edd84319206d484a1

SHA256
3fd294d2a417d67a6f0a183d861269ed51d13ee54570216ba10f530e5c3be4b7

SHA512
72eff8f0a999552945666e3afd02c391309c94faed080141471e45956058929d135484d2089f456270ec65af6a444bc02fd58805b85ccb8e3560cb5c55b87a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\edd8c11b-0dfc-4434-b651-521d87ef18de.vbs

Filesize
760B

MD5
bdb7b65fb36c97ed3266ea2fc3bedb0f

SHA1
27af951b8248e39453621dab694aa8e5fec2ddfc

SHA256
9385a7bbdcc977a271782cf615e48078d66ccf6e791e9f825c57afd878d763ef

SHA512
cc0add4444e5f5c288f391dd06649d9e76f40ba02c56005478ef7c1dfab3474d1ed8d5d3868945ff6332b4676164795051776ed68b99787e2a3e3cf6e0eb725c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f66a6dde-842f-47ec-b96a-5b9fb5204cbb.vbs

Filesize
760B

MD5
feef1b70cfe088ef6d268c12f189e5ee

SHA1
7cef0bcd0a816efa7ae65bd555b8e75bbed33fb7

SHA256
049686593f8d36776da523741fdab4f09772764508b222b499eca9c1c410c92f

SHA512
3932b37a0746430879f62afd42d302e3e2e55b6960c0dde7a7c51fd29d101f4c6e9bb68c4384fa608a212de7bda9e1223ba43ec8877737b24f0ffcc3336e3100

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5716fb-ecdc-4c4e-8509-25c54c68be31.vbs

Filesize
759B

MD5
a2d825ce2ee49f70c18e84fdaa546d4a

SHA1
48b6d750e434e07ba833216a6904426ade870ede

SHA256
9c5a0afd793b1bf9e667d6c7a90c08ee832248d4ccd3cfaac10e3660248ec487

SHA512
9a47faa6690ab0086e9f7f91045f5999b94f01b59ed60a034ee60235e2b7238cd46442e644ee1b25e41299704b9e2c3831aee100d162e86522cfdc57b1d8e4b4

Download Submit
memory/1256-143-0x0000022CCC890000-0x0000022CCC8B2000-memory.dmp

Filesize
136KB

Download
memory/1736-205-0x000000001B440000-0x000000001B452000-memory.dmp

Filesize
72KB

Download
memory/2244-335-0x00000000030A0000-0x00000000030B2000-memory.dmp

Filesize
72KB

Download
memory/3544-323-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/3652-265-0x000000001CE60000-0x000000001CF62000-memory.dmp

Filesize
1.0MB

Download
memory/4016-9-0x00000000026D0000-0x00000000026DC000-memory.dmp

Filesize
48KB

Download
memory/4016-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/4016-18-0x000000001B250000-0x000000001B258000-memory.dmp

Filesize
32KB

Download
memory/4016-17-0x000000001B240000-0x000000001B24C000-memory.dmp

Filesize
48KB

Download
memory/4016-16-0x000000001B230000-0x000000001B238000-memory.dmp

Filesize
32KB

Download
memory/4016-15-0x000000001B220000-0x000000001B22A000-memory.dmp

Filesize
40KB

Download
memory/4016-14-0x000000001B210000-0x000000001B21C000-memory.dmp

Filesize
48KB

Download
memory/4016-13-0x000000001B0F0000-0x000000001B0FA000-memory.dmp

Filesize
40KB

Download
memory/4016-12-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

Filesize
32KB

Download
memory/4016-11-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/4016-8-0x00000000026C0000-0x00000000026C8000-memory.dmp

Filesize
32KB

Download
memory/4016-25-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/4016-21-0x000000001B290000-0x000000001B298000-memory.dmp

Filesize
32KB

Download
memory/4016-20-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/4016-10-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

Filesize
64KB

Download
memory/4016-1-0x00000000002E0000-0x000000000045E000-memory.dmp

Filesize
1.5MB

Download
memory/4016-6-0x0000000002690000-0x000000000269A000-memory.dmp

Filesize
40KB

Download
memory/4016-7-0x00000000026B0000-0x00000000026BC000-memory.dmp

Filesize
48KB

Download
memory/4016-204-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/4016-5-0x00000000026A0000-0x00000000026AC000-memory.dmp

Filesize
48KB

Download
memory/4016-24-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/4016-3-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/4016-2-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/4016-4-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4028-381-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download
memory/4188-359-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4248-289-0x0000000001660000-0x0000000001672000-memory.dmp

Filesize
72KB

Download
memory/4272-347-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download