dcrat | 2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Size

4.9MB
MD5

13b6da3b2c4cb91d305cf9bf20998000
SHA1

99c9b99ae564f1861ee2994eb345c16b2d505048
SHA256

2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b
SHA512

853e2a327e2a1c5708d5ea12a48c8ebedf7ccea9ba14d2d693681ec892222bdbc1ac23af21d03f1d3cf11273f9a0f15a6577c385d27c4a5868ee9a567295d6c9
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2748	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2024-3-0x000000001B310000-0x000000001B43E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
1848	powershell.exe
768	powershell.exe
652	powershell.exe
2632	powershell.exe
2760	powershell.exe
1840	powershell.exe
2996	powershell.exe
2420	powershell.exe
2980	powershell.exe
2580	powershell.exe
1752	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2600	spoolsv.exe
2544	spoolsv.exe
1796	spoolsv.exe
2760	spoolsv.exe
1052	spoolsv.exe
2568	spoolsv.exe
1908	spoolsv.exe
1516	spoolsv.exe
2588	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
2656	schtasks.exe
3060	schtasks.exe
2568	schtasks.exe
2556	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
2420	powershell.exe
2580	powershell.exe
2632	powershell.exe
2980	powershell.exe
652	powershell.exe
1840	powershell.exe
2760	powershell.exe
768	powershell.exe
1752	powershell.exe
2996	powershell.exe
1848	powershell.exe
1516	powershell.exe
2600	spoolsv.exe
2544	spoolsv.exe
1796	spoolsv.exe
2760	spoolsv.exe
1052	spoolsv.exe
2568	spoolsv.exe
1908	spoolsv.exe
1516	spoolsv.exe
2588	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	2600	spoolsv.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2544	spoolsv.exe
Token: SeDebugPrivilege	1796	spoolsv.exe
Token: SeDebugPrivilege	2760	spoolsv.exe
Token: SeDebugPrivilege	1052	spoolsv.exe
Token: SeDebugPrivilege	2568	spoolsv.exe
Token: SeDebugPrivilege	1908	spoolsv.exe
Token: SeDebugPrivilege	1516	spoolsv.exe
Token: SeDebugPrivilege	2588	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2980	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	38
PID 2024 wrote to memory of 2980	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	38
PID 2024 wrote to memory of 2980	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	38
PID 2024 wrote to memory of 2580	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	40
PID 2024 wrote to memory of 2580	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	40
PID 2024 wrote to memory of 2580	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	40
PID 2024 wrote to memory of 2420	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	41
PID 2024 wrote to memory of 2420	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	41
PID 2024 wrote to memory of 2420	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	41
PID 2024 wrote to memory of 2996	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	42
PID 2024 wrote to memory of 2996	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	42
PID 2024 wrote to memory of 2996	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	42
PID 2024 wrote to memory of 768	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	44
PID 2024 wrote to memory of 768	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	44
PID 2024 wrote to memory of 768	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	44
PID 2024 wrote to memory of 652	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	45
PID 2024 wrote to memory of 652	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	45
PID 2024 wrote to memory of 652	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	45
PID 2024 wrote to memory of 1848	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	47
PID 2024 wrote to memory of 1848	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	47
PID 2024 wrote to memory of 1848	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	47
PID 2024 wrote to memory of 1516	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	48
PID 2024 wrote to memory of 1516	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	48
PID 2024 wrote to memory of 1516	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	48
PID 2024 wrote to memory of 1840	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	49
PID 2024 wrote to memory of 1840	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	49
PID 2024 wrote to memory of 1840	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	49
PID 2024 wrote to memory of 1752	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	50
PID 2024 wrote to memory of 1752	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	50
PID 2024 wrote to memory of 1752	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	50
PID 2024 wrote to memory of 2632	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	51
PID 2024 wrote to memory of 2632	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	51
PID 2024 wrote to memory of 2632	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	51
PID 2024 wrote to memory of 2760	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	52
PID 2024 wrote to memory of 2760	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	52
PID 2024 wrote to memory of 2760	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	52
PID 2024 wrote to memory of 2600	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	61
PID 2024 wrote to memory of 2600	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	61
PID 2024 wrote to memory of 2600	2024	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe	61
PID 2600 wrote to memory of 2732	2600	spoolsv.exe	63
PID 2600 wrote to memory of 2732	2600	spoolsv.exe	63
PID 2600 wrote to memory of 2732	2600	spoolsv.exe	63
PID 2600 wrote to memory of 2560	2600	spoolsv.exe	64
PID 2600 wrote to memory of 2560	2600	spoolsv.exe	64
PID 2600 wrote to memory of 2560	2600	spoolsv.exe	64
PID 2732 wrote to memory of 2544	2732	WScript.exe	65
PID 2732 wrote to memory of 2544	2732	WScript.exe	65
PID 2732 wrote to memory of 2544	2732	WScript.exe	65
PID 2544 wrote to memory of 2892	2544	spoolsv.exe	66
PID 2544 wrote to memory of 2892	2544	spoolsv.exe	66
PID 2544 wrote to memory of 2892	2544	spoolsv.exe	66
PID 2544 wrote to memory of 2192	2544	spoolsv.exe	67
PID 2544 wrote to memory of 2192	2544	spoolsv.exe	67
PID 2544 wrote to memory of 2192	2544	spoolsv.exe	67
PID 2892 wrote to memory of 1796	2892	WScript.exe	68
PID 2892 wrote to memory of 1796	2892	WScript.exe	68
PID 2892 wrote to memory of 1796	2892	WScript.exe	68
PID 1796 wrote to memory of 1900	1796	spoolsv.exe	69
PID 1796 wrote to memory of 1900	1796	spoolsv.exe	69
PID 1796 wrote to memory of 1900	1796	spoolsv.exe	69
PID 1796 wrote to memory of 876	1796	spoolsv.exe	70
PID 1796 wrote to memory of 876	1796	spoolsv.exe	70
PID 1796 wrote to memory of 876	1796	spoolsv.exe	70
PID 1900 wrote to memory of 2760	1900	WScript.exe	71

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe
"C:\Users\Admin\AppData\Local\Temp\2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0bN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\MSOCache\All Users\spoolsv.exe
  "C:\MSOCache\All Users\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2600
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b89acd66-c016-4bf7-af3d-028b3b31646f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\MSOCache\All Users\spoolsv.exe
      "C:\MSOCache\All Users\spoolsv.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b762d3-c6f3-4241-8e92-0d95e7c04955.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5ea4966-79c0-49be-a63b-72fa42c5a7d5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0ea3bac-16c3-43b1-91fc-f9f84830bd4e.vbs"
        9⤵
        
        PID:2976
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d39159-5ce2-4d2e-b744-6507c95fce02.vbs"
        11⤵
        
        PID:900
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25807f83-3a7a-4d1c-b9db-0a0f75cbf6d7.vbs"
        13⤵
        
        PID:2576
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c19781-566c-4a68-9f5d-44c93249299b.vbs"
        15⤵
        
        PID:1328
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95e7a595-b350-487b-809b-e7df9bdd45f4.vbs"
        17⤵
        
        PID:2008
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1083acf3-71b8-450b-bc40-c3523bfa1158.vbs"
        19⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\166b330d-bded-4023-b8ef-076b656f0446.vbs"
        19⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3b2998c-ed91-4027-bfd7-34d09146374c.vbs"
        17⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba21048-f051-43da-8fde-73414c56c2ad.vbs"
        15⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0381ff4e-c1b8-45af-9105-78fe53204d7f.vbs"
        13⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2db84e0-df25-4599-8f60-083c4b898f6e.vbs"
        11⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6cc9afc-b622-4e8e-9af2-bb8a8528e79d.vbs"
        9⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcfec50-1143-48db-94b9-abf279c9560b.vbs"
        7⤵
        
        PID:876
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546442b4-de91-4607-bf1b-92468c432f76.vbs"
        5⤵
        
        PID:2192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\febcef6d-aded-41bd-8413-ee8c095d9157.vbs"
    3⤵
    PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\spoolsv.exe

Filesize
4.9MB

MD5
13b6da3b2c4cb91d305cf9bf20998000

SHA1
99c9b99ae564f1861ee2994eb345c16b2d505048

SHA256
2605947a3a2ab7267eea6f0de3e433eee2b03ebd53155d64a05044d27458de0b

SHA512
853e2a327e2a1c5708d5ea12a48c8ebedf7ccea9ba14d2d693681ec892222bdbc1ac23af21d03f1d3cf11273f9a0f15a6577c385d27c4a5868ee9a567295d6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1083acf3-71b8-450b-bc40-c3523bfa1158.vbs

Filesize
709B

MD5
dcf7b2cd1ab04a649ee6a40fe8ee5f3f

SHA1
62fff7f3552631965321180055d571a5e01ee58b

SHA256
f215726aa69fff35fc8e20ae9a3ea512bddb3c021fdcff8a8b9a93edc7566714

SHA512
ae9e5781f8b7887825349a73a8db1c06f03e0eebd633b0b6a67160552be6c8f5a363b19fc8e8abf23cc34c980634d4f4877678c8fafc706678cf8c5968c27d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\22c19781-566c-4a68-9f5d-44c93249299b.vbs

Filesize
709B

MD5
c3340830a0f3fe69623f5cbabd3732a5

SHA1
3aeb259d97929b3426c8a36f717bdf6598835176

SHA256
6c2faa16ac80cecd4fde24aa6a6c7e4e26bc0b11bc55e2100ea5ced8e3a3436b

SHA512
ac3615b5b5b048f88333203e00cd976cc2054a275308f2d69ddc2c011521cac61e8c68aae8d9e7b2bde047065a574fbd7764425bee8e8e31a99c5196ca1bac1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\25807f83-3a7a-4d1c-b9db-0a0f75cbf6d7.vbs

Filesize
709B

MD5
8e609646e41e3e9586f5f6c66340f164

SHA1
eef9b581fbe28e0a0e765d5cbb061ba4778d7a25

SHA256
a216c9260af9ad4a63c15b43b0c296f87940a61324e54d3d0aff5460aea6424e

SHA512
e5f813553b6623937417f8d0a730fe5b1c9d0e2e9371b8c8360c2660794eb5563735a2cdea29ee5acfbba31c175671b914d7009644c50cfc97f867fdd1edb576

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b762d3-c6f3-4241-8e92-0d95e7c04955.vbs

Filesize
709B

MD5
56f60bf9b68508280c61a98d40316198

SHA1
1f99b864a73a3a06b53ec7d7c42af22042cfea95

SHA256
4e0f40d44c7b109242a5e37055c4f90a5e24392aafc415fc2e9d7991f8d04b46

SHA512
956abd9975bec2b200c4db6b0408cfd5bc1ee7d7f2943cdee087710b629b9f8bae1facb252f572f3f11f1574bd656a502b11e54cd5138d92e7a69a090771ac9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\95e7a595-b350-487b-809b-e7df9bdd45f4.vbs

Filesize
709B

MD5
2a64792bef073f01c64c794f36dfa59e

SHA1
40b5c8eb7c50c35c65077684ed430a27a7f0a1da

SHA256
167b7da0a34242b7d4aaf606a7000099a1f526586f3bcc40fe7643a530911825

SHA512
701160fb5ff9ec1461dc883ae725234f703b9081eb7218eb07483b192a15f730f3979f8b240f57d77292787d102997cea798cf530abd3aa8e34f7d80381dfa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b89acd66-c016-4bf7-af3d-028b3b31646f.vbs

Filesize
709B

MD5
345bf6cdbe44b6d90a48c8b5fa610f0a

SHA1
4074addf0faecc61cfdcc486367dc5e080f289c1

SHA256
df0615cd12a6b1cc29c4fa16c3bf2f38bede42baf9e3a686333d026ce51ff31d

SHA512
ddc4f4606e83fb116747fef80f9aa3bcb73891a5696fb29b4408cbe90871cdfe199d34932308343c94263a6484055ebf6b3d9059cd84886dac02a949f43c53a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5ea4966-79c0-49be-a63b-72fa42c5a7d5.vbs

Filesize
709B

MD5
d7dd9138d151e8223519a671c8ecb506

SHA1
fa6d7a4634701242cd0cdc8ed284ada50cbec2e5

SHA256
bd85344add2f1a458d34b31294b5341ed4ae7e5dee0bc07dc4a5540d0ae1d437

SHA512
993ad5ad56179d818b142df8c0de083c79641c90e9fdc8b98f2234cf8c444c1ace9128add5b3502d3b716e4f867b3ab5ad0574afdfaaabe5e0a6403bf991f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0ea3bac-16c3-43b1-91fc-f9f84830bd4e.vbs

Filesize
709B

MD5
7fd1ee5d5da2b5690dfca83ae4eee495

SHA1
5a6ae9c75e752cbe9133c53375f6256cda7d59b0

SHA256
a2786e3de434d017828e25ae4e860e69b91205598ed6043595f70c57808b4d31

SHA512
efc1eee53e4c1f9c92d2bead1a7aba273e5cb232d17cc294e0d32443f6fa25383f7187e2d9ab6362605f37ead180326dddb172122ab176fbb0f4a1c1e9986d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2d39159-5ce2-4d2e-b744-6507c95fce02.vbs

Filesize
709B

MD5
27a976e9be204073c1fc36e5e7a07241

SHA1
3af6b4be37501e5f8a6c663bf1540242e9dcff44

SHA256
023e30153faaa129166b8e79cb109b353c89c4866cc33a7a36fb135cd7845fd8

SHA512
e214703c538352d16efacc11b4201ce8beb7ce4e3a25f961502e7d944a19c79fd75e3c62f58ba16264a4155b375ecdf3091830515b404b0980a7620f8bdc35aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\febcef6d-aded-41bd-8413-ee8c095d9157.vbs

Filesize
485B

MD5
13100a90486d77a38c059a7638dc06a5

SHA1
eaf9f6cc43d8f24b4bba5052550fcf4336297a12

SHA256
db6ed00e9d4a1482cefef54f21650d3ba80a2edd223e32c0f5acca2767e76d64

SHA512
730690fd896aca065040c32ba20877b3ae8c3f3d2ae86f4c994173703e96cacc37c47a6daf0f585c0d568775a0c05cef223c2d6d99dec09e06a3a5b11513da0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BA2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
123674536bae3fd62ee91936badfe819

SHA1
370a6570081460acc0ec49922aa1d7d9a6dd1641

SHA256
7b96e3b12d711e343fdec8657a70f00c3c8d2fc86410e57a7bee18dddb8a8855

SHA512
be2f08188b16ae609468ab5dc4b8e3e774b858f733dddd7eaf852c7afc3ad5b44ae1f371c2f240b10888c855c50c1167daeccf99c027dc72c2cbe9f29322a98e

Download Submit
C:\Users\Public\Downloads\dwm.exe

Filesize
4.9MB

MD5
57cae5ee7e13e4069542a0e4af679b61

SHA1
7efc8fe18429de3ea23a8761a997f6342d947c7a

SHA256
27a69f0a6155807db6e42b5ab7da8da2cca67cc496eddad3200ba3567fd37054

SHA512
616a879a3d674b04f59a8fbe89d83e9b6bee941380cbd352363b0b40fa4b49941b09f54da2f9a21e3f16617b5bc47729d8d1ca470b871c8d1561551856d1df8f

Download Submit
memory/1052-162-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/1796-133-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download
memory/2024-7-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/2024-6-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2024-10-0x000000001AF80000-0x000000001AF92000-memory.dmp

Filesize
72KB

Download
memory/2024-14-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/2024-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-62-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-3-0x000000001B310000-0x000000001B43E000-memory.dmp

Filesize
1.2MB

Download
memory/2024-13-0x000000001B1B0000-0x000000001B1BE000-memory.dmp

Filesize
56KB

Download
memory/2024-12-0x000000001B1A0000-0x000000001B1AE000-memory.dmp

Filesize
56KB

Download
memory/2024-9-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2024-4-0x00000000009D0000-0x00000000009EC000-memory.dmp

Filesize
112KB

Download
memory/2024-1-0x0000000000F50000-0x0000000001444000-memory.dmp

Filesize
5.0MB

Download
memory/2024-11-0x000000001B090000-0x000000001B09A000-memory.dmp

Filesize
40KB

Download
memory/2024-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2024-8-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/2024-16-0x000000001B1E0000-0x000000001B1EC000-memory.dmp

Filesize
48KB

Download
memory/2024-15-0x000000001B1D0000-0x000000001B1D8000-memory.dmp

Filesize
32KB

Download
memory/2024-5-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2420-57-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2420-56-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2544-118-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/2568-177-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/2600-51-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download