dcrat | c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Size

4.9MB
MD5

7bcee51d69d6f7f7872dade20a2c5916
SHA1

4ad1278f8368527aa02d08c6ee86da5b22be2cab
SHA256

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2
SHA512

8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8u:G

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2944-3-0x000000001B770000-0x000000001B89E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
572	powershell.exe
2412	powershell.exe
1872	powershell.exe
904	powershell.exe
2168	powershell.exe
3060	powershell.exe
996	powershell.exe
352	powershell.exe
1748	powershell.exe
1672	powershell.exe
2240	powershell.exe
560	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid process

1116 lsass.exe
1700 lsass.exe
2760 lsass.exe
1624 lsass.exe
2636 lsass.exe
2108 lsass.exe
1532 lsass.exe
1480 lsass.exe
2060 lsass.exe
2796 lsass.exe

pid	process
1116	lsass.exe
1700	lsass.exe
2760	lsass.exe
1624	lsass.exe
2636	lsass.exe
2108	lsass.exe
1532	lsass.exe
1480	lsass.exe
2060	lsass.exe
2796	lsass.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exec24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 16 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Services\lsass.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXBD57.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Common Files\Services\6203df4a6bafc7	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCXCF89.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c273408a226d09	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Media Player\it-IT\886983d96e3d3e	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXD20A.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\24dbde2999530e	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Program Files\Windows Media Player\it-IT\csrss.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXCB81.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\lsass.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\csrss.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Drops file in Windows directory 4 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\smss.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File created	C:\Windows\Logs\CBS\69ddcba757bf72	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Logs\CBS\RCXC910.tmp	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
File opened for modification	C:\Windows\Logs\CBS\smss.exe	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2512	schtasks.exe
2648	schtasks.exe
1956	schtasks.exe
2452	schtasks.exe
2868	schtasks.exe
552	schtasks.exe
2392	schtasks.exe
1284	schtasks.exe
340	schtasks.exe
2972	schtasks.exe
2584	schtasks.exe
2864	schtasks.exe
1344	schtasks.exe
2716	schtasks.exe
1516	schtasks.exe
2592	schtasks.exe
2700	schtasks.exe
2408	schtasks.exe
2228	schtasks.exe
2136	schtasks.exe
2952	schtasks.exe
2788	schtasks.exe
2680	schtasks.exe
2688	schtasks.exe
2440	schtasks.exe
1820	schtasks.exe
1652	schtasks.exe
2664	schtasks.exe
2796	schtasks.exe
1060	schtasks.exe
2400	schtasks.exe
1712	schtasks.exe
2084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
1672	powershell.exe
904	powershell.exe
996	powershell.exe
572	powershell.exe
560	powershell.exe
2240	powershell.exe
3060	powershell.exe
1872	powershell.exe
2168	powershell.exe
352	powershell.exe
2412	powershell.exe
1748	powershell.exe
1116	lsass.exe
1700	lsass.exe
2760	lsass.exe
1624	lsass.exe
2636	lsass.exe
2108	lsass.exe
1532	lsass.exe
1480	lsass.exe
2060	lsass.exe
2796	lsass.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1116	lsass.exe
Token: SeDebugPrivilege	1700	lsass.exe
Token: SeDebugPrivilege	2760	lsass.exe
Token: SeDebugPrivilege	1624	lsass.exe
Token: SeDebugPrivilege	2636	lsass.exe
Token: SeDebugPrivilege	2108	lsass.exe
Token: SeDebugPrivilege	1532	lsass.exe
Token: SeDebugPrivilege	1480	lsass.exe
Token: SeDebugPrivilege	2060	lsass.exe
Token: SeDebugPrivilege	2796	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.execmd.exelsass.exeWScript.exelsass.exeWScript.exelsass.exe

description	pid	process	target process
PID 2944 wrote to memory of 996	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 996	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 996	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 560	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 560	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 560	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2240	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2240	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2240	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2412	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2412	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2412	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 572	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 572	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 572	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 352	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 352	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 352	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1872	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1872	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1872	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 904	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 904	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 904	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1672	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1672	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1672	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2168	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2168	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2168	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1748	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1748	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 1748	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 3060	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 3060	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 3060	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	powershell.exe
PID 2944 wrote to memory of 2976	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 2944 wrote to memory of 2976	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 2944 wrote to memory of 2976	2944	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe	cmd.exe
PID 2976 wrote to memory of 1856	2976	cmd.exe	w32tm.exe
PID 2976 wrote to memory of 1856	2976	cmd.exe	w32tm.exe
PID 2976 wrote to memory of 1856	2976	cmd.exe	w32tm.exe
PID 2976 wrote to memory of 1116	2976	cmd.exe	lsass.exe
PID 2976 wrote to memory of 1116	2976	cmd.exe	lsass.exe
PID 2976 wrote to memory of 1116	2976	cmd.exe	lsass.exe
PID 1116 wrote to memory of 796	1116	lsass.exe	WScript.exe
PID 1116 wrote to memory of 796	1116	lsass.exe	WScript.exe
PID 1116 wrote to memory of 796	1116	lsass.exe	WScript.exe
PID 1116 wrote to memory of 484	1116	lsass.exe	WScript.exe
PID 1116 wrote to memory of 484	1116	lsass.exe	WScript.exe
PID 1116 wrote to memory of 484	1116	lsass.exe	WScript.exe
PID 796 wrote to memory of 1700	796	WScript.exe	lsass.exe
PID 796 wrote to memory of 1700	796	WScript.exe	lsass.exe
PID 796 wrote to memory of 1700	796	WScript.exe	lsass.exe
PID 1700 wrote to memory of 1848	1700	lsass.exe	WScript.exe
PID 1700 wrote to memory of 1848	1700	lsass.exe	WScript.exe
PID 1700 wrote to memory of 1848	1700	lsass.exe	WScript.exe
PID 1700 wrote to memory of 1592	1700	lsass.exe	WScript.exe
PID 1700 wrote to memory of 1592	1700	lsass.exe	WScript.exe
PID 1700 wrote to memory of 1592	1700	lsass.exe	WScript.exe
PID 1848 wrote to memory of 2760	1848	WScript.exe	lsass.exe
PID 1848 wrote to memory of 2760	1848	WScript.exe	lsass.exe
PID 1848 wrote to memory of 2760	1848	WScript.exe	lsass.exe
PID 2760 wrote to memory of 1672	2760	lsass.exe	WScript.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe
"C:\Users\Admin\AppData\Local\Temp\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXkPT9VgOb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1856
- - C:\Program Files (x86)\Common Files\Services\lsass.exe
    "C:\Program Files (x86)\Common Files\Services\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1116
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a8cf0dd-661d-4e6b-b968-011ec153b850.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3778926-f66a-402b-8e12-64d5da658767.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca5d6d8-a559-416e-8225-eaa1c839bce7.vbs"
        8⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8b9672f-652e-462e-a994-8362cc1a58d7.vbs"
        10⤵
        
        PID:2640
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\193b3fc2-b395-42a4-a78f-74e4a2631f38.vbs"
        12⤵
        
        PID:2292
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dc86af6-2b8c-46dc-9889-6710d98e06ee.vbs"
        14⤵
        
        PID:2624
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21fde5ce-20af-4e85-8cc2-8df75452ae56.vbs"
        16⤵
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cc7e16c-fb73-4e90-924b-8522868a8d35.vbs"
        18⤵
        
        PID:352
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660de2e9-6a01-42bd-9794-31599cc3a54e.vbs"
        20⤵
        
        PID:1048
        
        C:\Program Files (x86)\Common Files\Services\lsass.exe
        
        "C:\Program Files (x86)\Common Files\Services\lsass.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba89bb5-6ec9-4877-9dc3-9279f774f9c5.vbs"
        22⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e0b0c51-6d1f-47a5-a215-d77b07681d7c.vbs"
        22⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7371396a-6e78-420e-b53d-25003db51224.vbs"
        20⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45ba56a-9b22-4e2d-baad-94bf11cf0e59.vbs"
        18⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87b36ba5-cc2a-498a-9b46-9c2a34e498ae.vbs"
        16⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3d5933-ca74-4f19-80b2-18994a1024cb.vbs"
        14⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546cdf47-bd0f-403f-a053-48fc91f93090.vbs"
        12⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060bd7f6-a3a4-41ce-adf4-6ab3702cc7a7.vbs"
        10⤵
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bca25c8f-62bd-433a-8d87-0096750cf4a5.vbs"
        8⤵
        
        PID:1816
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e3b7ac-0d94-42c1-a4c1-2d89973f7dfb.vbs"
        6⤵
        
        PID:1592
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537f3ccc-332e-4933-bbbe-8527bf2d5d90.vbs"
      4⤵
      PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2c" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2c" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\RCXCB81.tmp

Filesize
4.9MB

MD5
d471b800e5ed5b57cded567c0ab212a5

SHA1
b6ed2fa6fea2addf1e9855ab17f7f30d9677893f

SHA256
dcdb7187e85d10defb3b3eecd9e6cb07f83c9b794baa0ba4758379945fce8c5e

SHA512
3c5a5f1590de439ade84ac3a88a2a1f57a629e6819c571aa57b319ea032d599df43a2200bc993adc39f0853cf67c35a3584e1484d656aac17e8590b393e1f205

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe

Filesize
4.9MB

MD5
7bcee51d69d6f7f7872dade20a2c5916

SHA1
4ad1278f8368527aa02d08c6ee86da5b22be2cab

SHA256
c24f2fb77a06cdfe4e9c074b1e2accb305b0ad091c1668372cc1f5249612b8b2

SHA512
8da8506093074361776f8b1693a2058fc6775be636034237c8ef7f5a03d422b881a9c8ea047b8d89bc314c649ba0c3bd7a16ac8dcd4c41d788135845bd151e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\193b3fc2-b395-42a4-a78f-74e4a2631f38.vbs

Filesize
730B

MD5
c4c1fc61733af67fc5763fea607b7824

SHA1
0566d03a60e3d0604ad068c9936eaa939af047db

SHA256
03903ad8b9b747b3027d2de94cc748b90bfd942ec6711d833661b1032e6ff14d

SHA512
e2e2274ad0372c6df8d34faca67597a214ccc4bb47f5d6ce30d2228188a00e0c64231af2213322ef7e10eea17bce97693904fb560dddd222b6836c745e049b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dc86af6-2b8c-46dc-9889-6710d98e06ee.vbs

Filesize
730B

MD5
db2500d81378059207c0e724049bea12

SHA1
9128f8a7cb3a98b75c9a84c814eb29cde234c2a5

SHA256
671ebcca0956a79f5ae68cbf67a24b46e230637b64878fd229672f6b9cb37037

SHA512
c865ace0b69e242041d3e67eff27acf5a3bc7a341d1cad47a7f07328bb8a80ac4743620e5ae090e3116ba39c8af8936667d03cf082b4818afd2fd401b308c606

Download Submit
C:\Users\Admin\AppData\Local\Temp\21fde5ce-20af-4e85-8cc2-8df75452ae56.vbs

Filesize
730B

MD5
126bb8edc65673f2d21d2e2dd549674a

SHA1
cbea975b526530a46b01abdc8bf697293ed9022a

SHA256
39a4b4855a04e6165a837d38cf96f7c213cc1c05beca79c73346f54a845cfe47

SHA512
9e50831236b26747527be5b431a9a0227e31eaf81e612a78cd696a6e0424ccd72cda510b57b617eea62b29288c085a83d2477fdeab4f021d9912ff106b78e82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\537f3ccc-332e-4933-bbbe-8527bf2d5d90.vbs

Filesize
506B

MD5
9458fa370597708f0b4b2bf26150a7ce

SHA1
26a3a98269989df0e4c93be125df6a5f2d0bc1a9

SHA256
cb446efdbbdb8260fd22aeaaf3a6ce159aebb2da3a2251f038a13e25f7ad4c6c

SHA512
1975bf031b8a05ac88cf62236074958e51828740c33ee7742892de396edfa4ea26473abb4f89b3a9ddd42551a9fe12aacbae0a4452eaab8f36cbe37402b007ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a8cf0dd-661d-4e6b-b968-011ec153b850.vbs

Filesize
730B

MD5
31eb3a7122b7b7a0c98185adab726788

SHA1
93373737f83b3b02bda7f175e30df14409c2f5a7

SHA256
743761c2910802d1b961163910c121d953d449d8400323b46888967730238bcf

SHA512
4a9fe50514e059d837177f010897331c1c3fe38abdd04b3e6d00994d48254439282f2f2bb40b29f549c37ab815889ab020fb611ff074b7ebb0bf34a565fc7210

Download Submit
C:\Users\Admin\AppData\Local\Temp\660de2e9-6a01-42bd-9794-31599cc3a54e.vbs

Filesize
730B

MD5
2693a7d68073271b0d589be697c10c89

SHA1
7db288be666b99da2b574ec20d7ae800aa4df0c8

SHA256
911645ae695bd3c9612dd5c277227d332b899c7f1dca55cb87133cd071e27145

SHA512
213ce4eb0d6016f4fb7fb1b5a07bf60a69ca0e1ef2e8ab947430952970f0ca68fe7bbb9b894f8e29b9cfcd61dde9afd063e5f091c9b3e7cb2893ff57d9a27518

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ca5d6d8-a559-416e-8225-eaa1c839bce7.vbs

Filesize
730B

MD5
7e0473a062787831ebc7adc99f6c9b69

SHA1
ef108384fc0c44047cc41c0a6339d7cb2cd89fb4

SHA256
93445d24ceb0cf7bdd728a2d681dc03aba2db2d81f005bab6fe9aae8c2229f7d

SHA512
ab698af7c0da22573a40066966ec49c034956eb8c9f09d6d7c9df449fb126ed203eb1eca0da06bdb333ee052ea7b2bbdcb4d59c286cd9a36fcb572a14ea97cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cc7e16c-fb73-4e90-924b-8522868a8d35.vbs

Filesize
730B

MD5
3883b38af3de63b693c24e4cd56beba8

SHA1
3ff6b202d5057b951918cba5852eb7f61f2b84f2

SHA256
213c27a011910a1e7f93ddf074040801dde77dbce3783d93297405db3c7bf20f

SHA512
a448bc64bd98fc92a57d8a13d707bb888bddcce6eb3461470bd87cb873579d832261f1d5a0a14c4194685b782fed1bc6ad0d6171a83eff0c7d1ba981c78783b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VXkPT9VgOb.bat

Filesize
219B

MD5
c51dae164f12700f226c003acfd4e0b2

SHA1
9c9611517b9a2b09df5d1cd7cb504e7c0d164c69

SHA256
28536acc1a0786f800cfb4f623deabd2fcc78b313f1414554a3d26d46349242c

SHA512
40f0e604ab1047c41a9ae54166dcbf98e5dbff6325529001c7e19921623198c94a1594deb5eb60113b84a2385a843797a748cf56abbb86727e30fb7134e3db4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8b9672f-652e-462e-a994-8362cc1a58d7.vbs

Filesize
730B

MD5
02206cc4cf14018a4bb1620550376aa1

SHA1
c3be24e0f968b28b8a37f8cf1f28f7d14d44e039

SHA256
d0f0a18cb07ad42deaf008aeb0c9482a0f18e75969b9a945e3731ac13dd169e0

SHA512
8ba406c9321fbeec92bcd8a4f8fc6246bb6c233da5c7e8e5aa6f87878b241fb5ceffb851a23f13788d1d38a193f7380bf442ea14fea79176c56c97fdb16a5682

Download Submit
C:\Users\Admin\AppData\Local\Temp\dba89bb5-6ec9-4877-9dc3-9279f774f9c5.vbs

Filesize
730B

MD5
cce8ab731f48fbbc271e6cb7faf8aa99

SHA1
4fa841e4d7f4c38470aad6e40bd9d74ab70b4f73

SHA256
c2ad1a74aeee9a12bd64b4fa00cdf0631011b9fe8ea750994b2bd3d9ec9c6c75

SHA512
fcecd29f02e2896020417741b356d8948fea2bb69eed20a06e85b8e9b00829b73353b644dd216925a927775b2bd2b02db99e31d9cf2c4e45d08543bbcdcd5bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3778926-f66a-402b-8e12-64d5da658767.vbs

Filesize
730B

MD5
6bd220eaa089fc69efb8dd59bffbc783

SHA1
9a7df78295b18a97a973474cb65c36c527472308

SHA256
513780d88cfd2674f3c4669bba88e1a13903a8bd44ec69dd79abd57811a1c430

SHA512
8505310292fcd8776862c18af58c350e67e0820c1aa9826965ecfd091751ced38b68fe67eace60fb194432970805b141fb85e03ab6727b64c3e8f9647b2a8ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB8E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
734e2bf0c359aa48a37d49b9210645af

SHA1
6dfb94eaa1f9a292944fa63081ac2a168f013e3b

SHA256
940510acb9d03d6cabfdb4774ad2313854e9da288e50a211c49b8aa5f0dbe35a

SHA512
a283316ad2396d5938735deeacde1fbcb38f7090e9ef2e0fda2f0277c3e53d2a3e4da99918d01a4f8ee45875953efcdc4e2ec8523e7ea39118d3ecb0caffae8b

Download Submit
memory/572-135-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/904-152-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/1116-187-0x0000000000F00000-0x00000000013F4000-memory.dmp

Filesize
5.0MB

Download
memory/1480-291-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/1532-276-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/1624-231-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/1700-201-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2108-261-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/2636-246-0x0000000000A60000-0x0000000000F54000-memory.dmp

Filesize
5.0MB

Download
memory/2760-216-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2796-320-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/2944-8-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2944-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2944-4-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2944-7-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2944-9-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2944-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-10-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2944-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2944-11-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2944-3-0x000000001B770000-0x000000001B89E000-memory.dmp

Filesize
1.2MB

Download
memory/2944-12-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/2944-136-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-13-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/2944-1-0x0000000000A10000-0x0000000000F04000-memory.dmp

Filesize
5.0MB

Download
memory/2944-14-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2944-15-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2944-5-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2944-16-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download