dcrat | 15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Size

4.9MB
MD5

0ebd2dc160f7d5627aef291ba8fe1723
SHA1

f19f6aae9588fa548e768924114b4a6ca6021c9e
SHA256

15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5
SHA512

aa5dd361118de60d42e5cb1fec62011cda145d721c04f736d2e27984e7eb478e884bacc5f5ac7b957d3e2786035341d1906886a0eed511ec3e54278e68dbc161
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx82:u

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2576	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1560-3-0x000000001B540000-0x000000001B66E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
2208	powershell.exe
1592	powershell.exe
2092	powershell.exe
1828	powershell.exe
3016	powershell.exe
1508	powershell.exe
1716	powershell.exe
2032	powershell.exe
2440	powershell.exe
2528	powershell.exe
2972	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2572	WMIADAP.exe
1692	WMIADAP.exe
2460	WMIADAP.exe
1792	WMIADAP.exe
844	WMIADAP.exe
2644	WMIADAP.exe
1748	WMIADAP.exe
960	WMIADAP.exe
2992	WMIADAP.exe
1800	WMIADAP.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\dllhost.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File created	C:\Windows\ModemLogs\5940a34987c991	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\ModemLogs\RCXFEAC.tmp	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
File opened for modification	C:\Windows\ModemLogs\dllhost.exe	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
2588	schtasks.exe
1400	schtasks.exe
1544	schtasks.exe
1680	schtasks.exe
588	schtasks.exe
768	schtasks.exe
1944	schtasks.exe
2240	schtasks.exe
1504	schtasks.exe
1404	schtasks.exe
264	schtasks.exe
2972	schtasks.exe
2976	schtasks.exe
2644	schtasks.exe
1644	schtasks.exe
2224	schtasks.exe
964	schtasks.exe
1704	schtasks.exe
2728	schtasks.exe
2988	schtasks.exe
1768	schtasks.exe
1916	schtasks.exe
1748	schtasks.exe
680	schtasks.exe
1600	schtasks.exe
1960	schtasks.exe
2616	schtasks.exe
1856	schtasks.exe
1240	schtasks.exe
2412	schtasks.exe
2900	schtasks.exe
896	schtasks.exe
816	schtasks.exe
2308	schtasks.exe
2912	schtasks.exe
1604	schtasks.exe
1952	schtasks.exe
2088	schtasks.exe
2152	schtasks.exe
1608	schtasks.exe
2484	schtasks.exe
2732	schtasks.exe
2556	schtasks.exe
2136	schtasks.exe
2352	schtasks.exe
1512	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
2524	powershell.exe
1508	powershell.exe
1592	powershell.exe
2972	powershell.exe
1716	powershell.exe
2032	powershell.exe
2208	powershell.exe
2440	powershell.exe
2528	powershell.exe
2092	powershell.exe
3016	powershell.exe
1828	powershell.exe
2572	WMIADAP.exe
1692	WMIADAP.exe
2460	WMIADAP.exe
1792	WMIADAP.exe
844	WMIADAP.exe
2644	WMIADAP.exe
1748	WMIADAP.exe
960	WMIADAP.exe
2992	WMIADAP.exe
1800	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2572	WMIADAP.exe
Token: SeDebugPrivilege	1692	WMIADAP.exe
Token: SeDebugPrivilege	2460	WMIADAP.exe
Token: SeDebugPrivilege	1792	WMIADAP.exe
Token: SeDebugPrivilege	844	WMIADAP.exe
Token: SeDebugPrivilege	2644	WMIADAP.exe
Token: SeDebugPrivilege	1748	WMIADAP.exe
Token: SeDebugPrivilege	960	WMIADAP.exe
Token: SeDebugPrivilege	2992	WMIADAP.exe
Token: SeDebugPrivilege	1800	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2528	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	80
PID 1560 wrote to memory of 2528	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	80
PID 1560 wrote to memory of 2528	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	80
PID 1560 wrote to memory of 1828	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	81
PID 1560 wrote to memory of 1828	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	81
PID 1560 wrote to memory of 1828	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	81
PID 1560 wrote to memory of 3016	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	83
PID 1560 wrote to memory of 3016	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	83
PID 1560 wrote to memory of 3016	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	83
PID 1560 wrote to memory of 2972	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	84
PID 1560 wrote to memory of 2972	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	84
PID 1560 wrote to memory of 2972	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	84
PID 1560 wrote to memory of 1716	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	86
PID 1560 wrote to memory of 1716	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	86
PID 1560 wrote to memory of 1716	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	86
PID 1560 wrote to memory of 1508	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	87
PID 1560 wrote to memory of 1508	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	87
PID 1560 wrote to memory of 1508	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	87
PID 1560 wrote to memory of 2524	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	89
PID 1560 wrote to memory of 2524	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	89
PID 1560 wrote to memory of 2524	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	89
PID 1560 wrote to memory of 2032	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	92
PID 1560 wrote to memory of 2032	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	92
PID 1560 wrote to memory of 2032	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	92
PID 1560 wrote to memory of 2092	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	94
PID 1560 wrote to memory of 2092	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	94
PID 1560 wrote to memory of 2092	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	94
PID 1560 wrote to memory of 2440	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	95
PID 1560 wrote to memory of 2440	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	95
PID 1560 wrote to memory of 2440	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	95
PID 1560 wrote to memory of 1592	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	96
PID 1560 wrote to memory of 1592	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	96
PID 1560 wrote to memory of 1592	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	96
PID 1560 wrote to memory of 2208	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	97
PID 1560 wrote to memory of 2208	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	97
PID 1560 wrote to memory of 2208	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	97
PID 1560 wrote to memory of 1708	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	104
PID 1560 wrote to memory of 1708	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	104
PID 1560 wrote to memory of 1708	1560	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe	104
PID 1708 wrote to memory of 2308	1708	cmd.exe	106
PID 1708 wrote to memory of 2308	1708	cmd.exe	106
PID 1708 wrote to memory of 2308	1708	cmd.exe	106
PID 1708 wrote to memory of 2572	1708	cmd.exe	107
PID 1708 wrote to memory of 2572	1708	cmd.exe	107
PID 1708 wrote to memory of 2572	1708	cmd.exe	107
PID 2572 wrote to memory of 984	2572	WMIADAP.exe	108
PID 2572 wrote to memory of 984	2572	WMIADAP.exe	108
PID 2572 wrote to memory of 984	2572	WMIADAP.exe	108
PID 2572 wrote to memory of 2076	2572	WMIADAP.exe	109
PID 2572 wrote to memory of 2076	2572	WMIADAP.exe	109
PID 2572 wrote to memory of 2076	2572	WMIADAP.exe	109
PID 984 wrote to memory of 1692	984	WScript.exe	110
PID 984 wrote to memory of 1692	984	WScript.exe	110
PID 984 wrote to memory of 1692	984	WScript.exe	110
PID 1692 wrote to memory of 1784	1692	WMIADAP.exe	111
PID 1692 wrote to memory of 1784	1692	WMIADAP.exe	111
PID 1692 wrote to memory of 1784	1692	WMIADAP.exe	111
PID 1692 wrote to memory of 2516	1692	WMIADAP.exe	112
PID 1692 wrote to memory of 2516	1692	WMIADAP.exe	112
PID 1692 wrote to memory of 2516	1692	WMIADAP.exe	112
PID 1784 wrote to memory of 2460	1784	WScript.exe	113
PID 1784 wrote to memory of 2460	1784	WScript.exe	113
PID 1784 wrote to memory of 2460	1784	WScript.exe	113
PID 2460 wrote to memory of 2020	2460	WMIADAP.exe	114

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WMIADAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WMIADAP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe
"C:\Users\Admin\AppData\Local\Temp\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gGyfAl4BFq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2308
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c2a062-7eec-4f87-a53a-0167d4dd16f5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1692
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c078370b-9a30-495a-aed8-40b6ce74c6e1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b81d17-9455-4b9c-968c-5d7c7303be37.vbs"
        8⤵
        
        PID:2020
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e10a24-3d74-4c0f-aade-b9666060e193.vbs"
        10⤵
        
        PID:2148
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a7cf21-b5a2-44e1-9ab0-83002f581339.vbs"
        12⤵
        
        PID:572
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d936df5a-1362-49a2-8602-f1310699ebc3.vbs"
        14⤵
        
        PID:1604
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d314d8-896f-44cd-a641-2183e81f8fd1.vbs"
        16⤵
        
        PID:2300
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b04b9e-7274-46d3-9982-e18d1448e463.vbs"
        18⤵
        
        PID:2220
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc448833-8a4b-4410-99e7-62fe5d0ce8c1.vbs"
        20⤵
        
        PID:2468
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79c64a6-bc1b-4ccf-bde3-e5445d10d69b.vbs"
        20⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9273a077-428b-4595-881f-ab801c2d24f9.vbs"
        18⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e4a62f-2e59-412c-bf6a-f629534532b2.vbs"
        16⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eed09a5-d2fe-426e-adc1-d93e1f25ccff.vbs"
        14⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5570f98-de80-46dd-8861-f21ab5ba3cf6.vbs"
        12⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31a2151-4787-44f3-ad62-c7b36a372368.vbs"
        10⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401d4a22-35c8-4c5f-a690-503fa33eb6ca.vbs"
        8⤵
        
        PID:2120
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c9b40b-8d24-46ce-81f4-723e69d0773e.vbs"
        6⤵
        
        PID:2516
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6d71b2c-f901-460b-a60f-9a82b9631218.vbs"
      4⤵
      PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f51" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5" /sc ONLOGON /tr "'C:\Users\Admin\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f51" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\dwm.exe

Filesize
4.9MB

MD5
0ebd2dc160f7d5627aef291ba8fe1723

SHA1
f19f6aae9588fa548e768924114b4a6ca6021c9e

SHA256
15fd90bfb776a44c67a43066c4e4bf093bf0b724c7c1ca9c3379e9b94ea270f5

SHA512
aa5dd361118de60d42e5cb1fec62011cda145d721c04f736d2e27984e7eb478e884bacc5f5ac7b957d3e2786035341d1906886a0eed511ec3e54278e68dbc161

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\dwm.exe

Filesize
4.9MB

MD5
0e7f0ee3c616ccca474183d141ddc6af

SHA1
65d8cc419d56a2b37abeaf6f8a83cd568b831463

SHA256
fbd0c0c78d5e4ccfe2509c31f6509e9e831d14e0a65b9077bf21a1b750c07899

SHA512
40982cc9ecd1ba28f0ceb4e59ef52ab7bde7beca9149c138d7a20e62815a7f46a5992ad4f68c512e70a561f7cf498bf7f03c9035a83bbea36e47ee4d5ccf9ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\05c2a062-7eec-4f87-a53a-0167d4dd16f5.vbs

Filesize
736B

MD5
430df7b8c0fa42be7941294336900b3c

SHA1
1323de7302480cf767368f5a3c53b1426ad2de04

SHA256
838d63dde23ce810f6c4f632c14d06b73177f01f40381c9f707cc2f06757769d

SHA512
0da53a4cd7f3f594f9dc64534a432d34f553ecba4ba62a35343d5a314b9a534cc41e1cadb348ded3c2862fb899dd4ab8981cb33285031db2da19dac70ee35448

Download Submit
C:\Users\Admin\AppData\Local\Temp\59b04b9e-7274-46d3-9982-e18d1448e463.vbs

Filesize
735B

MD5
d605edd8ee108cfc2c3d6e10ba2136f4

SHA1
2817c8e02095d6cb105bec84b46efa8daf56ab46

SHA256
3f1f91d06ad68218e2181a23c5b20f136f7a9d2596f16fdda05523843b5f01f5

SHA512
8a09fd2d97f4f219e9aa367825a03be3729bd5284d5138469bdbdef2f5f667a94886fcab48a3ed084568cdafdecfe8392dd4e909298212b7d1aa2e16c7a295f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\59b81d17-9455-4b9c-968c-5d7c7303be37.vbs

Filesize
736B

MD5
10b8313569a42cb808b43bbbf3865389

SHA1
cd31e819e5fb6e1300e917291594e70ee9569008

SHA256
bfbb90a4e21d10e2653c72b2f55d56a18e428a209790f4eaf5e01f7c46a4ffe1

SHA512
aae1b4846f39f6ed85ae94901fa7d7e3cf20d802ca7a486360a105265218e2e40f410c67358e37ec52798ed1f3d5b4bec7adb640950b0fbbf651104834e35200

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6d71b2c-f901-460b-a60f-9a82b9631218.vbs

Filesize
512B

MD5
ca976b5c30a7a3da5e499650469f0448

SHA1
68c2011e9512f408e8dbf8d91586c4a84c83a875

SHA256
2b07a7d2b9f7315a7c25763a48aff7d5a652282eb000d111293ce34ea154d36a

SHA512
f496d832804f9e345ace6c6e730290e75f2f8145fd7ea62227e426699bd91f13af33774173b174970aeed2ce166f0798b766def45a3b462a9fcbd4d159050cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c078370b-9a30-495a-aed8-40b6ce74c6e1.vbs

Filesize
736B

MD5
59f2312c48bf032e5672e267a08afe53

SHA1
38df1ba7f7d292166ca44941636c23008eb0893e

SHA256
7b4363af97f0c5cdc28a2bb7dcc50a6c42ef8b01a77559fbdb050b06877aba2e

SHA512
8e93979b1cbdd3874ca0ae9df9949e47647cd50587f68e63aa3243f5b8678980582501e24c518a64db71ecc1e423fea10b39168b601e4a50d709e2ef91d6c356

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0d314d8-896f-44cd-a641-2183e81f8fd1.vbs

Filesize
736B

MD5
2bd0b0f551e9baac0b46b33a98ff33c5

SHA1
ab7be5cbbaa204ae3d7f9820954bf2ed6ab01efd

SHA256
a92d63992b70119cb7685b1a3a6043d8bac573c5454b1d707ae1ce9a634b7ae0

SHA512
e0434c1bd7dd043cd034364f64983ff8695d642d8fb75f6a0b6b04018dc520ddfe521b47c5d5d1822cfcc6ad368a835ea1eb2ae9b8131327e4d516181aba3422

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4a7cf21-b5a2-44e1-9ab0-83002f581339.vbs

Filesize
735B

MD5
af1c0df302fd2f55503960525224ea69

SHA1
4c1c497a09f35b7467345866d78f9cc983b3e667

SHA256
85d1eee7d6b40948a4af6422ce0a172208e5bd2bf4fa8fb040c2dc32477330f5

SHA512
d4797d8351e5f7b405900f24c5ffa662602a202b51c778717271de3f139a5e3f543e74f91ecc05fc07db26ad7af209102a954def54d821931bfc401f13ecaf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\d936df5a-1362-49a2-8602-f1310699ebc3.vbs

Filesize
736B

MD5
59c4b6fd9a2fa3798a6a186daedd3bc4

SHA1
c0673cc78f5d94c616746ad236d856942f113764

SHA256
dc97f8b4285b99722639463c4274fdccfaab2f9853c416e36ce5d22d8b61227c

SHA512
2cf2a1c3e736881923c462e4d02fad10a9ccf3b8b2203392bf9e6f1d80f7bee8e04cedc92e9b3e0224b6ed38596c641f953ee61d6f8c21911ab8933affc49b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc448833-8a4b-4410-99e7-62fe5d0ce8c1.vbs

Filesize
736B

MD5
585025702a39981b5d840e20ec2b6f7e

SHA1
86c3f382275695f00aee33806ac3bb6516af63ca

SHA256
e1af816e6009eb7b050c1c5c5bf0e2b340c16cfc54a9b89bbb352d5938a6aaf5

SHA512
14714e1ccc50a2ed093bdef730ebf97e407119a90ccd99020d4bab920fcc9552ebfb2b4430c8c66443934715e0ea679b288d7e69fb40f16026262fc4c3aa65e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6e10a24-3d74-4c0f-aade-b9666060e193.vbs

Filesize
736B

MD5
7d1500d00eaebad1965e5f16f32329be

SHA1
8808664b88ca799654a795722c1096bff2a68467

SHA256
7c73e5c1fb1d0e2c2dbdd51d815f1fa1c1c511822e162e43cc5c2603f00bf36f

SHA512
71a72a60dce7b693386cc5a68f765a84575a8a10630e1ec7cfe450cef6c64c1629792c7adfb93a15751994db4cb9d36452a7151dba0edcb1566afbc6f28ea556

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGyfAl4BFq.bat

Filesize
225B

MD5
2e4379949160dab96929abc3a89407fa

SHA1
ae18444ab466bc05f9b4572aedd0c837efc7eef2

SHA256
4de0e06fca388aa703a147a42ef8896e97f0466f0cb3b0fb679c5f2268bbf10f

SHA512
be787250b2b63b9a839f258a4df8b60eac2e1a60ebf7f426589964a52b6801bebf3c0ee9aa169fe8f2b72d8701a67f215052e9b893c3498c871bfe2bf5577a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp48B4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1LTBWLZUWBMYXZO924YF.temp

Filesize
7KB

MD5
50fb21a85d275435266f9d8bb3c16c27

SHA1
f3092251540a7c966532e6dfca9e74b08f37ce2f

SHA256
506baef8fb0834a9de9fbfa367fb97d471ea0882f3aeb43e889d3dcee9fa4e53

SHA512
50057d0ec03baf3e0726d935abf8eed56065826c6bc4e512e8d8a0b51a1522ee54bbe3e21214f3750aa978fa71831176a22c27a02a07a176e7f7929f38360f2b

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
4.9MB

MD5
f537f78f3958bd90b141e35b7d8b78ce

SHA1
e9dfc9ea37465168eb976d59e6e20fe7f76bf119

SHA256
7a09e89aa03155b64a620744769297b1afbaee5d6a55939057b841fbfef7c4c7

SHA512
4d3e527da1f2dd7fe57c90f282da55b06a513bc473a9c2662271cca51d92c7ef2669a19128ce106559c377dcd70f1e4371610fecccb1d0ab5d34618119126b03

Download Submit
memory/844-284-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/960-329-0x0000000000D20000-0x0000000001214000-memory.dmp

Filesize
5.0MB

Download
memory/1560-12-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/1560-10-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1560-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1560-148-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1560-1-0x0000000000F60000-0x0000000001454000-memory.dmp

Filesize
5.0MB

Download
memory/1560-186-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/1560-3-0x000000001B540000-0x000000001B66E000-memory.dmp

Filesize
1.2MB

Download
memory/1560-4-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/1560-13-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/1560-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

Filesize
4KB

Download
memory/1560-11-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1560-5-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1560-140-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

Filesize
4KB

Download
memory/1560-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1560-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1560-8-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/1560-7-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/1692-240-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/1748-314-0x0000000000C40000-0x0000000001134000-memory.dmp

Filesize
5.0MB

Download
memory/1800-359-0x0000000000D30000-0x0000000001224000-memory.dmp

Filesize
5.0MB

Download
memory/2460-255-0x0000000000F90000-0x0000000001484000-memory.dmp

Filesize
5.0MB

Download
memory/2524-183-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2524-191-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/2572-226-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2572-225-0x0000000000C20000-0x0000000001114000-memory.dmp

Filesize
5.0MB

Download
memory/2644-299-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download
memory/2992-344-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download