dcrat | 501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Size

1.4MB
MD5

181d043c0617914801548f09d5b776d4
SHA1

757f042065a3dc2c9f73e635b41f83591c8ad647
SHA256

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad
SHA512

c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574
SSDEEP

24576:6oIREGQw97lGTIYskQyxNtGSKERqWzAcqGv+3spCElJz009I+LU:gRdGcHkBxNYARdzAcqGv+cphlJzxV

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 34 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		2732	schtasks.exe
		2828	schtasks.exe
		2696	schtasks.exe
		2552	schtasks.exe
		848	schtasks.exe
		1372	schtasks.exe
		2928	schtasks.exe
		340	schtasks.exe
		2560	schtasks.exe
		2532	schtasks.exe
		1028	schtasks.exe
		1288	schtasks.exe
		1792	schtasks.exe
		2764	schtasks.exe
		2900	schtasks.exe
		1756	schtasks.exe
		1860	schtasks.exe
		2848	schtasks.exe
		1864	schtasks.exe
		2768	schtasks.exe
		2796	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
		768	schtasks.exe
		2624	schtasks.exe
		3068	schtasks.exe
		3000	schtasks.exe
		2956	schtasks.exe
		3048	schtasks.exe
		2100	schtasks.exe
		2584	schtasks.exe
		1748	schtasks.exe
		2088	schtasks.exe
		1884	schtasks.exe
		1472	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\DPX\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Users\\Admin\\taskhost.exe\", \"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\", \"C:\\Windows\\Logs\\DPX\\WmiPrvSE.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\ja-JP\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1260	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1260	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exe501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2336-1-0x0000000000940000-0x0000000000AA8000-memory.dmp	dcrat
behavioral1/files/0x00050000000195a7-18.dat	dcrat
behavioral1/memory/1420-38-0x0000000000FA0000-0x0000000001108000-memory.dmp	dcrat
behavioral1/memory/2988-61-0x00000000013B0000-0x0000000001518000-memory.dmp	dcrat
behavioral1/memory/2904-73-0x0000000000390000-0x00000000004F8000-memory.dmp	dcrat
behavioral1/memory/2100-85-0x0000000001220000-0x0000000001388000-memory.dmp	dcrat
behavioral1/memory/1676-97-0x0000000000140000-0x00000000002A8000-memory.dmp	dcrat
behavioral1/memory/1448-109-0x0000000000980000-0x0000000000AE8000-memory.dmp	dcrat
behavioral1/memory/2108-120-0x0000000000FF0000-0x0000000001158000-memory.dmp	dcrat
behavioral1/memory/852-143-0x00000000003B0000-0x0000000000518000-memory.dmp	dcrat
behavioral1/memory/1252-155-0x0000000000950000-0x0000000000AB8000-memory.dmp	dcrat
behavioral1/memory/2848-167-0x0000000000090000-0x00000000001F8000-memory.dmp	dcrat
behavioral1/memory/2968-179-0x0000000000FD0000-0x0000000001138000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
1420	spoolsv.exe
788	spoolsv.exe
2988	spoolsv.exe
2904	spoolsv.exe
2100	spoolsv.exe
1676	spoolsv.exe
1448	spoolsv.exe
2108	spoolsv.exe
2940	spoolsv.exe
852	spoolsv.exe
1252	spoolsv.exe
2848	spoolsv.exe
2968	spoolsv.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Logs\\DPX\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Links\\sppsvc.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\taskhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\Links\\sppsvc.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\ja-JP\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\ja-JP\\csrss.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Windows Mail\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad = "\"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad = "\"C:\\Windows\\Resources\\Ease of Access Themes\\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\audiodg.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Google\\CrashReports\\OSPPSVC.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Logs\\DPX\\WmiPrvSE.exe\""	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 10 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\1610b97d3ab4a7	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\csrss.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\1610b97d3ab4a7	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\Windows Mail\WmiPrvSE.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\Windows Mail\24dbde2999530e	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5940a34987c991	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\886983d96e3d3e	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Drops file in Windows directory 4 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Resources\Ease of Access Themes\3ded2dc5e7e2cc	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Logs\DPX\WmiPrvSE.exe	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
File created	C:\Windows\Logs\DPX\24dbde2999530e	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2532	schtasks.exe
2796	schtasks.exe
2732	schtasks.exe
2088	schtasks.exe
2828	schtasks.exe
1864	schtasks.exe
1884	schtasks.exe
3068	schtasks.exe
2560	schtasks.exe
2100	schtasks.exe
2696	schtasks.exe
1472	schtasks.exe
2900	schtasks.exe
1860	schtasks.exe
1028	schtasks.exe
1792	schtasks.exe
848	schtasks.exe
1748	schtasks.exe
2956	schtasks.exe
2928	schtasks.exe
768	schtasks.exe
2584	schtasks.exe
2768	schtasks.exe
1288	schtasks.exe
1372	schtasks.exe
1756	schtasks.exe
340	schtasks.exe
2624	schtasks.exe
2764	schtasks.exe
3048	schtasks.exe
3000	schtasks.exe
2848	schtasks.exe
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
1420	spoolsv.exe
788	spoolsv.exe
2988	spoolsv.exe
2904	spoolsv.exe
2100	spoolsv.exe
1676	spoolsv.exe
1448	spoolsv.exe
2108	spoolsv.exe
2940	spoolsv.exe
852	spoolsv.exe
1252	spoolsv.exe
2848	spoolsv.exe
2968	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Token: SeDebugPrivilege	1420	spoolsv.exe
Token: SeDebugPrivilege	788	spoolsv.exe
Token: SeDebugPrivilege	2988	spoolsv.exe
Token: SeDebugPrivilege	2904	spoolsv.exe
Token: SeDebugPrivilege	2100	spoolsv.exe
Token: SeDebugPrivilege	1676	spoolsv.exe
Token: SeDebugPrivilege	1448	spoolsv.exe
Token: SeDebugPrivilege	2108	spoolsv.exe
Token: SeDebugPrivilege	2940	spoolsv.exe
Token: SeDebugPrivilege	852	spoolsv.exe
Token: SeDebugPrivilege	1252	spoolsv.exe
Token: SeDebugPrivilege	2848	spoolsv.exe
Token: SeDebugPrivilege	2968	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exespoolsv.exe

description	pid	Process	procid_target
PID 2336 wrote to memory of 1420	2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	64
PID 2336 wrote to memory of 1420	2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	64
PID 2336 wrote to memory of 1420	2336	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe	64
PID 1420 wrote to memory of 1592	1420	spoolsv.exe	65
PID 1420 wrote to memory of 1592	1420	spoolsv.exe	65
PID 1420 wrote to memory of 1592	1420	spoolsv.exe	65
PID 1420 wrote to memory of 1848	1420	spoolsv.exe	66
PID 1420 wrote to memory of 1848	1420	spoolsv.exe	66
PID 1420 wrote to memory of 1848	1420	spoolsv.exe	66
PID 1592 wrote to memory of 788	1592	WScript.exe	68
PID 1592 wrote to memory of 788	1592	WScript.exe	68
PID 1592 wrote to memory of 788	1592	WScript.exe	68
PID 788 wrote to memory of 592	788	spoolsv.exe	69
PID 788 wrote to memory of 592	788	spoolsv.exe	69
PID 788 wrote to memory of 592	788	spoolsv.exe	69
PID 788 wrote to memory of 1768	788	spoolsv.exe	70
PID 788 wrote to memory of 1768	788	spoolsv.exe	70
PID 788 wrote to memory of 1768	788	spoolsv.exe	70
PID 592 wrote to memory of 2988	592	WScript.exe	71
PID 592 wrote to memory of 2988	592	WScript.exe	71
PID 592 wrote to memory of 2988	592	WScript.exe	71
PID 2988 wrote to memory of 2752	2988	spoolsv.exe	72
PID 2988 wrote to memory of 2752	2988	spoolsv.exe	72
PID 2988 wrote to memory of 2752	2988	spoolsv.exe	72
PID 2988 wrote to memory of 2568	2988	spoolsv.exe	73
PID 2988 wrote to memory of 2568	2988	spoolsv.exe	73
PID 2988 wrote to memory of 2568	2988	spoolsv.exe	73
PID 2752 wrote to memory of 2904	2752	WScript.exe	74
PID 2752 wrote to memory of 2904	2752	WScript.exe	74
PID 2752 wrote to memory of 2904	2752	WScript.exe	74
PID 2904 wrote to memory of 2240	2904	spoolsv.exe	75
PID 2904 wrote to memory of 2240	2904	spoolsv.exe	75
PID 2904 wrote to memory of 2240	2904	spoolsv.exe	75
PID 2904 wrote to memory of 1156	2904	spoolsv.exe	76
PID 2904 wrote to memory of 1156	2904	spoolsv.exe	76
PID 2904 wrote to memory of 1156	2904	spoolsv.exe	76
PID 2240 wrote to memory of 2100	2240	WScript.exe	77
PID 2240 wrote to memory of 2100	2240	WScript.exe	77
PID 2240 wrote to memory of 2100	2240	WScript.exe	77
PID 2100 wrote to memory of 1864	2100	spoolsv.exe	78
PID 2100 wrote to memory of 1864	2100	spoolsv.exe	78
PID 2100 wrote to memory of 1864	2100	spoolsv.exe	78
PID 2100 wrote to memory of 1472	2100	spoolsv.exe	79
PID 2100 wrote to memory of 1472	2100	spoolsv.exe	79
PID 2100 wrote to memory of 1472	2100	spoolsv.exe	79
PID 1864 wrote to memory of 1676	1864	WScript.exe	80
PID 1864 wrote to memory of 1676	1864	WScript.exe	80
PID 1864 wrote to memory of 1676	1864	WScript.exe	80
PID 1676 wrote to memory of 1732	1676	spoolsv.exe	81
PID 1676 wrote to memory of 1732	1676	spoolsv.exe	81
PID 1676 wrote to memory of 1732	1676	spoolsv.exe	81
PID 1676 wrote to memory of 1424	1676	spoolsv.exe	82
PID 1676 wrote to memory of 1424	1676	spoolsv.exe	82
PID 1676 wrote to memory of 1424	1676	spoolsv.exe	82
PID 1732 wrote to memory of 1448	1732	WScript.exe	83
PID 1732 wrote to memory of 1448	1732	WScript.exe	83
PID 1732 wrote to memory of 1448	1732	WScript.exe	83
PID 1448 wrote to memory of 2192	1448	spoolsv.exe	84
PID 1448 wrote to memory of 2192	1448	spoolsv.exe	84
PID 1448 wrote to memory of 2192	1448	spoolsv.exe	84
PID 1448 wrote to memory of 2588	1448	spoolsv.exe	85
PID 1448 wrote to memory of 2588	1448	spoolsv.exe	85
PID 1448 wrote to memory of 2588	1448	spoolsv.exe	85
PID 2108 wrote to memory of 2768	2108	spoolsv.exe	87

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe
"C:\Users\Admin\AppData\Local\Temp\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2336
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1420
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514551be-7538-4ff7-a025-8ba063d8d33c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
      "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eefdb11-6fb4-4d9b-aaef-40ee181a8d2b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf5af8b-3b05-4eda-b283-b49517c915d4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d8f0ca-9e2e-4b3d-a411-1c1b998d87dd.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67f976e1-96e9-4619-b17b-4be40278e96e.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c386cd-d984-456a-9a26-021c86b8a2ff.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c8f5a50-54e9-45b8-bb11-2f7a631ed2ed.vbs"
        15⤵
        
        PID:2192
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12c33ea2-001e-47f5-ac76-038329e3a364.vbs"
        17⤵
        
        PID:2768
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a54f3ff-ebd6-4a16-a744-599d665c07d2.vbs"
        19⤵
        
        PID:2188
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3c2549d-e65f-4a75-86e2-86c7c26d17f1.vbs"
        21⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d0ad67-a094-42b0-9ca9-f15fead2560f.vbs"
        23⤵
        
        PID:2980
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e86da2-37b0-475b-b254-38f422fd0721.vbs"
        25⤵
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2490d6ca-36c2-42d3-9d14-cdd69c2be555.vbs"
        27⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37104f70-4f3f-439b-989f-a5e7b5aa3122.vbs"
        27⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90a6b8d1-d269-432f-99ed-84ac4527ee61.vbs"
        25⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc7faa47-2871-4e48-8c75-47f455ca8f43.vbs"
        23⤵
        
        PID:700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd7cff4-d611-46c1-b208-13290d5a033a.vbs"
        21⤵
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a489bb17-c9ce-41e2-a5d2-f36aad8cc696.vbs"
        19⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7baa4ecd-d331-448b-8e51-803b92670149.vbs"
        17⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c7f9c15-33b7-4f97-b5a6-62cf917990e1.vbs"
        15⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a21f6212-a00f-471b-bc6b-802ede1057e5.vbs"
        13⤵
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\532e63a2-608a-40b7-910e-3a246cee1add.vbs"
        11⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fc2d927-cf97-46fe-8bf9-244e47efafc6.vbs"
        9⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799b7a11-3e07-47a6-8df9-4b23b7a16145.vbs"
        7⤵
        
        PID:2568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f491e29b-0ca0-4b80-a25e-af9064a947a1.vbs"
        5⤵
        
        PID:1768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3afae6-294a-4597-87c5-153810f3cd9c.vbs"
    3⤵
    PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad5" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad5" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\WmiPrvSE.exe

Filesize
1.4MB

MD5
181d043c0617914801548f09d5b776d4

SHA1
757f042065a3dc2c9f73e635b41f83591c8ad647

SHA256
501aa5f94b15b8716ef7f76e2dbdc146b436cd9e72274d6ec5dec7265706c0ad

SHA512
c56897c04b11db7c09ef21be8fe6a541c3c9ffb428b3e1340fce5b035f9f74bb133b57e7cc0852730efd20b4a49da0e8a79b6390f105d18f9fb39461559be574

Download Submit
C:\Users\Admin\AppData\Local\Temp\00d8f0ca-9e2e-4b3d-a411-1c1b998d87dd.vbs

Filesize
750B

MD5
9950896932e044e8a074d01f1e4f3321

SHA1
f271e57f77c0c7457a30d36255fc92f5428034b9

SHA256
1a79c2b32de8bc9f343ae91bd67a0a1a30e8dbd9f2c6532f1f2bfadc415291f9

SHA512
0514796b812014f96865f57a74f843f7e240b9de5cb5fa05a43a0a5ed35f05ade4216e3bb365f36ee40f11990edb59d89f5f012fd696c30038e6d60df6a8fd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\08e86da2-37b0-475b-b254-38f422fd0721.vbs

Filesize
750B

MD5
c7a0be43c07cedbcd4c94679838550a6

SHA1
185fc69ba2f8d16ada56a66fbb003a99bc976e5f

SHA256
c89594727839716dd18d47b9e147a69bb6e3484f662247830112433da3d5dc32

SHA512
3a66c07228e50684114893be692c7e67fd825584e3cd77d09bf0e97edb7635b0db7a003c9c532d753ffba66fe2530575d2a2670425e745edc10530f4cc5df5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0eefdb11-6fb4-4d9b-aaef-40ee181a8d2b.vbs

Filesize
749B

MD5
2acb33a14157e32c6918de207b2ebac4

SHA1
60fcce052b80bbed632df4f63a9fda63a36d63e7

SHA256
db2ec5fdf157328ffa85d8e322c397c7128c8121f028d9b0bd5ec22a43f7f60f

SHA512
76800fb6a006d2f6a7a2660a2ad0d27bdb1140291180167ffa3dafec6e5fc60d3da72e9a145bc30fd24836c4ce4808fea19eac980421a15da66b42d8c867ca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\12c33ea2-001e-47f5-ac76-038329e3a364.vbs

Filesize
750B

MD5
65049f505853cb04177a2cdcfd029761

SHA1
d4b4d86d8bf56ae2b7e362a697815821d4eed8c2

SHA256
d3f06aa9a9838afc1ee28e57e6cb84a6f2dc7612a450f393a9935be5b4e2a2c7

SHA512
c0a4be629bd23d7ca7a672eb8358f7d20c3e5b7832c60da11bd1fec270dfa180c1c766ca62dd1eecaf1c6bc4f1f00838b13bd04bf9dd7abd3b028bd8bcd2694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2490d6ca-36c2-42d3-9d14-cdd69c2be555.vbs

Filesize
750B

MD5
a71cd048dfb20ee8f55ab506e070351b

SHA1
d09ed99e287e5a16198527a1b951aa57dd53436e

SHA256
f941016d41092c03ab238f3bb2346b1360434ab51276739482d6997f19f4f150

SHA512
739ef99b7e6e6b056c03aad7dcef586be8b794459bb8fd6c158bc761f7e7fd7f409cffc3e28c610f0901c805f020e165b3745498d101575d083a6acabf63babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c3afae6-294a-4597-87c5-153810f3cd9c.vbs

Filesize
526B

MD5
b0c06e050f81feb30ce9a42655037e6e

SHA1
1a14b4ada3691fb30fa1dff68633f3f0cb517734

SHA256
ac32c8ca790dde18af88d1eade7565048ad143895baf4dadd4b72a2ca3f1a646

SHA512
7f492141b2cb2437f822361cffff7409c4bd0c7566ddd33e0c85b8efccda6446640d0f0b5adf6c766d368567e6ddacc6cf22465d514e4ff1eae2eab838547832

Download Submit
C:\Users\Admin\AppData\Local\Temp\514551be-7538-4ff7-a025-8ba063d8d33c.vbs

Filesize
750B

MD5
daff80c8ee34d2a85d27bed221286563

SHA1
94f14968e42de6f18df6db2260867d06a4917acd

SHA256
ea244aea98378c740a3c95add1e0a99f2d748f5aa25c9695ba2a6a5a884f0b1c

SHA512
cb8fbb5af2a3b1623838ad0b111e737a829642a09cd939e62adee5d0a593edab5dad4ac868c1956717cfa6ef813fce8dfdf094a29e45efeb218490190cb95801

Download Submit
C:\Users\Admin\AppData\Local\Temp\67f976e1-96e9-4619-b17b-4be40278e96e.vbs

Filesize
750B

MD5
b169a4e22354a571c54b9276c3e78319

SHA1
66c6804825db6c916feb4711dd7b7489b2ae65af

SHA256
87f56dcba7c916988339b2e03f8343900ab8e35dd6cbba76cb827fc5b3bdf10a

SHA512
260a30f82902b6a52e7c3156be003a0c4a45d6028218547a1e40c5660b5ea9b6f437caf9836625f76ae24279b89e3fce2b230f6d877986954ee938b21f8dcd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a54f3ff-ebd6-4a16-a744-599d665c07d2.vbs

Filesize
750B

MD5
8e4e1ac329cc489f0f540d5fa130ba02

SHA1
808dff2fbd99a1a82c4e6f35bfbd043bab1cdf8e

SHA256
cf8dc45154c66977cebc9b61e104e72edf9d9205feb28acdfe9324862f91d171

SHA512
fa7a5395e309475d084608e7f76e29e42750166ab65dafd5820caabb5c47c9bad5df5e6dd0d263d6ff8d85ce465d88f300ba69cca3f8f7895723a4f777b3ff47

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d0ad67-a094-42b0-9ca9-f15fead2560f.vbs

Filesize
750B

MD5
17bfdfa79065e1ee00eb0fbc3600e207

SHA1
d71fa1b645fb2496dac2baccbee78d3a3319fc0d

SHA256
b85630d71946bd25bd99b6dba5fe7b1a6c50fdcf22760444273b68de69cdbceb

SHA512
7b774b9303ba0d8617f821846a53b7b6cf3b94d58ecce72263ecf7fe2f0ed7c7b4a26cdee8b46959de30b555547149f7a29dfb5f50e3c098f01bbaa72d90c9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcf5af8b-3b05-4eda-b283-b49517c915d4.vbs

Filesize
750B

MD5
8103d1928c155b17f52af6e976222034

SHA1
eaf8cd9bdcc8504dfd7de56fa8b69efe5d71f489

SHA256
fbc1135e31606a371d5feb47540683b1b023d15205bac6f4262b76b028200f05

SHA512
979775a44116e05be2517979d4c47fb58c6f6f6b787f6f2ebc6d9a38c0ec1bf69ee5b2ad84101a354f749c68e88452a2128cdd2e9679c9e0bbac49fceec8a649

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3c2549d-e65f-4a75-86e2-86c7c26d17f1.vbs

Filesize
749B

MD5
5e3248989eb8f9a8b6b36d2b879bff6c

SHA1
80159853f98d5732e54b59fa12eb6bcaf80e4d2f

SHA256
5b2e645bc16e787f60187bfd2cd4e653272bd99fa082b489177ee13ad991ab15

SHA512
4729ef902cc26def0efb7e373f1b6a41cef77b37d989e24390bcae86ebaf8d8bed8cdf47265b337308029542ffea3d1a8dbfcaaf7e2b1bf9336ee33e9de56dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3c386cd-d984-456a-9a26-021c86b8a2ff.vbs

Filesize
750B

MD5
46518055228c2716a529b5bb519b1f88

SHA1
e19c0bf20df2d9c848a6917397d04b3d3b51055a

SHA256
0a9ceba17c77cc11b79e4d438ea1c3f1a02c6e3517e240ee62842e83a6fc0fe8

SHA512
7dabbe917e92f1187e6551fb58f42b2749f0631b88543c3f1b7d176dc328b5a5727bd61d6dbcac053a8ce7bf5d02e56d1a891585348efcbd3b88d40e215eee08

Download Submit
memory/852-143-0x00000000003B0000-0x0000000000518000-memory.dmp

Filesize
1.4MB

Download
memory/1252-155-0x0000000000950000-0x0000000000AB8000-memory.dmp

Filesize
1.4MB

Download
memory/1420-38-0x0000000000FA0000-0x0000000001108000-memory.dmp

Filesize
1.4MB

Download
memory/1448-109-0x0000000000980000-0x0000000000AE8000-memory.dmp

Filesize
1.4MB

Download
memory/1676-97-0x0000000000140000-0x00000000002A8000-memory.dmp

Filesize
1.4MB

Download
memory/2100-85-0x0000000001220000-0x0000000001388000-memory.dmp

Filesize
1.4MB

Download
memory/2108-120-0x0000000000FF0000-0x0000000001158000-memory.dmp

Filesize
1.4MB

Download
memory/2336-9-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/2336-6-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2336-1-0x0000000000940000-0x0000000000AA8000-memory.dmp

Filesize
1.4MB

Download
memory/2336-39-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2336-7-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2336-2-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-4-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2336-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2848-167-0x0000000000090000-0x00000000001F8000-memory.dmp

Filesize
1.4MB

Download
memory/2904-73-0x0000000000390000-0x00000000004F8000-memory.dmp

Filesize
1.4MB

Download
memory/2968-179-0x0000000000FD0000-0x0000000001138000-memory.dmp

Filesize
1.4MB

Download
memory/2988-61-0x00000000013B0000-0x0000000001518000-memory.dmp

Filesize
1.4MB

Download