dcrat | ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Size

4.9MB
MD5

e971629e36a2f21bee6fe62b7a1f4b90
SHA1

43b66bb199d2d5aa4344a8f209578ded14d969fd
SHA256

ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373b
SHA512

70ae95e50548977ac1ceeaae65d0a80c911121aa7831bc0dc9edfa6d975feb11d0239966d2875c9dc238850220fa4d9f22ee45125ebc5f6a45a64befc0e9547b
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2872	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2872	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
564	powershell.exe
1132	powershell.exe
2840	powershell.exe
2324	powershell.exe
2412	powershell.exe
2176	powershell.exe
2020	powershell.exe
1316	powershell.exe
2592	powershell.exe
2792	powershell.exe
592	powershell.exe
1504	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2052	WmiPrvSE.exe
1944	WmiPrvSE.exe
2044	WmiPrvSE.exe
2472	WmiPrvSE.exe
2148	WmiPrvSE.exe
1696	WmiPrvSE.exe
1804	WmiPrvSE.exe
1336	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX2458.tmp	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsass.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6203df4a6bafc7	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\886983d96e3d3e	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX1F76.tmp	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\lsass.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppCompat\Programs\csrss.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Windows\Registration\RCX39F5.tmp	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Windows\Registration\taskhost.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Windows\AppCompat\Programs\csrss.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Windows\AppCompat\Programs\886983d96e3d3e	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Windows\Registration\taskhost.exe	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File created	C:\Windows\Registration\b75386f1303e64	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX3178.tmp	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2412	schtasks.exe
2460	schtasks.exe
1924	schtasks.exe
2384	schtasks.exe
2472	schtasks.exe
1788	schtasks.exe
2564	schtasks.exe
564	schtasks.exe
580	schtasks.exe
320	schtasks.exe
1856	schtasks.exe
1960	schtasks.exe
2100	schtasks.exe
2816	schtasks.exe
2632	schtasks.exe
3004	schtasks.exe
2852	schtasks.exe
2732	schtasks.exe
2528	schtasks.exe
1872	schtasks.exe
940	schtasks.exe
1140	schtasks.exe
2652	schtasks.exe
992	schtasks.exe
1144	schtasks.exe
2320	schtasks.exe
632	schtasks.exe
944	schtasks.exe
1784	schtasks.exe
1076	schtasks.exe
1624	schtasks.exe
752	schtasks.exe
2424	schtasks.exe
1908	schtasks.exe
1964	schtasks.exe
1716	schtasks.exe
1968	schtasks.exe
2728	schtasks.exe
2960	schtasks.exe
1852	schtasks.exe
884	schtasks.exe
2984	schtasks.exe
1260	schtasks.exe
2624	schtasks.exe
1520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
1316	powershell.exe
592	powershell.exe
2592	powershell.exe
2324	powershell.exe
1504	powershell.exe
564	powershell.exe
2020	powershell.exe
1132	powershell.exe
2176	powershell.exe
2792	powershell.exe
2412	powershell.exe
2840	powershell.exe
2052	WmiPrvSE.exe
1944	WmiPrvSE.exe
2044	WmiPrvSE.exe
2472	WmiPrvSE.exe
2148	WmiPrvSE.exe
1696	WmiPrvSE.exe
1804	WmiPrvSE.exe
1336	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2052	WmiPrvSE.exe
Token: SeDebugPrivilege	1944	WmiPrvSE.exe
Token: SeDebugPrivilege	2044	WmiPrvSE.exe
Token: SeDebugPrivilege	2472	WmiPrvSE.exe
Token: SeDebugPrivilege	2148	WmiPrvSE.exe
Token: SeDebugPrivilege	1696	WmiPrvSE.exe
Token: SeDebugPrivilege	1804	WmiPrvSE.exe
Token: SeDebugPrivilege	1336	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	76
PID 2364 wrote to memory of 2592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	76
PID 2364 wrote to memory of 2592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	76
PID 2364 wrote to memory of 2324	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	77
PID 2364 wrote to memory of 2324	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	77
PID 2364 wrote to memory of 2324	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	77
PID 2364 wrote to memory of 592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	78
PID 2364 wrote to memory of 592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	78
PID 2364 wrote to memory of 592	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	78
PID 2364 wrote to memory of 2792	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	80
PID 2364 wrote to memory of 2792	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	80
PID 2364 wrote to memory of 2792	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	80
PID 2364 wrote to memory of 2840	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	83
PID 2364 wrote to memory of 2840	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	83
PID 2364 wrote to memory of 2840	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	83
PID 2364 wrote to memory of 2412	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	85
PID 2364 wrote to memory of 2412	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	85
PID 2364 wrote to memory of 2412	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	85
PID 2364 wrote to memory of 1504	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	86
PID 2364 wrote to memory of 1504	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	86
PID 2364 wrote to memory of 1504	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	86
PID 2364 wrote to memory of 1132	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	87
PID 2364 wrote to memory of 1132	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	87
PID 2364 wrote to memory of 1132	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	87
PID 2364 wrote to memory of 2020	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	88
PID 2364 wrote to memory of 2020	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	88
PID 2364 wrote to memory of 2020	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	88
PID 2364 wrote to memory of 2176	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	89
PID 2364 wrote to memory of 2176	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	89
PID 2364 wrote to memory of 2176	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	89
PID 2364 wrote to memory of 564	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	90
PID 2364 wrote to memory of 564	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	90
PID 2364 wrote to memory of 564	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	90
PID 2364 wrote to memory of 1316	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	91
PID 2364 wrote to memory of 1316	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	91
PID 2364 wrote to memory of 1316	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	91
PID 2364 wrote to memory of 2052	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	100
PID 2364 wrote to memory of 2052	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	100
PID 2364 wrote to memory of 2052	2364	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe	100
PID 2052 wrote to memory of 2056	2052	WmiPrvSE.exe	101
PID 2052 wrote to memory of 2056	2052	WmiPrvSE.exe	101
PID 2052 wrote to memory of 2056	2052	WmiPrvSE.exe	101
PID 2052 wrote to memory of 2392	2052	WmiPrvSE.exe	102
PID 2052 wrote to memory of 2392	2052	WmiPrvSE.exe	102
PID 2052 wrote to memory of 2392	2052	WmiPrvSE.exe	102
PID 2056 wrote to memory of 1944	2056	WScript.exe	103
PID 2056 wrote to memory of 1944	2056	WScript.exe	103
PID 2056 wrote to memory of 1944	2056	WScript.exe	103
PID 1944 wrote to memory of 632	1944	WmiPrvSE.exe	104
PID 1944 wrote to memory of 632	1944	WmiPrvSE.exe	104
PID 1944 wrote to memory of 632	1944	WmiPrvSE.exe	104
PID 1944 wrote to memory of 848	1944	WmiPrvSE.exe	105
PID 1944 wrote to memory of 848	1944	WmiPrvSE.exe	105
PID 1944 wrote to memory of 848	1944	WmiPrvSE.exe	105
PID 632 wrote to memory of 2044	632	WScript.exe	106
PID 632 wrote to memory of 2044	632	WScript.exe	106
PID 632 wrote to memory of 2044	632	WScript.exe	106
PID 2044 wrote to memory of 272	2044	WmiPrvSE.exe	107
PID 2044 wrote to memory of 272	2044	WmiPrvSE.exe	107
PID 2044 wrote to memory of 272	2044	WmiPrvSE.exe	107
PID 2044 wrote to memory of 2844	2044	WmiPrvSE.exe	108
PID 2044 wrote to memory of 2844	2044	WmiPrvSE.exe	108
PID 2044 wrote to memory of 2844	2044	WmiPrvSE.exe	108
PID 272 wrote to memory of 2472	272	WScript.exe	109

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe
"C:\Users\Admin\AppData\Local\Temp\ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9e396de-4504-4292-8c2b-7acc5573acaa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
      C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1944
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ade09310-beca-4b3c-b0fd-173431fd09db.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a137ac0-c6b5-40b2-b8bd-9b85c4581181.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c4469a2-21b6-449c-b52f-0794a194615a.vbs"
        9⤵
        
        PID:1264
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be138519-f02e-4591-a66f-d1eb8205c4cf.vbs"
        11⤵
        
        PID:1248
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49ee9dd3-745a-4652-8a93-532fe4a718f6.vbs"
        13⤵
        
        PID:2540
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f93d7b31-21d9-40a8-a662-4902cd059738.vbs"
        15⤵
        
        PID:2680
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d209203d-4762-4d83-8a03-19415d266273.vbs"
        17⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6d53d12-64fb-413a-b892-c7da77678dc5.vbs"
        17⤵
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13798650-b12a-44b3-9382-b6251fe591a9.vbs"
        15⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d37c80-d7d9-4155-805e-c4f13329176e.vbs"
        13⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97145679-e0db-470e-a3fe-6c70ff4035d2.vbs"
        11⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045e4d91-5902-43e9-b0b4-5addee1e483d.vbs"
        9⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9492a400-cdb1-4e8c-97f9-b1ef2fa5b3ff.vbs"
        7⤵
        
        PID:2844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fa32930-abd1-4584-9e1b-5ed8dbc4474a.vbs"
        5⤵
        
        PID:848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74778bbf-9faa-4c08-9a6a-ee20f9c95c7d.vbs"
    3⤵
    PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bNe" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bNe" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373bN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Vault\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Vault\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Vault\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Registration\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX2458.tmp

Filesize
4.9MB

MD5
4ba30d8dca2c3bf1cb65c654ffeb90ec

SHA1
9b9ef131f6e50c9769ca3f36c49f58e7e3e7092f

SHA256
1eaa0d33fa94532d075840b23e8a0b851150139afd1cca5913f7686845e0a188

SHA512
293cf8fef597bc35a23fd92129c14a722c644896ccaec232bf22b122900c46a702d66bcbad37db8005de6f5f0a88e065d5090c80d6f3ef56bfb45b776f22624c

Download Submit
C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe

Filesize
4.9MB

MD5
e971629e36a2f21bee6fe62b7a1f4b90

SHA1
43b66bb199d2d5aa4344a8f209578ded14d969fd

SHA256
ecfedbbe4065c1006af6e42d4fb8d2ca3795610bd6b01fc81a8e93694e62373b

SHA512
70ae95e50548977ac1ceeaae65d0a80c911121aa7831bc0dc9edfa6d975feb11d0239966d2875c9dc238850220fa4d9f22ee45125ebc5f6a45a64befc0e9547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\49ee9dd3-745a-4652-8a93-532fe4a718f6.vbs

Filesize
737B

MD5
ba6ea96789451291558383a6593448cd

SHA1
bf4bc196999dadac8260a32d0800afaf6609a663

SHA256
7def2221c75dc8689b553f4921e8a6f5b48712eefe2cd336a63041bcad12c6d8

SHA512
49b8c0ded0edbfdf0850b3d878db7df5eccad3c7d0e96b6d1c3c252d16e330018abdcbeee01a10da79baa495225678e0800f060ae83f1504da4f4f13e4be6813

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c4469a2-21b6-449c-b52f-0794a194615a.vbs

Filesize
737B

MD5
494115d9ac3f33c745f831a7139763fb

SHA1
9ab63cd9bc049a741410ed24a2fcd3a58123c617

SHA256
c6d0969a9adb1e9413123799da0d10a595bf68127b62f73754e411702f83d195

SHA512
7aab4498a4b19b5e44b50c3c0734a90075c73112a79bb644b353402b801b4f5fbfccebb5345012611852c7cd65756b6fc4cc01c093170909c1358b7c32be3fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\74778bbf-9faa-4c08-9a6a-ee20f9c95c7d.vbs

Filesize
513B

MD5
c832240f1e432f97889d3d0c7f120a47

SHA1
2e809279fae038d560d3fb3d6c5fea77b24c4c6e

SHA256
62962c201ef1bfe0341847a6cd1587170a9ba70ca8a47c946604999d94e15159

SHA512
0e95dfa3cd43d759898b002b2190a3b4823dfb59d2587d185bd38feddf9a0f8ef86eb79cfdec59dc28d64b662214653508a409357d148edf0b26f0bd9ca00246

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a137ac0-c6b5-40b2-b8bd-9b85c4581181.vbs

Filesize
737B

MD5
f1257bdeab531e6b24bf9e2305e78d00

SHA1
832ba363c2672d10f58fa2401dcabeb8a03ed676

SHA256
10078dfc903994549b6e12b717cf3e0e8e7d7498a52a689fc646080a0c48419e

SHA512
d632b5e791de006342004972dec900a2ca0ae8eb32d0249783db837748cf9367fe68106670631ea33014e530340a6a282516aeb29a9f5bf1f2ea0ba454867c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ade09310-beca-4b3c-b0fd-173431fd09db.vbs

Filesize
737B

MD5
34ea3ed1f75e2cf84dbd5a6cb32670bd

SHA1
5bc2f6f815d9e2b64796d6afd7a0d057070f3d06

SHA256
a28c2f32df78cf6c7b815cdb160174b409497f23af56db957664aec130bcbe4b

SHA512
627c8a178eb2df0066a2c81427451ff31e080609a5bebb3d946c14d3c1956b923040063b25dd4bcbba0f5d0873d7fbd16ebb30cd9f8c50b98a65e253c095803f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9e396de-4504-4292-8c2b-7acc5573acaa.vbs

Filesize
737B

MD5
f59ce44b41c04655d88b7a300558cfe4

SHA1
54a1f54ae980be60ec75dc9000196cd044ca42f9

SHA256
3e5850502bd23964e0f9a38069f5185352615798be49a27f5c1f96e4b6e043bc

SHA512
48de305764de958a392a63f90697e584c9c536c93ba3e74a81fa08e2faed5047064d462c446d8c8d2ad0d22f283de49337c39587673118453ef150f4c1a29577

Download Submit
C:\Users\Admin\AppData\Local\Temp\be138519-f02e-4591-a66f-d1eb8205c4cf.vbs

Filesize
737B

MD5
8916caef3a25074aa319c24b8eef93ed

SHA1
e47b46b33083410d5dfa0c4b3fd852ebd7410d54

SHA256
762e7c3e9d09703f71a13873fdedc1900421fed76e5504ecafc90bcfec64f983

SHA512
7e6a74a6b4c3bf611ae8652c236b9323b228e53ed167707b140991fe86f989f1eac5e68036f334e78d306485d1c494fe905dc307954f99e354d6f4108ac26c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d209203d-4762-4d83-8a03-19415d266273.vbs

Filesize
737B

MD5
738eded04d87697397c781a0a6691cad

SHA1
064dc6aea69549d013df2248476c15edbce24470

SHA256
d256ee2dad3f94caf1152db018313ebd3270fe4e4c9a761e2ba7823b68a80afe

SHA512
947d5fd80246961cdf290dc8415eefe112aff44e71b1138eebf6d2292c57d47c9a8196647525e458090bf11d112ad77fe9a39d97163a6f57537275310509787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f93d7b31-21d9-40a8-a662-4902cd059738.vbs

Filesize
737B

MD5
e43d7bb87704b0f835e13e8dc3e31cd9

SHA1
26a642ebb56ec23b6c862c7b34808e69ea732dfe

SHA256
a65679b25793a88241c28b27c06e9a2b887713bea0b64872b5190c58dffd1990

SHA512
3fef92d1b5bf7fd64d164ffe06c8351217bf545df977ef47839a36b51efd70952370fce02211826cc4331f33a729f42a58108997be974e2c1ff8d7f4b8428d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BB0.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d8b02aff341206b21fe91f5b0802f1e

SHA1
7a88eafb5158d7853b228c88de9421adcabeaa13

SHA256
1bdb16349344505fd85cbd345598ef016d9d5d641508483a3c908399a855e78b

SHA512
d8bda6463890524f771adfe2b7759961cc037c5bcae7e7242e38f308ef29f4b7dfa83da5d2540b3e8aca7b9e330617a142aa4fb437c615ca67d36cbcdd48bf96

Download Submit
C:\Windows\Registration\RCX39F5.tmp

Filesize
4.9MB

MD5
d3c7aa854a2ae40c0e51e1f2a331a1c0

SHA1
b93d6c29678980ff4a79599b22d8311fbfb4cb80

SHA256
6aed0850a7e40b419834e4c81b043c92b39a6990b3a8435bf850198049345a29

SHA512
581520f3cf1e912182385772a4dfe351348f371a0df00a6c82b13a3baa018acddcaa94b8980a83da774ba9bbf768cc201ea85c992c7925ce393629af47d542e8

Download Submit
memory/592-163-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1316-180-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1336-326-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/1696-294-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/1696-295-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1804-311-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1804-310-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download
memory/1944-234-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2052-189-0x0000000000D80000-0x0000000001274000-memory.dmp

Filesize
5.0MB

Download
memory/2148-279-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2364-11-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/2364-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-152-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-137-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/2364-15-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2364-14-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2364-13-0x0000000000D80000-0x0000000000D8E000-memory.dmp

Filesize
56KB

Download
memory/2364-12-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2364-1-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2364-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-220-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-10-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2364-9-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2364-8-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2364-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/2364-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2364-5-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2364-4-0x00000000009E0000-0x00000000009FC000-memory.dmp

Filesize
112KB

Download
memory/2364-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp

Filesize
1.2MB

Download
memory/2472-264-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/2472-263-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download