dcrat | ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7

Analysis

max time kernel
148s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Size

4.9MB
MD5

364f9aa7879d48ffeb12ca794d1a1fb6
SHA1

7c5e4c6237881d714d43a95cfe69a4d15d8ff641
SHA256

ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7
SHA512

a6175b2facffdc57a98e77791cff47cf3b4ffba13e0ae433052bb70bdf94948a2724d0ba7e993094bb63f248dae9f78b8f615b7676299442b37aee61efc5492d
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8O:O

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2880	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1680-3-0x000000001B980000-0x000000001BAAE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
3020	powershell.exe
1368	powershell.exe
2944	powershell.exe
2140	powershell.exe
2464	powershell.exe
1144	powershell.exe
2936	powershell.exe
2284	powershell.exe
2520	powershell.exe
852	powershell.exe
1968	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2348	System.exe
2948	System.exe
2296	System.exe
2108	System.exe
1752	System.exe
2788	System.exe
2500	System.exe
556	System.exe
2704	System.exe
1460	System.exe
1800	System.exe
3056	System.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files\Windows Sidebar\1610b97d3ab4a7	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBB49.tmp	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\RCXCAAB.tmp	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXC83A.tmp	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files\Windows Sidebar\OSPPSVC.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\f3b6ecef712a24	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\Idle.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\6ccacd8608530f	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\Idle.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\cc11b995f2a76d	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Program Files\Windows Sidebar\OSPPSVC.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXB397.tmp	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\ja-JP\42af1c969fbb7b	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\RCXC3C5.tmp	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\audiodg.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
File created	C:\Windows\DigitalLocker\ja-JP\audiodg.exe	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1592	schtasks.exe
2624	schtasks.exe
1092	schtasks.exe
2652	schtasks.exe
2192	schtasks.exe
2572	schtasks.exe
1952	schtasks.exe
1992	schtasks.exe
2804	schtasks.exe
624	schtasks.exe
2456	schtasks.exe
748	schtasks.exe
2752	schtasks.exe
2452	schtasks.exe
2724	schtasks.exe
2116	schtasks.exe
980	schtasks.exe
2392	schtasks.exe
2868	schtasks.exe
1784	schtasks.exe
2768	schtasks.exe
2756	schtasks.exe
2156	schtasks.exe
2696	schtasks.exe
1148	schtasks.exe
1724	schtasks.exe
2872	schtasks.exe
2640	schtasks.exe
2552	schtasks.exe
972	schtasks.exe
1080	schtasks.exe
1044	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
2284	powershell.exe
2140	powershell.exe
1368	powershell.exe
3020	powershell.exe
2464	powershell.exe
1968	powershell.exe
1144	powershell.exe
852	powershell.exe
2936	powershell.exe
2520	powershell.exe
2944	powershell.exe
1728	powershell.exe
2348	System.exe
2948	System.exe
2296	System.exe
2108	System.exe
1752	System.exe
2788	System.exe
2500	System.exe
556	System.exe
2704	System.exe
1460	System.exe
1800	System.exe
3056	System.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2348	System.exe
Token: SeDebugPrivilege	2948	System.exe
Token: SeDebugPrivilege	2296	System.exe
Token: SeDebugPrivilege	2108	System.exe
Token: SeDebugPrivilege	1752	System.exe
Token: SeDebugPrivilege	2788	System.exe
Token: SeDebugPrivilege	2500	System.exe
Token: SeDebugPrivilege	556	System.exe
Token: SeDebugPrivilege	2704	System.exe
Token: SeDebugPrivilege	1460	System.exe
Token: SeDebugPrivilege	1800	System.exe
Token: SeDebugPrivilege	3056	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2936	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	64
PID 1680 wrote to memory of 2936	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	64
PID 1680 wrote to memory of 2936	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	64
PID 1680 wrote to memory of 3020	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	65
PID 1680 wrote to memory of 3020	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	65
PID 1680 wrote to memory of 3020	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	65
PID 1680 wrote to memory of 1368	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	66
PID 1680 wrote to memory of 1368	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	66
PID 1680 wrote to memory of 1368	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	66
PID 1680 wrote to memory of 1144	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	68
PID 1680 wrote to memory of 1144	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	68
PID 1680 wrote to memory of 1144	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	68
PID 1680 wrote to memory of 2284	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	69
PID 1680 wrote to memory of 2284	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	69
PID 1680 wrote to memory of 2284	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	69
PID 1680 wrote to memory of 1968	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	71
PID 1680 wrote to memory of 1968	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	71
PID 1680 wrote to memory of 1968	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	71
PID 1680 wrote to memory of 2944	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	72
PID 1680 wrote to memory of 2944	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	72
PID 1680 wrote to memory of 2944	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	72
PID 1680 wrote to memory of 1728	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	74
PID 1680 wrote to memory of 1728	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	74
PID 1680 wrote to memory of 1728	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	74
PID 1680 wrote to memory of 2464	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	75
PID 1680 wrote to memory of 2464	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	75
PID 1680 wrote to memory of 2464	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	75
PID 1680 wrote to memory of 852	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	76
PID 1680 wrote to memory of 852	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	76
PID 1680 wrote to memory of 852	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	76
PID 1680 wrote to memory of 2520	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	77
PID 1680 wrote to memory of 2520	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	77
PID 1680 wrote to memory of 2520	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	77
PID 1680 wrote to memory of 2140	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	78
PID 1680 wrote to memory of 2140	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	78
PID 1680 wrote to memory of 2140	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	78
PID 1680 wrote to memory of 2348	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	86
PID 1680 wrote to memory of 2348	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	86
PID 1680 wrote to memory of 2348	1680	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe	86
PID 2348 wrote to memory of 1048	2348	System.exe	90
PID 2348 wrote to memory of 1048	2348	System.exe	90
PID 2348 wrote to memory of 1048	2348	System.exe	90
PID 2348 wrote to memory of 1532	2348	System.exe	91
PID 2348 wrote to memory of 1532	2348	System.exe	91
PID 2348 wrote to memory of 1532	2348	System.exe	91
PID 1048 wrote to memory of 2948	1048	WScript.exe	92
PID 1048 wrote to memory of 2948	1048	WScript.exe	92
PID 1048 wrote to memory of 2948	1048	WScript.exe	92
PID 2948 wrote to memory of 1720	2948	System.exe	93
PID 2948 wrote to memory of 1720	2948	System.exe	93
PID 2948 wrote to memory of 1720	2948	System.exe	93
PID 2948 wrote to memory of 2576	2948	System.exe	94
PID 2948 wrote to memory of 2576	2948	System.exe	94
PID 2948 wrote to memory of 2576	2948	System.exe	94
PID 1720 wrote to memory of 2296	1720	WScript.exe	95
PID 1720 wrote to memory of 2296	1720	WScript.exe	95
PID 1720 wrote to memory of 2296	1720	WScript.exe	95
PID 2296 wrote to memory of 2580	2296	System.exe	96
PID 2296 wrote to memory of 2580	2296	System.exe	96
PID 2296 wrote to memory of 2580	2296	System.exe	96
PID 2296 wrote to memory of 1508	2296	System.exe	97
PID 2296 wrote to memory of 1508	2296	System.exe	97
PID 2296 wrote to memory of 1508	2296	System.exe	97
PID 2580 wrote to memory of 2108	2580	WScript.exe	98

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe
"C:\Users\Admin\AppData\Local\Temp\ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\MSOCache\All Users\System.exe
  "C:\MSOCache\All Users\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe41b16-f0a5-4d26-b5f9-59e8947b6d9c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\MSOCache\All Users\System.exe
      "C:\MSOCache\All Users\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\383f91f6-511b-4427-be80-ba1f84fbf7fe.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0bfb5f-d306-419e-b6a6-9a623b03ee2e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156efdda-08a9-49cb-9e1a-2fb6101f057e.vbs"
        9⤵
        
        PID:1368
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5059f32a-8ea3-4a7c-8e4c-60cf83033c9a.vbs"
        11⤵
        
        PID:1972
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00483aea-6f2f-48c1-80b1-7a4ec60ec3f1.vbs"
        13⤵
        
        PID:1784
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208264db-9234-4dd9-8478-f5ddc68e8585.vbs"
        15⤵
        
        PID:1592
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73a7a3c-9249-43cf-b063-36732b9961b0.vbs"
        17⤵
        
        PID:2248
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68c086c1-3f07-4928-998e-6e725773289f.vbs"
        19⤵
        
        PID:1344
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7748a35-5d00-412d-a1e8-036673204770.vbs"
        21⤵
        
        PID:2488
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c8123d-c38f-4e3e-80f4-c21e5dcaf3b2.vbs"
        23⤵
        
        PID:1784
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb1a2b51-76d1-403b-b6dc-177156de88f7.vbs"
        25⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18fe0be5-164e-4908-9a60-55ee9bdcd4b8.vbs"
        25⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2172ed3-896f-4ff6-931c-9ed2b8bdeab9.vbs"
        23⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d13b3edf-da0d-4c60-b4ea-dca2e02ac9aa.vbs"
        21⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34683006-1b8c-4451-b62f-ed06ad67ffc0.vbs"
        19⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2323edc3-6d63-40a8-9a08-ff2209d6a8d9.vbs"
        17⤵
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a59ef78c-8117-40c9-adae-16aacf02c287.vbs"
        15⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb5fe223-6252-4f23-b4fc-470813beccbb.vbs"
        13⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e598d0b0-f1a1-4836-9dfe-2d27f1ace87f.vbs"
        11⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adc16c6c-51b3-47de-a728-8c02816abc0d.vbs"
        9⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d648885a-d10a-46f7-94dd-af1c7d2cf3d5.vbs"
        7⤵
        
        PID:1508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e09e76a0-1dc3-4f70-9b08-2e32ec1ebf63.vbs"
        5⤵
        
        PID:2576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e46baa2-22ea-4c38-a5e6-f75aebfa3c1e.vbs"
    3⤵
    PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\attachments\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\attachments\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lib\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lib\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\lib\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
4.9MB

MD5
2cbd6417848ff0c6a7e12b70403a8b7d

SHA1
91d9c4f7bb21c03098bcbeb8de85f16b17167942

SHA256
de3ae1c7a29820191aa400320fbe1c3272f658837236b24b673e610f8466f0da

SHA512
079864dc76ce0a8baaa0e24f2cb24e617acf1208b4d03ea8804a35786a0cf59e010bb6be2b78e644c8c2df0d881c11ec71e2eed7dea3c43769350168f6b14c4c

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe

Filesize
4.9MB

MD5
364f9aa7879d48ffeb12ca794d1a1fb6

SHA1
7c5e4c6237881d714d43a95cfe69a4d15d8ff641

SHA256
ef4bdcb7a4565b7a4879d30ba9ed8c0466f82ca8695dcb7942479e2105b562d7

SHA512
a6175b2facffdc57a98e77791cff47cf3b4ffba13e0ae433052bb70bdf94948a2724d0ba7e993094bb63f248dae9f78b8f615b7676299442b37aee61efc5492d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00483aea-6f2f-48c1-80b1-7a4ec60ec3f1.vbs

Filesize
708B

MD5
c42a3f299394961ea87f783f494a80c3

SHA1
e290e36f2a0fafccb8950664ff24b50f0bd2805b

SHA256
e0e1d09888a093f4dc8bd4f6d490d838e7aa318ac9a2204ffad1382ea47a91ef

SHA512
5f64cad5b3b5f1446b5349ccdf39fac28770df8912b5c54206c2c74adc2916ac3f829d9c6ccafa105f26953655ed19396e1e6a6fe5483be5d9e6dd9d6218e9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\156efdda-08a9-49cb-9e1a-2fb6101f057e.vbs

Filesize
708B

MD5
22e670f07e38af19d813c63c222064dc

SHA1
d3f110fb26d023c51c5336d33d816ee1c691ed49

SHA256
e61d8cd046ae450410f33699ee083f4958e65833c0ae7c15da76ce252aba9cef

SHA512
1fd99c03082c46c52ec67c605e68738a361969075dfe89b43aaaf3b8c720213bf5104a44eb76a3c706be7c0c67ecb1a8fc8599310fd0925eda2e03734670e114

Download Submit
C:\Users\Admin\AppData\Local\Temp\208264db-9234-4dd9-8478-f5ddc68e8585.vbs

Filesize
708B

MD5
c88044e2359ffbfe36f69b3cbb2be0f6

SHA1
58d7f10b359bceba3dde0030ccad8b9e486392bd

SHA256
0211a7c0642014fe20cfe6a6ba64043f6d159f5db07ce5099a4d93775f9c546b

SHA512
9f9b74fc88cc5903edfa85f8986a5944c1cc121d5c8f279787cef9b494b53154178a2c6bbfd77ac486dd6c8e89a85862c6d9808d7192c76a6201a7e1374bef02

Download Submit
C:\Users\Admin\AppData\Local\Temp\383f91f6-511b-4427-be80-ba1f84fbf7fe.vbs

Filesize
708B

MD5
338e3d518d31ceeb85a54121ec0b6164

SHA1
2d1c9fd11026f8ce30a9349e2f4d59693cef18a1

SHA256
78a0fd3697242fc1261d0fd0f1444fc4353694ff187b44f1206735aef550dd2b

SHA512
85a1c03e59d55fe93dc6e6949d9a754f28317aee6148f61bafedbff53c1fe61a21901c293e16ee2fc99a2c377585bc643da0ceda65eb3b4eae5b0181de5babae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5059f32a-8ea3-4a7c-8e4c-60cf83033c9a.vbs

Filesize
708B

MD5
d9cfe41f7b9fa771f8ae2e88a14343c0

SHA1
5a47f5d0aae322f8625a2b01a7c84ebdfd6c6bfe

SHA256
c1f87ba0d0d585a89dc46ee5d9ce51ce63cac74ac045c7eed5613b13d041fdbd

SHA512
22370d44a16d6cd819893792c4d2a5a673a3c0e6f4a3db86ffc46f30e0a593e7a38b5ca565feb7f5bf95ee563aefd38a8070204232cfa5910a0a363a58dc156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e46baa2-22ea-4c38-a5e6-f75aebfa3c1e.vbs

Filesize
484B

MD5
e5f6ff42422c1a5ddf1ed1f5e0fe1c1c

SHA1
29eba4c63c82449700c5ef612bf05f5d63992d48

SHA256
412fbf9e4db47f28d8a306ffa3d86a752580730db02c2fe329a30a5746b681ed

SHA512
1b415b94d267355b4c7ae771f2628cf7dfe480e160ed09e66f535ad839d30c505d59bbbe7f204dd9281fc05cbc4cac95eb20b602dcaa63046dfd680eae3dd6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\68c086c1-3f07-4928-998e-6e725773289f.vbs

Filesize
708B

MD5
af51b073b0ff5096443ae22307c4a57d

SHA1
ac556df61b4d7f0468649fed21304018ae1aa90a

SHA256
f52c88858ef603093ba18ce46723f29427eb9a6447034717610a3465a073ed9d

SHA512
969afd2d37468e684e06fe340648f1683a9116943aad5be4fcde0409e67f90db96d91b3cf43e7e631c5cf47237ebad759abf63542cef7d7a5db4f1d204622df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fe41b16-f0a5-4d26-b5f9-59e8947b6d9c.vbs

Filesize
708B

MD5
5a1f92fd190d723d1d2d6e9e55ef2dd6

SHA1
110018694f426882aff078d84dd1251db45977e9

SHA256
5a13ea0969fda2b25744c4e5b58d4f6a6ee45aee433233cecbf49eab2985f486

SHA512
cca8d80dab5e4c6f412c879641289ba9fa68d04472d4eb30cfbedfbdb720a92a3d6f98500c1dab6a1a88032b11dd17751d1fa0e03aa34300bc6b5fc321fa5a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7c8123d-c38f-4e3e-80f4-c21e5dcaf3b2.vbs

Filesize
708B

MD5
45df6799b52cd61764aef933a9df23f7

SHA1
afbfdecf98f717adc2348be674127211c99349a3

SHA256
d4d6488d46e8c45a398be3495064aeda4c1e928866e453e335bf2303f19324e2

SHA512
d624914d6869457062c9b7ce614c99ceaf369d6dc76cd65522d8995ef5125088952e2f3edd004d88ce897116bc43b88948c6ae6c0d27c9a786826dff1113b295

Download Submit
C:\Users\Admin\AppData\Local\Temp\e73a7a3c-9249-43cf-b063-36732b9961b0.vbs

Filesize
707B

MD5
ba20db92429f7de378ec59ad34ce693d

SHA1
de93a3fb0724529137a0ee880bf4691b83614210

SHA256
9b51af361fabd7314da9393fc5c9db3c32629af4638731b0575778a3ac2d977b

SHA512
939f16ef5edbbe0818f3cae92f7a0d44105e636fc337abf1cafae35b2e8fd6132132bb610aa466cf213675d3b91a801d66cdaf8bc5cb398f8ef04b5e851ee96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb1a2b51-76d1-403b-b6dc-177156de88f7.vbs

Filesize
708B

MD5
5989facc465485812f7dfdc248d15128

SHA1
ea39d18ec8c8946fdca9be6018296952c08ceafa

SHA256
1efd89d11f782c9dd2aa89289123f14e349d19b51b5003c8000366898f46c4c9

SHA512
3ef84813921428b509fd9c1dbc3028cfa62577988ea69fe4b2d0d56f8b55a96657f06b991d79a2d8a23ee3701d6b840ee13f24e23808d8d4554e2226c95bf0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0bfb5f-d306-419e-b6a6-9a623b03ee2e.vbs

Filesize
708B

MD5
48918776dec4236f06ad4ef02209c144

SHA1
bfae7711f1f223ebd7b1cc0cb1ea1d7ac1b74b77

SHA256
1c5bded506200e1479e42ec56e97d90398b664adf9800474e99898d1518f1709

SHA512
32555bcd2a6b50ff6fb870581ca99080c9bad31a773b4ba0675e26b3bf1d3fc507dcb25428b891b9a9bd9c9d2cf4f5c59b89b246f4060de571e7ce154a804bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7748a35-5d00-412d-a1e8-036673204770.vbs

Filesize
708B

MD5
bba9891637591c582f133d77d1468c59

SHA1
03629a0d469795d23392900509864758a4d940d7

SHA256
f64ffa87577758cac81fb2c383447cd92be7267fb896e1fe3bc0dd86a11ab26d

SHA512
efe18ebedb188d8ced6eae3a46ac44528ebd0b82034072c2788c3ab508313f47d0cc2dfd6cc3ee640b0cc6b45fa26c8be732ac0c99f846dce533e7b3b32cfff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC2C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
be20806ec9b51553a94b0c8f63feccaa

SHA1
5b54d6c62623b0414cde52a02d2d72992eec3c0d

SHA256
6b94c48716a0d0158d3262a85aabfe0a164d2ec3009f2637dbf5bcd02d16e0ab

SHA512
a17683f33218f63e94cfa6b9b3f448fdb43e09b7d911e15b5a9c9b59f1949b2a0dd72d08b93834f974f32f8ebae24de56d813a900845cda76bacde1d2115ffe9

Download Submit
memory/556-290-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/1680-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1680-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1680-8-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1680-177-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-11-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/1680-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/1680-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/1680-9-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/1680-0-0x000007FEF5083000-0x000007FEF5084000-memory.dmp

Filesize
4KB

Download
memory/1680-7-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/1680-1-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/1680-15-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/1680-10-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/1680-2-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-3-0x000000001B980000-0x000000001BAAE000-memory.dmp

Filesize
1.2MB

Download
memory/1680-16-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/1680-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1680-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/1752-246-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/1800-334-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/1800-335-0x0000000002480000-0x0000000002492000-memory.dmp

Filesize
72KB

Download
memory/2108-230-0x00000000010D0000-0x00000000015C4000-memory.dmp

Filesize
5.0MB

Download
memory/2108-231-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2284-178-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2284-132-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2296-215-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2296-214-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/2348-184-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2348-125-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/2704-305-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2788-261-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/2948-198-0x0000000000D90000-0x0000000001284000-memory.dmp

Filesize
5.0MB

Download
memory/2948-199-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/3056-350-0x0000000000B70000-0x0000000001064000-memory.dmp

Filesize
5.0MB

Download