dcrat | 8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Size

1.2MB
MD5

e96b9e17da08c5a64c26dc666402c64f
SHA1

cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee
SHA256

8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372
SHA512

dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040
SSDEEP

24576:QGZn/lA+WQi7Tw3d3pI0eqZb/bte1aMiL/8LLKwi/TIRk:QGzAy1Sob6CsL8

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
		2716	schtasks.exe
		2632	schtasks.exe
		1720	schtasks.exe
		1068	schtasks.exe
		2172	schtasks.exe
		2724	schtasks.exe
		2680	schtasks.exe
		2652	schtasks.exe
		2128	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\", \"C:/Users/Admin/AppData/Local/\\csrss.exe\", \"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2044	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2044	schtasks.exe	30

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2136-1-0x0000000000970000-0x0000000000AB4000-memory.dmp	dcrat
behavioral1/memory/2668-17-0x0000000000CD0000-0x0000000000E14000-memory.dmp	dcrat
behavioral1/memory/1268-27-0x0000000001280000-0x00000000013C4000-memory.dmp	dcrat
behavioral1/files/0x00060000000194e7-33.dat	dcrat
behavioral1/memory/2916-38-0x0000000000820000-0x0000000000964000-memory.dmp	dcrat
behavioral1/memory/1796-49-0x0000000000900000-0x0000000000A44000-memory.dmp	dcrat
behavioral1/memory/1512-61-0x0000000000140000-0x0000000000284000-memory.dmp	dcrat
behavioral1/memory/1420-73-0x0000000001070000-0x00000000011B4000-memory.dmp	dcrat
behavioral1/memory/796-118-0x00000000012A0000-0x00000000013E4000-memory.dmp	dcrat
behavioral1/memory/2232-130-0x00000000000E0000-0x0000000000224000-memory.dmp	dcrat
behavioral1/memory/2332-142-0x0000000000340000-0x0000000000484000-memory.dmp	dcrat
behavioral1/memory/1872-154-0x0000000000A10000-0x0000000000B54000-memory.dmp	dcrat
behavioral1/memory/288-177-0x00000000012C0000-0x0000000001404000-memory.dmp	dcrat
behavioral1/memory/2116-189-0x00000000003E0000-0x0000000000524000-memory.dmp	dcrat
behavioral1/memory/2688-201-0x0000000000B80000-0x0000000000CC4000-memory.dmp	dcrat

Executes dropped EXE 15 IoCs

pid	Process
2916	spoolsv.exe
1796	spoolsv.exe
1512	spoolsv.exe
1420	spoolsv.exe
2848	spoolsv.exe
1092	spoolsv.exe
3008	spoolsv.exe
796	spoolsv.exe
2232	spoolsv.exe
2332	spoolsv.exe
1872	spoolsv.exe
300	spoolsv.exe
288	spoolsv.exe
2116	spoolsv.exe
2688	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:/Users/Admin/AppData/Local/\\WmiPrvSE.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:/Users/Admin/AppData/Local/\\csrss.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:/Users/Admin/AppData/Local/\\spoolsv.exe\""	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe
1720	schtasks.exe
1068	schtasks.exe
2716	schtasks.exe
2172	schtasks.exe
2724	schtasks.exe
2680	schtasks.exe
2632	schtasks.exe
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2136	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
2668	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
1268	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
2916	spoolsv.exe
1796	spoolsv.exe
1512	spoolsv.exe
1420	spoolsv.exe
2848	spoolsv.exe
1092	spoolsv.exe
3008	spoolsv.exe
796	spoolsv.exe
2232	spoolsv.exe
2332	spoolsv.exe
1872	spoolsv.exe
300	spoolsv.exe
288	spoolsv.exe
2116	spoolsv.exe
2688	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Token: SeDebugPrivilege	2668	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Token: SeDebugPrivilege	1268	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Token: SeDebugPrivilege	2916	spoolsv.exe
Token: SeDebugPrivilege	1796	spoolsv.exe
Token: SeDebugPrivilege	1512	spoolsv.exe
Token: SeDebugPrivilege	1420	spoolsv.exe
Token: SeDebugPrivilege	2848	spoolsv.exe
Token: SeDebugPrivilege	1092	spoolsv.exe
Token: SeDebugPrivilege	3008	spoolsv.exe
Token: SeDebugPrivilege	796	spoolsv.exe
Token: SeDebugPrivilege	2232	spoolsv.exe
Token: SeDebugPrivilege	2332	spoolsv.exe
Token: SeDebugPrivilege	1872	spoolsv.exe
Token: SeDebugPrivilege	300	spoolsv.exe
Token: SeDebugPrivilege	288	spoolsv.exe
Token: SeDebugPrivilege	2116	spoolsv.exe
Token: SeDebugPrivilege	2688	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2780	2136	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	34
PID 2136 wrote to memory of 2780	2136	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	34
PID 2136 wrote to memory of 2780	2136	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	34
PID 2780 wrote to memory of 2892	2780	cmd.exe	36
PID 2780 wrote to memory of 2892	2780	cmd.exe	36
PID 2780 wrote to memory of 2892	2780	cmd.exe	36
PID 2780 wrote to memory of 2668	2780	cmd.exe	38
PID 2780 wrote to memory of 2668	2780	cmd.exe	38
PID 2780 wrote to memory of 2668	2780	cmd.exe	38
PID 2668 wrote to memory of 2488	2668	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	42
PID 2668 wrote to memory of 2488	2668	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	42
PID 2668 wrote to memory of 2488	2668	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	42
PID 2488 wrote to memory of 1088	2488	cmd.exe	44
PID 2488 wrote to memory of 1088	2488	cmd.exe	44
PID 2488 wrote to memory of 1088	2488	cmd.exe	44
PID 2488 wrote to memory of 1268	2488	cmd.exe	45
PID 2488 wrote to memory of 1268	2488	cmd.exe	45
PID 2488 wrote to memory of 1268	2488	cmd.exe	45
PID 1268 wrote to memory of 2916	1268	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	49
PID 1268 wrote to memory of 2916	1268	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	49
PID 1268 wrote to memory of 2916	1268	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe	49
PID 2916 wrote to memory of 2728	2916	spoolsv.exe	50
PID 2916 wrote to memory of 2728	2916	spoolsv.exe	50
PID 2916 wrote to memory of 2728	2916	spoolsv.exe	50
PID 2916 wrote to memory of 2156	2916	spoolsv.exe	51
PID 2916 wrote to memory of 2156	2916	spoolsv.exe	51
PID 2916 wrote to memory of 2156	2916	spoolsv.exe	51
PID 2728 wrote to memory of 1796	2728	WScript.exe	52
PID 2728 wrote to memory of 1796	2728	WScript.exe	52
PID 2728 wrote to memory of 1796	2728	WScript.exe	52
PID 1796 wrote to memory of 1248	1796	spoolsv.exe	53
PID 1796 wrote to memory of 1248	1796	spoolsv.exe	53
PID 1796 wrote to memory of 1248	1796	spoolsv.exe	53
PID 1796 wrote to memory of 1244	1796	spoolsv.exe	54
PID 1796 wrote to memory of 1244	1796	spoolsv.exe	54
PID 1796 wrote to memory of 1244	1796	spoolsv.exe	54
PID 1248 wrote to memory of 1512	1248	WScript.exe	55
PID 1248 wrote to memory of 1512	1248	WScript.exe	55
PID 1248 wrote to memory of 1512	1248	WScript.exe	55
PID 1512 wrote to memory of 2320	1512	spoolsv.exe	56
PID 1512 wrote to memory of 2320	1512	spoolsv.exe	56
PID 1512 wrote to memory of 2320	1512	spoolsv.exe	56
PID 1512 wrote to memory of 2536	1512	spoolsv.exe	57
PID 1512 wrote to memory of 2536	1512	spoolsv.exe	57
PID 1512 wrote to memory of 2536	1512	spoolsv.exe	57
PID 2320 wrote to memory of 1420	2320	WScript.exe	58
PID 2320 wrote to memory of 1420	2320	WScript.exe	58
PID 2320 wrote to memory of 1420	2320	WScript.exe	58
PID 1420 wrote to memory of 1884	1420	spoolsv.exe	59
PID 1420 wrote to memory of 1884	1420	spoolsv.exe	59
PID 1420 wrote to memory of 1884	1420	spoolsv.exe	59
PID 1420 wrote to memory of 2380	1420	spoolsv.exe	60
PID 1420 wrote to memory of 2380	1420	spoolsv.exe	60
PID 1420 wrote to memory of 2380	1420	spoolsv.exe	60
PID 1884 wrote to memory of 2848	1884	WScript.exe	61
PID 1884 wrote to memory of 2848	1884	WScript.exe	61
PID 1884 wrote to memory of 2848	1884	WScript.exe	61
PID 2848 wrote to memory of 2384	2848	spoolsv.exe	62
PID 2848 wrote to memory of 2384	2848	spoolsv.exe	62
PID 2848 wrote to memory of 2384	2848	spoolsv.exe	62
PID 2848 wrote to memory of 2668	2848	spoolsv.exe	63
PID 2848 wrote to memory of 2668	2848	spoolsv.exe	63
PID 2848 wrote to memory of 2668	2848	spoolsv.exe	63
PID 2384 wrote to memory of 1092	2384	WScript.exe	64

System policy modification 1 TTPs 54 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
"C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QuL9Zx9uY7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
    "C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dZVMAJ8uX0.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372.exe"
        5⤵
        Modifies WinLogon for persistence
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1268
      - C:\Users\Admin\AppData\Local\spoolsv.exe
        
        "C:\Users\Admin\AppData\Local\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86edfa83-895e-4750-80ae-17e6137df76b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f83e96-381a-44a1-affc-188f78ffb869.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5f675de-999d-4154-a372-c6b8970f8c73.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd65c0a4-0291-4925-82bc-a105104216b3.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8202a298-833e-4e33-993f-c72615ba1bae.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a34e192-27c7-4746-8276-e91d98e8dca5.vbs"
        17⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b79f705-2cfd-40d7-a33b-0add9bd98863.vbs"
        19⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6623b7d-9fdd-49ec-a92a-2000befa3368.vbs"
        21⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a1b5b4-3116-42df-9f53-fa106073ea13.vbs"
        23⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf3540f3-3de8-4ebb-bc90-a3dd14e11773.vbs"
        25⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48ccde99-9a50-465c-a4b8-7d80153cc2ae.vbs"
        27⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b1fc20b-69a9-4e0d-8312-9b11cbf93349.vbs"
        29⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        30⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe0d8ff-7006-4414-b053-f2ff6b53f3f8.vbs"
        31⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        32⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f34a558-61ce-4a59-9fdf-7cf9d72c8a0a.vbs"
        33⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        
        C:\Users\Admin\AppData\Local\spoolsv.exe
        34⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bf683ff-b0e4-46c8-b65d-04b97c635b19.vbs"
        35⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ad3a713-3e5c-47b7-9aa2-cbbc3eb554b3.vbs"
        35⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35d9932-47fd-46f6-974f-e578ae854241.vbs"
        33⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f159e3f0-876b-4ccb-a5ef-05e8b0b6682f.vbs"
        31⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e5e2bd2-a2b1-47c5-aaf5-211a8b62295b.vbs"
        29⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\586fa45f-62ba-4c82-8a7d-c45645710728.vbs"
        27⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a821fa7d-efa2-432f-b2c9-1957fe7acfc5.vbs"
        25⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a54e62a-12b4-46cb-a1ed-16b4750f3816.vbs"
        23⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caf04f28-2e5c-4821-95cd-a7494665cc19.vbs"
        21⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\491e671c-dd0d-4844-ad97-5a01e76bfe0c.vbs"
        19⤵
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1d71255-ad3e-42c2-b612-6f3832366bad.vbs"
        17⤵
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43054bcc-ed06-4a0b-b22c-37a6af61184c.vbs"
        15⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b5ee61-cb13-4a65-9bf4-11b12203e8ca.vbs"
        13⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce999afd-726e-4859-a3a7-ba4d7cb56dc0.vbs"
        11⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\920976e5-7ada-4b5d-9387-87c19da70c16.vbs"
        9⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df93e412-759a-4205-af8a-e6460b97094c.vbs"
        7⤵
        
        PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:/Users/Admin/AppData/Local/\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b1fc20b-69a9-4e0d-8312-9b11cbf93349.vbs

Filesize
715B

MD5
a4ea35f896c5f7fc5826e8a3c5594045

SHA1
981bfcb6c9e544db29c2917a2eb68826cc8c340e

SHA256
869991c471442c8a7829338151c550a75489b7221c507621de1fb257d242f024

SHA512
38227d5e6871d1710113319b1e06f826448377d687dbe1fbed4cc7291c964fa68b0413a24eadf52451bcb75c045e5649bda8df49ce1b26af7ba6af2fbcf5a43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33f83e96-381a-44a1-affc-188f78ffb869.vbs

Filesize
716B

MD5
ba07049bf8f233540e8ad536b430bb3e

SHA1
494db86c242f232a687a1ccabd65f0c90ed77569

SHA256
2f8767b8822487476c84259900103e168d1db540f5f3aba18803918ae021667e

SHA512
07eb06e751fe78b6f83f374aec4f3da556a84fa19ccaaf65a10814ae98208dfc2f281cd84d3b2da5f91adb1cbfe81b6a267b180febad1dae58f00c0cdbf4ddad

Download Submit
C:\Users\Admin\AppData\Local\Temp\48ccde99-9a50-465c-a4b8-7d80153cc2ae.vbs

Filesize
716B

MD5
02445976ab57b8b0d64545afb9e61cf0

SHA1
a4904ac369229825448cb47f9261e423d7440c24

SHA256
71d98aabe6e8838ee1e55434d89c766d940806c0c5b42e59b3553ff022df219e

SHA512
40ac9cb5f500700fd03f2a338be4ba6480627f2bb6813f880d62f6ed4189aadbe02ddcc2bed06511583c0fe20f9cc581c74022bdd0dfd6b7272086568833364d

Download Submit
C:\Users\Admin\AppData\Local\Temp\53a1b5b4-3116-42df-9f53-fa106073ea13.vbs

Filesize
716B

MD5
383171ccbd38ada8fdf5f6461135a455

SHA1
5c9490e3b4879238c515b482f43ae2fd65214ba9

SHA256
857f0b92c898c7752f2279b7b63d51c3929117dcb8c162a9057ab0d4f97b27f5

SHA512
95760ebe5c9c1f049645c31cafb065e79a9e92064cf8a16b0b26ea6276e697689bd961b33688813c50c917e65675043950c3018c5ca5de2bbda80b4ad814b9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bf683ff-b0e4-46c8-b65d-04b97c635b19.vbs

Filesize
716B

MD5
8503b7e6d3878589479b2f79b71e9ea9

SHA1
1bf30d7279fe76927b38cb69e12075887558c984

SHA256
bfdad996d378b2e429348b7655a9e7e413818187a31c94b3cf60db14b0c36e9f

SHA512
99b52b1aea184ac9c93e2c3289e74fb9fa35c93c6d5b3cad6ac361e7a06e3e456c363789a5181ba4809c6c0d491053be8dca4972ddec0e46c257189fbb1c4592

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b79f705-2cfd-40d7-a33b-0add9bd98863.vbs

Filesize
716B

MD5
0ec128bb6039c925587527eaf8aa7094

SHA1
ed74817b540c900d2be8e22596ebfdb315f9b0da

SHA256
1ffade49f0d2f28be83092e00ef59a2c6c66c39b89c3cba8d6ec862d1a2a2761

SHA512
c4872b7d40203acf6482f22267e000a24c4d698e09dd2154bf92042103013d0c05b26a186fe4a46b22ac62704a0e89ca0f97923c7d150788dcf3bee1a4070b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\8202a298-833e-4e33-993f-c72615ba1bae.vbs

Filesize
716B

MD5
d23172143e977dd74dc947ccc995aae6

SHA1
51c30c464f5f7ca498a3b1ddf02b4ca42ea876ed

SHA256
b94164176092be0d9baed8f58cbd91e485528b53537f43a2d6d0cadd3a359cc3

SHA512
f8eb816e7bfe5576044241d07c2bdc98790cc602a22d71cef67c17d36a565a03a660b10e416aea34aa51a02cc2912ffadf538def1ef59167c6e5ab44dca7b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\86edfa83-895e-4750-80ae-17e6137df76b.vbs

Filesize
716B

MD5
1ac9d449d246f414e29920c37fb8e069

SHA1
3f15270ff11230023c5ffcf2d9e8c47b139256d4

SHA256
d7921dd2616c61500c5f09774515b54e4e97429e8140c6d5070c4be6cb24f262

SHA512
f7d5f53847d74c68101f1f7e721ef4f48b2fabbe4561f1f95f9a295351bbc19044d2d4b00c118b3f7c6379f270d8ae12c17b40f56c7a2c97c5a7acee0c9e6d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a34e192-27c7-4746-8276-e91d98e8dca5.vbs

Filesize
716B

MD5
5ba21a1c786db8a7313f7c203ffcc895

SHA1
e3bd838ee929c9b818af2a29ac94ab384edb9d16

SHA256
8dc5e71dd1d007ba23b1322b2a99bf9aebe43beac8f459b3aa5d6aba2b0fa485

SHA512
bf829fdc7f5577295e9b1fed67da58956f6fd6952b58fc7ec4e0340f90570e2d0491c6e0e35c29ecedf312e55eb524fae478ebf3de55bb3a082230f3809bb2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f34a558-61ce-4a59-9fdf-7cf9d72c8a0a.vbs

Filesize
716B

MD5
80c3a9b2990a932075f7a45b2ddc3f09

SHA1
2f25354365fb471be6b8b2d8efb02f4a57f4da06

SHA256
1407c597ac0cd250b193766fef9c3b7600aff147d96d8e6d06f9c01abb8dfd94

SHA512
a869f252e131bce6b203b99ba52194d0ed8f268b037dfd0a9fa675651cbce4d8e30e14c40accad3fae81a6055906210d4c513014fea8231b4b4f743c085a37bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuL9Zx9uY7.bat

Filesize
267B

MD5
654c0001f1be8bae8128acebf676f1e8

SHA1
35254098585686dccbc661a24c9c81ae87223935

SHA256
2da2dc19cd370c337d3fe73f39e553631510b92b774ee8e1c1afcf30dd1f1681

SHA512
4ede9541ebb6e3e2a57937c1aba49f8858811d393fbf2d92df9d3c3b74d5e518027d430589042ca31ca27fefc173488ba7fa11e081e8e7756e67754b4b7ff705

Download Submit
C:\Users\Admin\AppData\Local\Temp\afe0d8ff-7006-4414-b053-f2ff6b53f3f8.vbs

Filesize
715B

MD5
9688a515d58d931e72631ad37f3f6f3d

SHA1
47778c401d81a0b326a45244aea4e2ad076a53dd

SHA256
f35155aba797d6e0d5576c37682c485de1377335aed379f6a030382d296d3cd3

SHA512
6879d83d39b8f0bf786abe2f7d5104d02b3f05026ac68bf4e8d33ec2cdaedc2e28c4923ad8367d7192b77bc6e16b18c094e186067272f5b52615e9f73d78a933

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd65c0a4-0291-4925-82bc-a105104216b3.vbs

Filesize
716B

MD5
f35c266166d4cb68dff7face4cebf464

SHA1
3ad60e7dde942cfb1f641b5f0430180a1c7a2975

SHA256
10486a876de48673a5d25d69516c896d5465480df4c0c99b76be2a1ae6331fa2

SHA512
48b25130630ff4f50d5796dba6547a6ec6cd37d1d35855f47be2c9b1038cd5e79e8757de587b488e68e8338bcebe1473b331ab71215d0ca0c86103b3b6b0b9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf3540f3-3de8-4ebb-bc90-a3dd14e11773.vbs

Filesize
716B

MD5
aef322e1761c7dfae76648135f4677a4

SHA1
8b5675b5db794f447b74974b9aa46ced593ce6ef

SHA256
0e1dbc88f79907a68af71c316a5298b0fd981af28f2eae03ec97af5fa06ae6c7

SHA512
d6a482330bc41fe6a1e838d2bea8992aa3e46bcc1a3989bf5df51ac7d173482ac5ef64f89e6ea275c72ff70d6dd38675e2379ee8ca127065e8ce23dd39674d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6623b7d-9fdd-49ec-a92a-2000befa3368.vbs

Filesize
715B

MD5
379b986ee457470a90c57bb0ce0a3376

SHA1
184b8a937d592c4b92255a7bbd7eeeab7d789ecb

SHA256
8f05c83cf94e2891fba74d42f1cf2dd5c0e1fee3116e771031725ac37dc1313b

SHA512
2a4a5bb87e32a94295362a17b835d420eace74c79dba433ccce2a88bf88cff2f2f3e211b5ecf37f75d1b139e814aedb420d7d7d7daf807e41b8bfa2e097575ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\dZVMAJ8uX0.bat

Filesize
267B

MD5
e47a587642fcb744f2207428a31f9468

SHA1
a96e33b8f0ed2bdcfff11d576574a7fb7e47d162

SHA256
11f95f1d9878768d53362add1bfdd57a12f6db05ba94c0dbfb57170a78da04ee

SHA512
f954b27d8ab75043d258bff123b81d515b3ff66159320adc7db2b322a5f94f4e47d1ab13f9815d6810897c510afdb8c5d6d041405ddb381e4870f36875d85876

Download Submit
C:\Users\Admin\AppData\Local\Temp\df93e412-759a-4205-af8a-e6460b97094c.vbs

Filesize
492B

MD5
882f92c6bba37be0ea5d535277a47e0c

SHA1
5076f5085987cd30c7e10442a39b3fc60f5919a7

SHA256
71bd89d4e56989c52e57e53ff9e9a97f146fbb80fd5a6c5798ceebeb940894c6

SHA512
293a2ba69734da8648cedab97578c5fda1dd2ba1762217b5f61a67308fb9fa9ee7364399be26ec95312932c920cd333ac04e542d7b1a6e3a985bb1f9a80ec15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5f675de-999d-4154-a372-c6b8970f8c73.vbs

Filesize
716B

MD5
572de791026f4c0f2c6396a70be19c8e

SHA1
360e35c716154e2388f7dd4b687a46b7a5fa2774

SHA256
af425ec93f14dd5ba192891228893844cb43e2df4aa88742c3ab78838c19cea0

SHA512
232a581523a50cfc824deb1d7c587ab482dbef77503d733018a2ab120c79b00d8e0e3584be603b0d80287e0050324bb8fb611b33dfb643a69d128249732ff7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB083E.tmp

Filesize
296B

MD5
87e085f00e864cb1e4091ce7827b6ef3

SHA1
30841e9d0fef8f7d5cc4b80f2f28f77f999ccbc0

SHA256
d1894855591333a236b2011e418364a7beec6d780555d3cafd62a99f6aa54d2f

SHA512
5ffe54356fb2b0b3f7e50477e6b3acdc63c2a9ad31db7124fd496bbbfef9dc93943c1da50d064e65947c9925abab139865ec7be32b0ded94890c0ca58a08a714

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB083E.tmp

Filesize
296B

MD5
8cfa1a20173a9fbaefacd2c7d4ecd0cc

SHA1
22318bfdf2eadd383be562a21df81670c783c33a

SHA256
a2fa40fbcd2da6119e525222456e3a6e08918cd81dca57ea90ffc1d921b88280

SHA512
24e4ce8450ca25caf9f92cf7758bbf1f52224bd684c5f9971deaf0f8c30eea4d7070152c025bc3ebd18878e08e527f694de345ba9a451c4a749dd47b7d49f94e

Download Submit
C:\Users\Admin\AppData\Local\spoolsv.exe

Filesize
1.2MB

MD5
e96b9e17da08c5a64c26dc666402c64f

SHA1
cceec5c7f6f4bbf08c63153a0dea8b5834ed38ee

SHA256
8e7147a2aaffb6632052f190dad38b7d945ae42f1c4e21307f6d9079afb76372

SHA512
dd71101f1b6b0dcd545bec2e448c6368a8653b599a5b0de3287ac50126b0c380a325e92fa201bdd869d97cf18e63d0795879923e9364abb92adfc57af02d5040

Download Submit
memory/288-177-0x00000000012C0000-0x0000000001404000-memory.dmp

Filesize
1.3MB

Download
memory/796-118-0x00000000012A0000-0x00000000013E4000-memory.dmp

Filesize
1.3MB

Download
memory/1268-27-0x0000000001280000-0x00000000013C4000-memory.dmp

Filesize
1.3MB

Download
memory/1420-73-0x0000000001070000-0x00000000011B4000-memory.dmp

Filesize
1.3MB

Download
memory/1512-61-0x0000000000140000-0x0000000000284000-memory.dmp

Filesize
1.3MB

Download
memory/1796-49-0x0000000000900000-0x0000000000A44000-memory.dmp

Filesize
1.3MB

Download
memory/1872-154-0x0000000000A10000-0x0000000000B54000-memory.dmp

Filesize
1.3MB

Download
memory/2116-189-0x00000000003E0000-0x0000000000524000-memory.dmp

Filesize
1.3MB

Download
memory/2136-4-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/2136-7-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/2136-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2136-3-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2136-5-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2136-6-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2136-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2136-1-0x0000000000970000-0x0000000000AB4000-memory.dmp

Filesize
1.3MB

Download
memory/2136-15-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2232-130-0x00000000000E0000-0x0000000000224000-memory.dmp

Filesize
1.3MB

Download
memory/2332-142-0x0000000000340000-0x0000000000484000-memory.dmp

Filesize
1.3MB

Download
memory/2668-17-0x0000000000CD0000-0x0000000000E14000-memory.dmp

Filesize
1.3MB

Download
memory/2688-201-0x0000000000B80000-0x0000000000CC4000-memory.dmp

Filesize
1.3MB

Download
memory/2916-38-0x0000000000820000-0x0000000000964000-memory.dmp

Filesize
1.3MB

Download