dcrat | 0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Size

4.9MB
MD5

613c17af7e79ea0696b12a8d2a4b99e0
SHA1

3c1fa83f993484fffb9def759879c320750d8ddc
SHA256

0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003
SHA512

3ccc372ca5dc7ca97f6050ae8b42c3b0d839bda5c8237b256a443e9246fa0fc36d256d6ae5b001d298f5e9253a98f68edce0c652d2a9f85bc7af542c00c52f15
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	336	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/340-3-0x000000001B610000-0x000000001B73E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1468	powershell.exe
1968	powershell.exe
1936	powershell.exe
1632	powershell.exe
2224	powershell.exe
2664	powershell.exe
2604	powershell.exe
1864	powershell.exe
2432	powershell.exe
3024	powershell.exe
2252	powershell.exe
704	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2900	System.exe
1760	System.exe
804	System.exe
2812	System.exe
2860	System.exe
2392	System.exe
2168	System.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\en-US\wininit.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\spoolsv.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\MSBuild\6203df4a6bafc7	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCXCC3B.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXD8CE.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\DVD Maker\RCXE1B7.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Journal\it-IT\Idle.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Sidebar\6203df4a6bafc7	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsass.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RCXD459.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXD6CA.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\DVD Maker\dwm.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Journal\it-IT\6ccacd8608530f	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Journal\en-US\wininit.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\Idle.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXD042.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Journal\en-US\56085415360792	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\DVD Maker\dwm.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\spoolsv.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\f3b6ecef712a24	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCXC9CA.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Program Files\Windows Sidebar\lsass.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\0a1fd5f707cd16	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\DVD Maker\6cb0b6c459d5d3	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files (x86)\MSBuild\lsass.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Program Files\Windows Sidebar\lsass.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\ja-JP\spoolsv.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\RCXC3BD.tmp	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\wininit.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\wininit.exe	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\56085415360792	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2824	schtasks.exe
1604	schtasks.exe
2348	schtasks.exe
2300	schtasks.exe
344	schtasks.exe
2420	schtasks.exe
936	schtasks.exe
2260	schtasks.exe
2752	schtasks.exe
2892	schtasks.exe
2212	schtasks.exe
2996	schtasks.exe
2404	schtasks.exe
1788	schtasks.exe
1808	schtasks.exe
2356	schtasks.exe
2620	schtasks.exe
2340	schtasks.exe
1648	schtasks.exe
2716	schtasks.exe
2960	schtasks.exe
2144	schtasks.exe
1764	schtasks.exe
464	schtasks.exe
2480	schtasks.exe
2748	schtasks.exe
2664	schtasks.exe
2924	schtasks.exe
2964	schtasks.exe
2676	schtasks.exe
1044	schtasks.exe
2020	schtasks.exe
2000	schtasks.exe
2828	schtasks.exe
2704	schtasks.exe
836	schtasks.exe
348	schtasks.exe
2508	schtasks.exe
2560	schtasks.exe
2648	schtasks.exe
2152	schtasks.exe
1664	schtasks.exe
2656	schtasks.exe
1732	schtasks.exe
2068	schtasks.exe
1084	schtasks.exe
768	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
2604	powershell.exe
704	powershell.exe
1936	powershell.exe
1632	powershell.exe
3024	powershell.exe
2432	powershell.exe
1968	powershell.exe
1468	powershell.exe
1864	powershell.exe
2224	powershell.exe
2252	powershell.exe
2664	powershell.exe
2900	System.exe
1760	System.exe
804	System.exe
2812	System.exe
2860	System.exe
2392	System.exe
2168	System.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2900	System.exe
Token: SeDebugPrivilege	1760	System.exe
Token: SeDebugPrivilege	804	System.exe
Token: SeDebugPrivilege	2812	System.exe
Token: SeDebugPrivilege	2860	System.exe
Token: SeDebugPrivilege	2392	System.exe
Token: SeDebugPrivilege	2168	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2664	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	80
PID 340 wrote to memory of 2664	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	80
PID 340 wrote to memory of 2664	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	80
PID 340 wrote to memory of 2604	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	81
PID 340 wrote to memory of 2604	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	81
PID 340 wrote to memory of 2604	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	81
PID 340 wrote to memory of 1864	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	82
PID 340 wrote to memory of 1864	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	82
PID 340 wrote to memory of 1864	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	82
PID 340 wrote to memory of 3024	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	83
PID 340 wrote to memory of 3024	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	83
PID 340 wrote to memory of 3024	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	83
PID 340 wrote to memory of 2252	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	84
PID 340 wrote to memory of 2252	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	84
PID 340 wrote to memory of 2252	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	84
PID 340 wrote to memory of 1468	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	85
PID 340 wrote to memory of 1468	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	85
PID 340 wrote to memory of 1468	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	85
PID 340 wrote to memory of 704	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	86
PID 340 wrote to memory of 704	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	86
PID 340 wrote to memory of 704	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	86
PID 340 wrote to memory of 1968	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	87
PID 340 wrote to memory of 1968	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	87
PID 340 wrote to memory of 1968	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	87
PID 340 wrote to memory of 1936	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	88
PID 340 wrote to memory of 1936	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	88
PID 340 wrote to memory of 1936	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	88
PID 340 wrote to memory of 2432	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	89
PID 340 wrote to memory of 2432	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	89
PID 340 wrote to memory of 2432	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	89
PID 340 wrote to memory of 2224	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	90
PID 340 wrote to memory of 2224	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	90
PID 340 wrote to memory of 2224	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	90
PID 340 wrote to memory of 1632	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	91
PID 340 wrote to memory of 1632	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	91
PID 340 wrote to memory of 1632	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	91
PID 340 wrote to memory of 1844	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	104
PID 340 wrote to memory of 1844	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	104
PID 340 wrote to memory of 1844	340	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe	104
PID 1844 wrote to memory of 1328	1844	cmd.exe	106
PID 1844 wrote to memory of 1328	1844	cmd.exe	106
PID 1844 wrote to memory of 1328	1844	cmd.exe	106
PID 1844 wrote to memory of 2900	1844	cmd.exe	107
PID 1844 wrote to memory of 2900	1844	cmd.exe	107
PID 1844 wrote to memory of 2900	1844	cmd.exe	107
PID 2900 wrote to memory of 2752	2900	System.exe	108
PID 2900 wrote to memory of 2752	2900	System.exe	108
PID 2900 wrote to memory of 2752	2900	System.exe	108
PID 2900 wrote to memory of 2676	2900	System.exe	109
PID 2900 wrote to memory of 2676	2900	System.exe	109
PID 2900 wrote to memory of 2676	2900	System.exe	109
PID 2752 wrote to memory of 1760	2752	WScript.exe	110
PID 2752 wrote to memory of 1760	2752	WScript.exe	110
PID 2752 wrote to memory of 1760	2752	WScript.exe	110
PID 1760 wrote to memory of 2116	1760	System.exe	111
PID 1760 wrote to memory of 2116	1760	System.exe	111
PID 1760 wrote to memory of 2116	1760	System.exe	111
PID 1760 wrote to memory of 1540	1760	System.exe	112
PID 1760 wrote to memory of 1540	1760	System.exe	112
PID 1760 wrote to memory of 1540	1760	System.exe	112
PID 2116 wrote to memory of 804	2116	WScript.exe	113
PID 2116 wrote to memory of 804	2116	WScript.exe	113
PID 2116 wrote to memory of 804	2116	WScript.exe	113
PID 804 wrote to memory of 1044	804	System.exe	114

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe
"C:\Users\Admin\AppData\Local\Temp\0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ql2ne0wKIa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1328
- - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
    "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3686f696-66ca-4047-ab46-e989236769bb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1760
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d3d16f2-3a2a-4a55-b260-0d51e6e5db6c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d66301c6-3f21-4428-ac7d-df12bf7a0b7c.vbs"
        8⤵
        
        PID:1044
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dff47215-0ea9-408c-a351-8480092e28df.vbs"
        10⤵
        
        PID:2884
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97f596c5-a536-45f5-b8a0-c6d416707564.vbs"
        12⤵
        
        PID:1476
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9ea645-f2ca-483d-8e3e-e47c884b9912.vbs"
        14⤵
        
        PID:916
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\691a4446-fc90-41f8-a298-203ad2022dbc.vbs"
        16⤵
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6833d9a-07b1-40d8-a15e-2858d1f67b76.vbs"
        16⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc462f2-2881-483a-b585-7f1d16617198.vbs"
        14⤵
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53ac160-9dd1-4dda-90c4-87d10a138bd9.vbs"
        12⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6d5db4-dc81-42d3-991e-0e33af71a6dd.vbs"
        10⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14a98d8a-e582-4b7f-a080-210956387fb9.vbs"
        8⤵
        
        PID:1968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444ccf43-6dc1-4da5-92e5-aebd145f74ee.vbs"
        6⤵
        
        PID:1540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b19b1cf7-d80f-4471-bbe9-1a05cf63d7d1.vbs"
      4⤵
      PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\ScanFile\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\en-US\wininit.exe

Filesize
4.9MB

MD5
d9d67dcf852e2850a4086ce274053e8c

SHA1
c101a3137b84b16290aa0e729234449539a8d1be

SHA256
12f881a4ed0a90321af4fe03b9c080115c2ddc148d97ed9e96b5b2ebf3985142

SHA512
89f2b229d9a202ad79ee1ab4cd6af16ed84270fbbee70a60e979d47fedfb74427228b14956d67c2f8f0d6ad4288037aa63d542031c76e06122a59095503c8ceb

Download Submit
C:\Program Files\Windows Journal\it-IT\Idle.exe

Filesize
4.9MB

MD5
613c17af7e79ea0696b12a8d2a4b99e0

SHA1
3c1fa83f993484fffb9def759879c320750d8ddc

SHA256
0a8b61ef492837674d8faf6fd87897dd12857db5645b49c83f0e5d067a6db003

SHA512
3ccc372ca5dc7ca97f6050ae8b42c3b0d839bda5c8237b256a443e9246fa0fc36d256d6ae5b001d298f5e9253a98f68edce0c652d2a9f85bc7af542c00c52f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\3686f696-66ca-4047-ab46-e989236769bb.vbs

Filesize
735B

MD5
0887dc2adbe64c8837e728b13ce66966

SHA1
acf9cdab70b0513a9b060e1646e98d6f12b9e6b2

SHA256
75b0372faced14787979626abda9412b23e3b23fcf2c52a877102b73de3c585d

SHA512
07d530e20f7fbd0d071c32dde85a1a89ef6081de06af851abeb1a5eafbaeb1001594fba2d34fe0a2f09fc63c4229dda54f319ec511d5e8fb473e05da3efdddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d3d16f2-3a2a-4a55-b260-0d51e6e5db6c.vbs

Filesize
735B

MD5
f77334d3d69fb4a98baccbb6683a6ab6

SHA1
c04657e253c86baf94cf90ea677fac271ade183b

SHA256
605b3ea81e79c51975d716d7d05c5cade39d1508fc3d3d3c77d034a43b17188a

SHA512
398dc3249f46cd7226a584c26d8dd4f4608c075e5fd84cb92faf6b565cc2521ea77ec97e7eaf398485ea222bedb716ca31db77fdd4901f78722f0fbb048e4ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\691a4446-fc90-41f8-a298-203ad2022dbc.vbs

Filesize
735B

MD5
7916422db9ead8ae85de361a09dca837

SHA1
564930ccd591f5ecd75181bb3b1e982806c8cbf9

SHA256
caf4785597a4dbb2bdc049faa79aaad3146f68fd25a04fcca67c5965ae282fed

SHA512
ee9bd54a89bdf1ec7045fedc14d78efec990d072575b360c296499946df8e58b6cb3ae4a6b640be9640f392a2d1e8b235db55672f0a04aa20f4c6a9fedc9e90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e9ea645-f2ca-483d-8e3e-e47c884b9912.vbs

Filesize
735B

MD5
dfdca211c83624365750fb8d40031272

SHA1
0b0680448a251ec5d81c5076d73c6e571452bf7f

SHA256
e5b77243c04d3505f2f15a22de946d9982cb0720557e4e82ae89d1a201ff0e71

SHA512
2f2a9019ce771dd9671814a2e1499bfa2cd1a952fbda18408bcebafdc5f10cd6eb9da90e08f15c82cfe5c81905b5fa9b16c1dfcf7ca749d0a6f6117614dcc4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\97f596c5-a536-45f5-b8a0-c6d416707564.vbs

Filesize
735B

MD5
38c63222584f9376c03cdb88646edf8c

SHA1
c4a2f4a453a7d3311af27e971eb88e089b75f994

SHA256
dc7f2c21f893bd021fa61c266d76c278c152bf571278f39f6b9306fb12e7acac

SHA512
98dbdd47fd01b393e15d2a5358a38f1199fc84bf5ada2fa19d9274c6950ffe5fec0a1dad400c6d8b1b19da5e8122b1097879f963b04a98fff80d2e322f4c272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ql2ne0wKIa.bat

Filesize
224B

MD5
f07076f66a0d4eb986eb8bd90c8f9750

SHA1
d57d4effaa851640b9ad3a93344bffbfe37ed62d

SHA256
1c0505cb6fb2d1d18d6605727cdfa2227416ccd295c8f714feaa85937a7a56b8

SHA512
661d7bdc33e478295da1b7daeabbea601abcb124b9d2ec6005d7f4429e7aaf31a46e7aeca38f578377dadd2372c97156840a0bdc7fea6d8225d34019a8c86e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\b19b1cf7-d80f-4471-bbe9-1a05cf63d7d1.vbs

Filesize
511B

MD5
c4f0cf789532da5c4833b879d2c0f395

SHA1
66aad62ee272cc9623c95ff57cfba273e068d0f0

SHA256
03c888dd15e497973348ad715239cb7c6e92bc86c74097b54b7997967a54cc68

SHA512
d1ce8618f3c09963fffed05504867c7d433343d0f5612a36a87090d01b54012a8c3b7463d6d470bc0cce6d916c686f76febcdff29361be641d4e12d2dd222c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d66301c6-3f21-4428-ac7d-df12bf7a0b7c.vbs

Filesize
734B

MD5
f4b985642d859cd301288a189000c748

SHA1
71c5447042d5279457d389c17ee5e4b3d98753e5

SHA256
791582f62bf93a19e35316b991976b8a87d0850435716b17dcd0a81dcea960f4

SHA512
1d0ef69de16124ff6a264f64a76a62081f6fef3ab417cb3ac4151abac1c995a02a373f6064b696fb62fa6cbc695d67d55fd131d38c6c15236f6486b92a19fe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\dff47215-0ea9-408c-a351-8480092e28df.vbs

Filesize
735B

MD5
edbe17e4e665c33809960b3a106aadf0

SHA1
2eaefefc92a4c37e1cb42798bde9ffd73754a657

SHA256
3e2a11f8a0058c5d00e8a6d6e8a5503ec9ca7407a901cb09f69853ecec6e442d

SHA512
afbc3e1797e29304f1bf433430cbaa3f5d867d05513a28aab6dba8a853c9486fd5fbf183e5191993f8f81076114e35a4f0dca7b7c50e87b2632bd821caad2d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d464e155a17d6d8f1ea34e65693c03ad

SHA1
7dd4366b998fc27769f58ebf23f7b5e13d578b27

SHA256
6cd1028a15cadc0272d239410f0bf8094f5c69d6b9414b9742149825f6c8b5c5

SHA512
eb8e586efb9e203d78a576b3b3ffe47344d66cf8508403feafc696bd4a059a6804dd68e1f234a2b12a72b491fd7b8e9fd31448a54be69dfa688afde6a13a351f

Download Submit
memory/340-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/340-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/340-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/340-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/340-13-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/340-12-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/340-137-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/340-151-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-164-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-1-0x0000000000960000-0x0000000000E54000-memory.dmp

Filesize
5.0MB

Download
memory/340-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/340-10-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/340-3-0x000000001B610000-0x000000001B73E000-memory.dmp

Filesize
1.2MB

Download
memory/340-4-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/340-14-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/340-7-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/340-8-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/340-5-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/340-6-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/804-261-0x00000000008A0000-0x0000000000D94000-memory.dmp

Filesize
5.0MB

Download
memory/1760-246-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/1760-245-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/2168-321-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/2392-306-0x0000000001310000-0x0000000001804000-memory.dmp

Filesize
5.0MB

Download
memory/2604-170-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2604-171-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2812-276-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2860-291-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2900-231-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/2900-230-0x0000000000070000-0x0000000000564000-memory.dmp

Filesize
5.0MB

Download