dcrat | 97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

Analysis

max time kernel
119s
max time network
110s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Size

4.9MB
MD5

b0cae33b9c6d513565cffdde8ce50632
SHA1

4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7
SHA256

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64
SHA512

31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2856	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1500-3-0x000000001B3F0000-0x000000001B51E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3032	powershell.exe
2396	powershell.exe
2740	powershell.exe
2540	powershell.exe
2680	powershell.exe
3004	powershell.exe
2552	powershell.exe
3068	powershell.exe
2844	powershell.exe
2816	powershell.exe
2784	powershell.exe
632	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2576	sppsvc.exe
1996	sppsvc.exe
836	sppsvc.exe
2232	sppsvc.exe
2128	sppsvc.exe
2068	sppsvc.exe
1672	sppsvc.exe
3044	sppsvc.exe
1536	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\b75386f1303e64	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCXBD22.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Common Files\Services\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\RCXB409.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\56085415360792	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXC59D.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Common Files\Services\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\f3b6ecef712a24	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Common Files\Services\56085415360792	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXAD90.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXBAFF.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\lsass.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Speech\Engines\Lexicon\es-ES\Idle.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
536	schtasks.exe
2980	schtasks.exe
2664	schtasks.exe
1364	schtasks.exe
1848	schtasks.exe
2912	schtasks.exe
2440	schtasks.exe
2336	schtasks.exe
2860	schtasks.exe
2936	schtasks.exe
1908	schtasks.exe
2852	schtasks.exe
1828	schtasks.exe
2544	schtasks.exe
1084	schtasks.exe
2040	schtasks.exe
2800	schtasks.exe
2988	schtasks.exe
2920	schtasks.exe
2736	schtasks.exe
984	schtasks.exe
828	schtasks.exe
2824	schtasks.exe
2488	schtasks.exe
2504	schtasks.exe
1612	schtasks.exe
1784	schtasks.exe
408	schtasks.exe
2764	schtasks.exe
880	schtasks.exe
2548	schtasks.exe
2576	schtasks.exe
1272	schtasks.exe
2748	schtasks.exe
2696	schtasks.exe
2104	schtasks.exe
1496	schtasks.exe
1920	schtasks.exe
1100	schtasks.exe
976	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
3032	powershell.exe
3068	powershell.exe
2680	powershell.exe
2816	powershell.exe
2740	powershell.exe
2396	powershell.exe
2552	powershell.exe
3004	powershell.exe
2540	powershell.exe
2844	powershell.exe
2784	powershell.exe
632	powershell.exe
2576	sppsvc.exe
1996	sppsvc.exe
836	sppsvc.exe
2232	sppsvc.exe
2128	sppsvc.exe
2068	sppsvc.exe
1672	sppsvc.exe
3044	sppsvc.exe
1536	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2576	sppsvc.exe
Token: SeDebugPrivilege	1996	sppsvc.exe
Token: SeDebugPrivilege	836	sppsvc.exe
Token: SeDebugPrivilege	2232	sppsvc.exe
Token: SeDebugPrivilege	2128	sppsvc.exe
Token: SeDebugPrivilege	2068	sppsvc.exe
Token: SeDebugPrivilege	1672	sppsvc.exe
Token: SeDebugPrivilege	3044	sppsvc.exe
Token: SeDebugPrivilege	1536	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3068	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	73
PID 1500 wrote to memory of 3068	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	73
PID 1500 wrote to memory of 3068	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	73
PID 1500 wrote to memory of 3032	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	74
PID 1500 wrote to memory of 3032	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	74
PID 1500 wrote to memory of 3032	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	74
PID 1500 wrote to memory of 2844	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	75
PID 1500 wrote to memory of 2844	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	75
PID 1500 wrote to memory of 2844	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	75
PID 1500 wrote to memory of 2680	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	77
PID 1500 wrote to memory of 2680	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	77
PID 1500 wrote to memory of 2680	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	77
PID 1500 wrote to memory of 2396	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	78
PID 1500 wrote to memory of 2396	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	78
PID 1500 wrote to memory of 2396	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	78
PID 1500 wrote to memory of 2740	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	80
PID 1500 wrote to memory of 2740	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	80
PID 1500 wrote to memory of 2740	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	80
PID 1500 wrote to memory of 2540	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	81
PID 1500 wrote to memory of 2540	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	81
PID 1500 wrote to memory of 2540	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	81
PID 1500 wrote to memory of 2552	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	82
PID 1500 wrote to memory of 2552	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	82
PID 1500 wrote to memory of 2552	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	82
PID 1500 wrote to memory of 2816	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	83
PID 1500 wrote to memory of 2816	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	83
PID 1500 wrote to memory of 2816	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	83
PID 1500 wrote to memory of 2784	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	84
PID 1500 wrote to memory of 2784	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	84
PID 1500 wrote to memory of 2784	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	84
PID 1500 wrote to memory of 632	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	85
PID 1500 wrote to memory of 632	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	85
PID 1500 wrote to memory of 632	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	85
PID 1500 wrote to memory of 3004	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	86
PID 1500 wrote to memory of 3004	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	86
PID 1500 wrote to memory of 3004	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	86
PID 1500 wrote to memory of 2576	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 1500 wrote to memory of 2576	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 1500 wrote to memory of 2576	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 1500 wrote to memory of 2576	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 1500 wrote to memory of 2576	1500	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 2576 wrote to memory of 1428	2576	sppsvc.exe	99
PID 2576 wrote to memory of 1428	2576	sppsvc.exe	99
PID 2576 wrote to memory of 1428	2576	sppsvc.exe	99
PID 2576 wrote to memory of 2896	2576	sppsvc.exe	100
PID 2576 wrote to memory of 2896	2576	sppsvc.exe	100
PID 2576 wrote to memory of 2896	2576	sppsvc.exe	100
PID 1428 wrote to memory of 1996	1428	WScript.exe	101
PID 1428 wrote to memory of 1996	1428	WScript.exe	101
PID 1428 wrote to memory of 1996	1428	WScript.exe	101
PID 1428 wrote to memory of 1996	1428	WScript.exe	101
PID 1428 wrote to memory of 1996	1428	WScript.exe	101
PID 1996 wrote to memory of 2736	1996	sppsvc.exe	102
PID 1996 wrote to memory of 2736	1996	sppsvc.exe	102
PID 1996 wrote to memory of 2736	1996	sppsvc.exe	102
PID 1996 wrote to memory of 920	1996	sppsvc.exe	103
PID 1996 wrote to memory of 920	1996	sppsvc.exe	103
PID 1996 wrote to memory of 920	1996	sppsvc.exe	103
PID 2736 wrote to memory of 836	2736	WScript.exe	104
PID 2736 wrote to memory of 836	2736	WScript.exe	104
PID 2736 wrote to memory of 836	2736	WScript.exe	104
PID 2736 wrote to memory of 836	2736	WScript.exe	104
PID 2736 wrote to memory of 836	2736	WScript.exe	104
PID 836 wrote to memory of 376	836	sppsvc.exe	105

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
"C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c225c6d4-f246-4c0b-809e-525f047944c2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1996
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689afc2e-9a13-4df6-8153-0162750532c2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e69a7388-7fb9-4eb2-8848-660f20607bd7.vbs"
        7⤵
        
        PID:376
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad9ba937-601f-4908-923c-73521c3b9267.vbs"
        9⤵
        
        PID:2456
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e567ff-3a14-48e6-883b-7afd51955042.vbs"
        11⤵
        
        PID:2588
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0c0aa08-aa71-4f5a-93b1-d09cd20e3db9.vbs"
        13⤵
        
        PID:2932
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0391ae78-ff8f-4c7f-91ee-975bfc15bf8f.vbs"
        15⤵
        
        PID:1524
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78b52e37-9d65-46bf-b6a2-59c501a29bd0.vbs"
        17⤵
        
        PID:688
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9f61261-c283-4769-8f8d-455422d99a02.vbs"
        19⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb12018-3f38-4750-8c45-56edb7347cc6.vbs"
        19⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd97c64-80fa-4395-a451-fd918a5220fd.vbs"
        17⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2592559-fa2a-41c6-87e4-76a7e2913468.vbs"
        15⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1582eb7-46ea-4159-ae50-3f22617221f3.vbs"
        13⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47776a0-4da4-4f29-b4b7-84912b873961.vbs"
        11⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed67e064-a0fc-41f4-a9bb-15e5aea8569d.vbs"
        9⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf47997d-8bf9-4f5c-b43d-49448d44dffd.vbs"
        7⤵
        
        PID:2040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2c6d8d6-9aca-4a60-abbb-6a56ecab0bf9.vbs"
        5⤵
        
        PID:920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fbdc186-2d46-4fc1-a44f-1e4653f1bb07.vbs"
    3⤵
    PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c649" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64" /sc ONLOGON /tr "'C:\Users\All Users\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c649" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
4.9MB

MD5
b0c58e2e8cc731ee2af8bcd7e556c4d4

SHA1
c94cfd2be19e5ae525d909a669f9cd124b1822dd

SHA256
92c9132aa69e65f0bcd7de5f121cae0bed3c71b7d5faf4929019ec55c59c1983

SHA512
ce59e69637095d04d39f33c033401a0d05db73678b08925308780a0e0609c5b5ff9b5a5cf262f50930bd4536536d7dacd72c7ab928f1e537631ef5ffbcb79b45

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe

Filesize
4.9MB

MD5
584f2204b523875c82caed662b102b0f

SHA1
0d1cfb6a84df6c4f9d366e36ec8ce37da7a0712b

SHA256
8c0ff4066f99e1e0e495b6fc94bf1b24682890acfa40543b5f66b320201ed1b6

SHA512
eb3d9219845e1291200ce3a6ccb3f54b23448c14c6ac31a408ba4565478952aed79f82cda58c294314a1f6faaace6c4352f97713b78c9d1d2bc6d3395687154d

Download Submit
C:\Program Files\Microsoft Games\Chess\fr-FR\taskhost.exe

Filesize
4.9MB

MD5
b0cae33b9c6d513565cffdde8ce50632

SHA1
4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7

SHA256
97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

SHA512
31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0391ae78-ff8f-4c7f-91ee-975bfc15bf8f.vbs

Filesize
749B

MD5
953c3c036e0ae66f301f6d80a0f24664

SHA1
522eba3b85d08f45fdb482492ea0b557b8f5ca49

SHA256
0b2cb82b37c6ff64ba8245e85fb5754080c46e228967e09d46114623427451b6

SHA512
16ee52e9bb37d0fc4dd401ce9ada7aa9d15f765325aafad51a5a2076a44b054a89f34f9717aeca4e98928f0c7540e83c4233a98e0b4a464e7b931638df5c36c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\08e567ff-3a14-48e6-883b-7afd51955042.vbs

Filesize
749B

MD5
9ea359a4d1519b2e8f604b16f29ff9f9

SHA1
3b1e3b52adf943b5ed12041556bf696cbb5cbfdb

SHA256
603097b4642be7b59a7906b2161add7d6e02f37aff0537c1576df3f88c69e4fa

SHA512
5113f3171aa5b011524692bc7a46c95533b1507e355a621c7257a99f1a9805f362cb7f058e2031e772d762cfbd58bd93d63bde17c454063137976ee3e8923879

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fbdc186-2d46-4fc1-a44f-1e4653f1bb07.vbs

Filesize
525B

MD5
acd3d0d03fd76d22f8c3763a4de906ed

SHA1
c9e534008221e084731f9acf66cb908eff296bce

SHA256
77a4bd2ddfdbbaf0366ce1a5893665b9a7c9b1b792fde4960d5ad4ad6552e4e2

SHA512
2d7bfb8ab3b8d674877de59a380f4cb3fa77c157238013eaaec7d8f83b3de0189d6476e94f52757410942a88c017978bb330df60a0e58bb8ff3df9f0bf49f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\689afc2e-9a13-4df6-8153-0162750532c2.vbs

Filesize
749B

MD5
e046e03b55c9d9fa8de11d48a2257c1e

SHA1
1e075c21cf9c8c13523250abdcd1a10587509045

SHA256
0ec9d9828723954afba84091a013948436a2f89c3bb61f382218cd339c1d4672

SHA512
55210f2162f1258fdcc653bf628a412c04c297ba6f6a933806c1aa66a474b161713d2b70178ea48865a924c6ee4ec0a92011eb0d6c4d56cf07639d086940bf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\78b52e37-9d65-46bf-b6a2-59c501a29bd0.vbs

Filesize
749B

MD5
d4bdb3f9f1cccdd9f1488d964f9f97b0

SHA1
9e650132df9948919f39c751638cba1f899437f8

SHA256
2a59ffa4ad6185b9114f55862dfd15ea4f539a9427a2171279c293578898dcd7

SHA512
ecd6eaaef6a138f7888950e682f11c3dc2a01019b8ca0d26ae01d3179b46835d8dfe7169dc4a4753d21df9c149663745567be4b9725543f340ad9dc2c252f327

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad9ba937-601f-4908-923c-73521c3b9267.vbs

Filesize
749B

MD5
bb1a926e9ca6304173ad525aaba5a9ae

SHA1
1f7327c23575a0f7ba66297c73d6ceeab2ae0606

SHA256
4606cef4f5bd311d7baa9c649bb660b4d5fa0a5186234f80d76cf26fa0e6b48a

SHA512
cc7dd8d6b96841f2f794e73d6bfe9966496d888153fdaf75d16ece1786a1dee3394fc00c06d3f66daad0b83f31a35d326ef98ef8daada94e77e41fefecf4e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3fc9d1b69621479c44ec6496a02740ca962dd8e.exe

Filesize
4.9MB

MD5
aa201b754870f4eea2b7cc889f266809

SHA1
bdd78a381e5e6095c654e88f78718d91918c2235

SHA256
e7136c3b77d56588c20839a8a34a418dbc6d16a479a62a60c21347e6351da826

SHA512
d235adf91c080e2360a219561d505c6c79b2c4423b79cd66f47be2f421d25110e53d7d0f7a896bd5dbea3385c79b9bc3d4af67c10177e8af33565380c789eb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c225c6d4-f246-4c0b-809e-525f047944c2.vbs

Filesize
749B

MD5
04a95972757796dd91e4074a3ab94fc6

SHA1
f855f7838ef014b22c2f3937f16011b1b60dbe0f

SHA256
937e018bf1ebdb15f724f6191864cda1b5562aa96e2da487c0c6d9a559a6112c

SHA512
fd2f3fb047e07ae418c7df0e13f74e4a8bdf8bd6f2a5d058cebef0e3a544e382a1c400d04348b9cb6ace59edb2ea562e7c151b59fee22b7756aebb347b6377a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9f61261-c283-4769-8f8d-455422d99a02.vbs

Filesize
749B

MD5
b3cf5d330f50f61607e21a1a568e8a74

SHA1
1cb5472bfc2613b20528fb80b17242de83301175

SHA256
294f563d8fb8884db8fa0d066078d9d8ac5ab5203de8f5bfefe1f44632a03ed0

SHA512
d6fffe620d9b27d01767b4ff6d10ab73b7327398094727195ad355dc51d6b9d735f33d423f8b01886fe34ee0c07f8b46789f10e54e352e07ad8c0e87815fba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0c0aa08-aa71-4f5a-93b1-d09cd20e3db9.vbs

Filesize
749B

MD5
94df0246e7b7025f746cfda83807047e

SHA1
82c78a1ec67c478fe01ea89d32bf815d67e28603

SHA256
a1d4f1be125f1252b928c4a241193a78f108d7014fa09416f715b0a955691fcd

SHA512
6cddc11949afdda8f9a63c984fd5d1bf8c7207ec4ff1d04ed46063a0044ad81ce78bd2ae40a1c6741ed8c3a08cdbb8cbb425d0378f53d808f1da87e25e75f474

Download Submit
C:\Users\Admin\AppData\Local\Temp\e69a7388-7fb9-4eb2-8848-660f20607bd7.vbs

Filesize
748B

MD5
526119a82548fcf0316d9ed59ce668a3

SHA1
d6624fa1d381cf4521831e015f16f66ae6333c52

SHA256
4ba011b445c7e30566c3df4e243aec43f4627656f48d8c9d33a72c11913243ba

SHA512
03c4a42474d078aff089435bd046f094a9a74a31af647b657a84167922d66e913ef45c69861f219fffd78f527c0544e9ab7f876d3e954a3ad9816970b945b3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD93F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3725801d53055a6a9a9cc0519a522769

SHA1
3ff39d13b088e58cfaeedeeb6194d96974d1b338

SHA256
9daf8dee52213f2ec5494e027e729e3df2a68d2977b69a8be5fc7559dbe0e26e

SHA512
83d8d22c524485c38eb4849e1c514f24240274cdcd699bd3cba39d96a3464ffd18a33d7f1040731b4f2262f1f57a8ed077b010f2a5579b016c392e34962174f5

Download Submit
memory/836-237-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/1500-13-0x00000000024D0000-0x00000000024DE000-memory.dmp

Filesize
56KB

Download
memory/1500-9-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1500-139-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1500-16-0x0000000002600000-0x000000000260C000-memory.dmp

Filesize
48KB

Download
memory/1500-1-0x0000000000AA0000-0x0000000000F94000-memory.dmp

Filesize
5.0MB

Download
memory/1500-3-0x000000001B3F0000-0x000000001B51E000-memory.dmp

Filesize
1.2MB

Download
memory/1500-11-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/1500-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-192-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1500-12-0x00000000024C0000-0x00000000024CE000-memory.dmp

Filesize
56KB

Download
memory/1500-14-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1500-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1500-4-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/1500-6-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/1500-10-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/1500-15-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/1500-7-0x00000000007E0000-0x00000000007F6000-memory.dmp

Filesize
88KB

Download
memory/1500-5-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/1500-8-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/1536-327-0x0000000000B40000-0x0000000001034000-memory.dmp

Filesize
5.0MB

Download
memory/1672-297-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/1996-222-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/1996-221-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2128-268-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/2232-253-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2232-252-0x00000000008D0000-0x0000000000DC4000-memory.dmp

Filesize
5.0MB

Download
memory/2576-167-0x00000000008C0000-0x0000000000DB4000-memory.dmp

Filesize
5.0MB

Download
memory/3032-158-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/3044-312-0x0000000000850000-0x0000000000D44000-memory.dmp

Filesize
5.0MB

Download
memory/3068-152-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download