dcrat | 97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Size

4.9MB
MD5

b0cae33b9c6d513565cffdde8ce50632
SHA1

4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7
SHA256

97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64
SHA512

31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2568	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2568	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2724-3-0x000000001B400000-0x000000001B52E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1220	powershell.exe
2384	powershell.exe
1712	powershell.exe
2528	powershell.exe
908	powershell.exe
2028	powershell.exe
2848	powershell.exe
2944	powershell.exe
992	powershell.exe
1148	powershell.exe
2376	powershell.exe
2404	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
864	lsass.exe
1188	lsass.exe
308	lsass.exe
2448	lsass.exe
2376	lsass.exe
1960	lsass.exe
1236	lsass.exe
1856	lsass.exe
2056	lsass.exe
2064	lsass.exe
1984	lsass.exe
2068	lsass.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX7CA4.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX85FB.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\6cb0b6c459d5d3	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Common Files\Adobe\6ccacd8608530f	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Uninstall Information\0a1fd5f707cd16	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Microsoft Office\0a1fd5f707cd16	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\cc11b995f2a76d	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX907B.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX7F15.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCX8C73.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\5940a34987c991	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX83F7.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX9984.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Idle.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\27d1bcfc3c54e0	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Uninstall Information\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Idle.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Microsoft Office\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\27d1bcfc3c54e0	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Program Files\Uninstall Information\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCX9E85.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCX7551.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files\Microsoft Office\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PLA\System\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Cursors\RCX9770.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Fonts\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Cursors\886983d96e3d3e	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ieinstal.resources_31bf3856ad364e35_8.0.7600.16385_en-us_708d2790e340090a\winlogon.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Fonts\dwm.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\twain_32\RCX9BF5.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Fonts\6cb0b6c459d5d3	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\PLA\System\sppsvc.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\PLA\System\RCX8A02.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Cursors\csrss.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\PLA\System\0a1fd5f707cd16	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\assembly\audiodg.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\assembly\42af1c969fbb7b	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\assembly\audiodg.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\assembly\RCX8E77.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\twain_32\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\Cursors\csrss.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\twain_32\spoolsv.exe	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File created	C:\Windows\twain_32\f3b6ecef712a24	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
File opened for modification	C:\Windows\Fonts\RCX77C2.tmp	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
676	schtasks.exe
1784	schtasks.exe
3028	schtasks.exe
1096	schtasks.exe
2404	schtasks.exe
1576	schtasks.exe
1844	schtasks.exe
3064	schtasks.exe
1644	schtasks.exe
2464	schtasks.exe
904	schtasks.exe
2940	schtasks.exe
3016	schtasks.exe
2172	schtasks.exe
2484	schtasks.exe
1292	schtasks.exe
2612	schtasks.exe
1356	schtasks.exe
1376	schtasks.exe
2248	schtasks.exe
1776	schtasks.exe
1864	schtasks.exe
1820	schtasks.exe
2184	schtasks.exe
300	schtasks.exe
1860	schtasks.exe
2532	schtasks.exe
1664	schtasks.exe
624	schtasks.exe
2972	schtasks.exe
792	schtasks.exe
2132	schtasks.exe
336	schtasks.exe
2488	schtasks.exe
2108	schtasks.exe
1032	schtasks.exe
1908	schtasks.exe
1796	schtasks.exe
2872	schtasks.exe
1792	schtasks.exe
1720	schtasks.exe
1808	schtasks.exe
2444	schtasks.exe
324	schtasks.exe
532	schtasks.exe
1852	schtasks.exe
1496	schtasks.exe
2068	schtasks.exe
2996	schtasks.exe
1668	schtasks.exe
1148	schtasks.exe
2864	schtasks.exe
1128	schtasks.exe
2860	schtasks.exe
2196	schtasks.exe
1340	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
908	powershell.exe
2384	powershell.exe
1220	powershell.exe
1148	powershell.exe
992	powershell.exe
2528	powershell.exe
2944	powershell.exe
2404	powershell.exe
2028	powershell.exe
2848	powershell.exe
1712	powershell.exe
2376	powershell.exe
864	lsass.exe
1188	lsass.exe
308	lsass.exe
2448	lsass.exe
2376	lsass.exe
1960	lsass.exe
1236	lsass.exe
1856	lsass.exe
2056	lsass.exe
2064	lsass.exe
1984	lsass.exe
2068	lsass.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	864	lsass.exe
Token: SeDebugPrivilege	1188	lsass.exe
Token: SeDebugPrivilege	308	lsass.exe
Token: SeDebugPrivilege	2448	lsass.exe
Token: SeDebugPrivilege	2376	lsass.exe
Token: SeDebugPrivilege	1960	lsass.exe
Token: SeDebugPrivilege	1236	lsass.exe
Token: SeDebugPrivilege	1856	lsass.exe
Token: SeDebugPrivilege	2056	lsass.exe
Token: SeDebugPrivilege	2064	lsass.exe
Token: SeDebugPrivilege	1984	lsass.exe
Token: SeDebugPrivilege	2068	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 908	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	89
PID 2724 wrote to memory of 908	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	89
PID 2724 wrote to memory of 908	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	89
PID 2724 wrote to memory of 2028	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	90
PID 2724 wrote to memory of 2028	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	90
PID 2724 wrote to memory of 2028	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	90
PID 2724 wrote to memory of 2404	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	91
PID 2724 wrote to memory of 2404	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	91
PID 2724 wrote to memory of 2404	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	91
PID 2724 wrote to memory of 2384	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	92
PID 2724 wrote to memory of 2384	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	92
PID 2724 wrote to memory of 2384	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	92
PID 2724 wrote to memory of 2376	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	94
PID 2724 wrote to memory of 2376	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	94
PID 2724 wrote to memory of 2376	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	94
PID 2724 wrote to memory of 2528	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	95
PID 2724 wrote to memory of 2528	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	95
PID 2724 wrote to memory of 2528	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	95
PID 2724 wrote to memory of 1712	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	97
PID 2724 wrote to memory of 1712	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	97
PID 2724 wrote to memory of 1712	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	97
PID 2724 wrote to memory of 1148	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 2724 wrote to memory of 1148	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 2724 wrote to memory of 1148	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	98
PID 2724 wrote to memory of 1220	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	99
PID 2724 wrote to memory of 1220	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	99
PID 2724 wrote to memory of 1220	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	99
PID 2724 wrote to memory of 992	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	100
PID 2724 wrote to memory of 992	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	100
PID 2724 wrote to memory of 992	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	100
PID 2724 wrote to memory of 2944	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	101
PID 2724 wrote to memory of 2944	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	101
PID 2724 wrote to memory of 2944	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	101
PID 2724 wrote to memory of 2848	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	102
PID 2724 wrote to memory of 2848	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	102
PID 2724 wrote to memory of 2848	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	102
PID 2724 wrote to memory of 2424	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	113
PID 2724 wrote to memory of 2424	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	113
PID 2724 wrote to memory of 2424	2724	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe	113
PID 2424 wrote to memory of 2068	2424	cmd.exe	115
PID 2424 wrote to memory of 2068	2424	cmd.exe	115
PID 2424 wrote to memory of 2068	2424	cmd.exe	115
PID 2424 wrote to memory of 864	2424	cmd.exe	116
PID 2424 wrote to memory of 864	2424	cmd.exe	116
PID 2424 wrote to memory of 864	2424	cmd.exe	116
PID 864 wrote to memory of 2312	864	lsass.exe	117
PID 864 wrote to memory of 2312	864	lsass.exe	117
PID 864 wrote to memory of 2312	864	lsass.exe	117
PID 864 wrote to memory of 2492	864	lsass.exe	118
PID 864 wrote to memory of 2492	864	lsass.exe	118
PID 864 wrote to memory of 2492	864	lsass.exe	118
PID 2312 wrote to memory of 1188	2312	WScript.exe	120
PID 2312 wrote to memory of 1188	2312	WScript.exe	120
PID 2312 wrote to memory of 1188	2312	WScript.exe	120
PID 1188 wrote to memory of 336	1188	lsass.exe	121
PID 1188 wrote to memory of 336	1188	lsass.exe	121
PID 1188 wrote to memory of 336	1188	lsass.exe	121
PID 1188 wrote to memory of 2684	1188	lsass.exe	122
PID 1188 wrote to memory of 2684	1188	lsass.exe	122
PID 1188 wrote to memory of 2684	1188	lsass.exe	122
PID 336 wrote to memory of 308	336	WScript.exe	123
PID 336 wrote to memory of 308	336	WScript.exe	123
PID 336 wrote to memory of 308	336	WScript.exe	123
PID 308 wrote to memory of 984	308	lsass.exe	124

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe
"C:\Users\Admin\AppData\Local\Temp\97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I9d2zRl4ZG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2068
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:864
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f06e715-d606-4db1-9dd9-19f1be64c58d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1188
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\151ccd67-5211-4b2b-aec1-e42c3f45ab37.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28ede322-d061-449f-a59d-7cdec5560d62.vbs"
        8⤵
        
        PID:984
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2faad2a6-66a6-40f2-953e-965e6db47d3e.vbs"
        10⤵
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6a29ae2-a408-4c22-990a-0a7f1271aee9.vbs"
        12⤵
        
        PID:2280
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9689b13b-e4a5-4467-99ca-cb50d29f7639.vbs"
        14⤵
        
        PID:2184
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ffd4c7e-af18-4f7d-8217-72cedf8b1835.vbs"
        16⤵
        
        PID:824
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\283989d8-dd24-4b2c-bd86-dbd7f2f10e3c.vbs"
        18⤵
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb97a97-eee6-4860-bb61-a69e4a1ff69d.vbs"
        20⤵
        
        PID:2616
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5be97afa-a380-44b8-be5d-9af80479c931.vbs"
        22⤵
        
        PID:1932
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada71720-221e-425c-b9d4-f089a3868309.vbs"
        24⤵
        
        PID:2184
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e24938-d4bd-4767-9016-8981dcd39bdf.vbs"
        26⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03a7aa81-5d4e-44cd-bc60-8522852fad29.vbs"
        26⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf367f82-edbd-413c-86e9-ed284004911c.vbs"
        24⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64938304-7f31-4656-b6f7-3f8508a67657.vbs"
        22⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3cd06a9-3bf1-4134-9b1c-f07ab1ab3f7f.vbs"
        20⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c18789a3-319a-45af-8227-b28067d654e7.vbs"
        18⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91db7a44-1b16-497f-a555-6ab423639ef3.vbs"
        16⤵
        
        PID:596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0891c73-36f5-455d-9637-948b1764aa61.vbs"
        14⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d007fa94-a4ff-4eda-b2b4-d345ba143192.vbs"
        12⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a7d7daf-f581-437f-874c-4b40f769df55.vbs"
        10⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08e99ac-19d1-4b41-be79-3f225989366a.vbs"
        8⤵
        
        PID:1636
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bed2eca6-118c-4028-a8fe-42e383b63e95.vbs"
        6⤵
        
        PID:2684
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b74fc9-70d7-4d51-b6b5-0c9cfc8f5e7c.vbs"
      4⤵
      PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\System\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PLA\System\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe

Filesize
4.9MB

MD5
e3c1b46e326ac918cf3d035cd2a7a690

SHA1
7f6729ed93be8b4a37e45fd86d4e98a6e07dd39f

SHA256
5f0c2ab461d1af9b0b48f7c7b7db242cdd6536fa91455dff4e7df55a96b2a8d3

SHA512
e28bece085ce553b7bfc3ef9a48e32721c6272fc9d46e25366b1ba6687c9147253469d1d490d8af0770d64797214772c088257938b514e52052feff5976764a0

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe

Filesize
4.9MB

MD5
9bdb1bd67c6d46e30569522d6f03a0de

SHA1
58a7d6a181914180c15bd9eb0a3046d3bbd2913a

SHA256
0b569c3712b07a63381aa0722fd056fe712d04421b2dae22c172db16a84c756d

SHA512
b9f0aabfd2b0785acaef2523eef123ef1290e8376ddabe3668db19f072ed23b3b7239a2e2981edadba686bfa5adc3c601e7ae8bf8e14768d3e1e22f7c06a1130

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCX8C73.tmp

Filesize
4.9MB

MD5
613b017a01edffd262b9c57f66943dbc

SHA1
9d3eea450fec8b91e458d6992515e550650e6add

SHA256
eb3593380a952882a48b970d53153045a9125106f43fc632c736202fdf0d8e75

SHA512
94a4f2b4d2779d6e32df6013d55b17bbb8a0b91ee8e4e8860d957e6ab2e907e2b7182549445c4f5d489c22d59b63a227423c62d96b210f7eb59ca0745321e65f

Download Submit
C:\Program Files\Uninstall Information\sppsvc.exe

Filesize
4.9MB

MD5
b0cae33b9c6d513565cffdde8ce50632

SHA1
4ef0e9fe78968a8bf9162c3da1837f4037dc9cd7

SHA256
97b26b992d5c10de1ed3f9acdcf919956fcd794dbd88c0580f4aa89237b85c64

SHA512
31cef15772189762adcafd268dabeebd8ddde988a8503652fa9d5409d13a6e1ed1a624908e26943c28b9dc5a49477f080eb5d234a9aa68b89f95ee6f01d183e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\151ccd67-5211-4b2b-aec1-e42c3f45ab37.vbs

Filesize
761B

MD5
77dd9794ccc3f6629f9e4ac7100cc5f2

SHA1
8a67c569b26d7bdde83fc1fa5adb90d2ab30f10b

SHA256
f8e99f23b6bde8458727e4149bd97bf5b133d2629f2a377b77b83bbc412cd7ce

SHA512
d22cd95b6f8c4ae259edc01dfe33702b5bb93a7c58330a6a8840c8467bb5e98ebb3212d90ef0c7b37ed83e31d2d86cc523088ea46a65f40b3b60ac9484a56caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ffd4c7e-af18-4f7d-8217-72cedf8b1835.vbs

Filesize
761B

MD5
cbcc4d8d4f7f93befe67d3c0ef6c5b00

SHA1
06dd1f979a9f04205b89cf7accb2bf0f464a5688

SHA256
3032883de903b8d72351678f76138f0a25e0c68c4df275e244313e2dc2f5857e

SHA512
27723f57865923d73caacebdc91c4f49054a2e1de8350add0f2125503cc314ceef9ffd3023627ccd693bd43bb199bc2a6161438089bd77c91845989061ac41e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\283989d8-dd24-4b2c-bd86-dbd7f2f10e3c.vbs

Filesize
761B

MD5
ec933f1dd96b8f264275321a5ab30700

SHA1
c55a42b063fb7a9f6ff75a7600a1d4b021bbbda8

SHA256
4c7981eaff4ab7131153f59370a9de27e9adbe02608fca808f00d41480f6035e

SHA512
366ffb86cbfb7729f69ac8f28746a0179e86e5e9e73626ca24d1e16b0935eee3fbb2d11ea9cf17548d4db45fb66f7662b2d21a8a0fb7e8a24084a526ee801455

Download Submit
C:\Users\Admin\AppData\Local\Temp\28ede322-d061-449f-a59d-7cdec5560d62.vbs

Filesize
760B

MD5
e1fdd4565d87514f39e6d8429eb7c699

SHA1
08adf177f0824a12cc66486b8f5ab413a4c824f4

SHA256
3e15b05d4d26a86ab1cc4bdc69c19215d9d7b918353fe703880270dc2e9185f8

SHA512
c60e416088ffc495d517bab2fe94584bb2517c3972defebc7757629b82a86fa4ecbb8b01be8878bf820bbcfb510c91d8b1e1ad89fbb4d957064da9538d241835

Download Submit
C:\Users\Admin\AppData\Local\Temp\2faad2a6-66a6-40f2-953e-965e6db47d3e.vbs

Filesize
761B

MD5
dd759086fb048f6ac9829a04269f0588

SHA1
645723d29728b9accf8917d979f75f59e244f91d

SHA256
71f35bdaa1e0336777d41b4a41e857723c5f3e181fde30959c6f0a00ba33bb25

SHA512
11f73c9558659d8a84abf9d0fbff327ce32e85f8bf31ab6e470821442f8dca48a03666e7f616a8ec3934cef258ae8511edb6d52fa4379dfb9f204c9ad4f96835

Download Submit
C:\Users\Admin\AppData\Local\Temp\5be97afa-a380-44b8-be5d-9af80479c931.vbs

Filesize
761B

MD5
a58be00f9620f7363b868af7309817d6

SHA1
22144b5cf7a68c1b698b03f28172ef84f6b7d824

SHA256
ae3e9a84bb5dc5913c33d24fbc98a882d304400e1a06a99c9dce87e2aa6b03b4

SHA512
b622beee1c584860294c561fd5810b661ffee582e1e5a789d33d7abb81a36c673866aca3fe9a67a9a7df79e6067abf6b13831cae73c030e2be0a55dc9675acba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9689b13b-e4a5-4467-99ca-cb50d29f7639.vbs

Filesize
761B

MD5
00be25fb6f41857e4b32f5ccc08bd6aa

SHA1
b30bb72a3c7ea54f194ac8626a4c787eebe7c56a

SHA256
5d8cea1279c7fa9ffb32c55b80b52d144e5eb0534303c703d0dc0878f08e1d69

SHA512
6f0e1ab01b979a2500d9ae938330308cc31dcb614f9830dd3db7ae81809ca1e9acd66de64549624bd2ee520bac4a6d0bb214cede3dbdd8f6bf98edb82493f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f06e715-d606-4db1-9dd9-19f1be64c58d.vbs

Filesize
760B

MD5
1a7fd2c0c3a598931c0d6b5209020108

SHA1
5b6baced036c2bda8a9435841e725aa521b89ca8

SHA256
135836c81a3174802481b3794a74149d7b6e46436cdd168f36ede1bbbdd67a7f

SHA512
2efdec012ad14924ca3912542c4641a1270c489b00217cd38990d09ece61f0a986207aa429677b20a122788081bda23875f874a026630c8dbaa9a97e6c8fea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\I9d2zRl4ZG.bat

Filesize
250B

MD5
1448b0acbe14165d096f862aae52fc32

SHA1
960b94c2d1f4bf5eb14a5fb6778990ab0f98bbb0

SHA256
64415c614512d3a5f7951e98ffd3721a58b9f261c8e6110ceecb734176748dc2

SHA512
5091beeb0e5e83c0fcb9d4a4fa983768b281bfbece42f43666d8ab8a975a2e40f0727ef6bb0d5cb7c0b4ade11b7949f3fdf7528b90005c058ff810417269a778

Download Submit
C:\Users\Admin\AppData\Local\Temp\ada71720-221e-425c-b9d4-f089a3868309.vbs

Filesize
761B

MD5
05e47d4a088f3b0df1fe83282f4160d9

SHA1
4174625b1a070df54ab406f266e965ba3630734e

SHA256
b32516ddbb7248cc5d6232628f6f843d54b42ee44f0a4b12b71ffd6e4a7b2315

SHA512
a139daaf56f682efbec62d76ddb0e998479f220dc307f948c94d8070b8da64675d2a418db4b9100221e7178a99e01c4cc6d1c1a4398fc8c6d47b96e38da18e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0b74fc9-70d7-4d51-b6b5-0c9cfc8f5e7c.vbs

Filesize
537B

MD5
0743c2c4c7c29d30d3babd2394c90243

SHA1
f5fa7108638f7034f63faa3f79ade36518e9c5b7

SHA256
b3c5ff1059e7b659b95ae3c30bb86b5cfe9ee97bf1919bf1210fefc4f8f858f8

SHA512
7b31d605c1c62d6e8ec570555a6ee0cc0af063646a4d8d855e047d775970dfde8bb47a33dac333735b00b5772a52c3311e537e08f8f0857ae8114de4d6ace610

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2e24938-d4bd-4767-9016-8981dcd39bdf.vbs

Filesize
761B

MD5
786c50fb8dd0553b85490f562756a67b

SHA1
1c4e58df7744c415fcd4c93c3db9859aa26740db

SHA256
6b1d3642eff50a422d05ad6dc658bed1634fba77aa2c5fe4c4db1294e8ce386e

SHA512
d616299a9a3e24eb2e4bd70c78e931364d8757085856a28fc8143e0b759b21dd29d5ccffbd533d99470cf510f0878574fcdeb3cff41ef9057d4077572e63f2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\edb97a97-eee6-4860-bb61-a69e4a1ff69d.vbs

Filesize
761B

MD5
7fe218c8ff43714c04952b63ccc8db2d

SHA1
f02cb836e5e620ca42b58b7dd1b3e395f874063e

SHA256
8a81802aa9fe1c517d0de170662e0119edfbd00a746abd480b3b5a0a90995022

SHA512
24e1973be251bca5c24f8a65a3747e92104995af64111ad78cfa45a98e55798cea0082c79520899e49f30693d0d13c6f9032ac5398936852ee2b0fddbc6b24b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6a29ae2-a408-4c22-990a-0a7f1271aee9.vbs

Filesize
761B

MD5
06721413dbe721c5a7c725e59cadf42a

SHA1
b6fbdadfb05632be5af2959a7c904fb86422a783

SHA256
770346cc02a54be1a674c158167ff983b0dbf58f64aebf20baabac4394d3cbc5

SHA512
b0894e107204f8b858a676289ca180ace7b953c07c7399bf57fe2903a33c8790486111117c08f4ef1a02ef792a1d1689a65feb30e58b3a44a337cfcbb10b000c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8EA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5772d61dd37940aad0c896d97a60276

SHA1
56fe9e0dd45f92f7b68cb8fe8475319354d68358

SHA256
e91082acd2b67498c91854291fd516fe3f7f0b15f6404f9b31618b27e384e8a1

SHA512
42b1de3a17df47bfcbc38610bd678ffe40738180a6f2a0151eeb223af6e8ee86387dd54b1674b6dd2c900f480bf14ced0cb5d49eaa9216fb14254e304b7f6933

Download Submit
C:\Windows\assembly\RCX8E77.tmp

Filesize
4.9MB

MD5
14c73a9919e17cc06d5c81bd1a2f55e5

SHA1
d79513237ad39d46a4b626a33d0a4662aeba66c9

SHA256
199399d3e520818c1645b252e123b7d5dac2725210a93b2829f5aa5d0ea6f828

SHA512
bf04f15a8bc82e3c6ed5d4ac50106b7cec9e41df07a15094325ed9a7db818d5ff3788759155bdde93fb0df57f812377e48b404ad9e782ed43e48cf54b48aae30

Download Submit
memory/864-255-0x0000000000DA0000-0x0000000001294000-memory.dmp

Filesize
5.0MB

Download
memory/908-194-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/908-200-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1188-269-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/1236-343-0x0000000001170000-0x0000000001664000-memory.dmp

Filesize
5.0MB

Download
memory/1960-328-0x0000000001040000-0x0000000001534000-memory.dmp

Filesize
5.0MB

Download
memory/2376-313-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2448-298-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2724-193-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-131-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-117-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2724-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2724-14-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2724-13-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2724-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2724-12-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/2724-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2724-10-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2724-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2724-8-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2724-7-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2724-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2724-5-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2724-4-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2724-3-0x000000001B400000-0x000000001B52E000-memory.dmp

Filesize
1.2MB

Download
memory/2724-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-1-0x00000000010C0000-0x00000000015B4000-memory.dmp

Filesize
5.0MB

Download