dcrat | 756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1

Analysis

max time kernel
110s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Size

4.9MB
MD5

1bb1f6509357d3d40ecab459efc44290
SHA1

61f543cf1d45c98cc1e9042136537596ff94ed81
SHA256

756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1
SHA512

0cddafaf5705ab544213bec159df6a70aa9e9bc6cef020f2cbb9a24bb40d21ea6220ecbfa49540ae114be0ef3845324c8687927dee594b818b150980fd0c9be7
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2768	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/348-2-0x000000001B0B0000-0x000000001B1DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
2488	powershell.exe
3004	powershell.exe
2660	powershell.exe
2628	powershell.exe
2632	powershell.exe
2700	powershell.exe
3020	powershell.exe
2580	powershell.exe
2848	powershell.exe
1052	powershell.exe
2648	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2552	lsass.exe
2404	lsass.exe
1692	lsass.exe
2444	lsass.exe
2876	lsass.exe
2180	lsass.exe
2656	lsass.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXBEA0.tmp	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\lsass.exe	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
File created	C:\Program Files (x86)\Reference Assemblies\lsass.exe	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
File created	C:\Program Files (x86)\Reference Assemblies\6203df4a6bafc7	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1368	schtasks.exe
2732	schtasks.exe
2784	schtasks.exe
2692	schtasks.exe
2592	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
2632	powershell.exe
3008	powershell.exe
2848	powershell.exe
2648	powershell.exe
2700	powershell.exe
2628	powershell.exe
2488	powershell.exe
2580	powershell.exe
2660	powershell.exe
1052	powershell.exe
3020	powershell.exe
3004	powershell.exe
2552	lsass.exe
2404	lsass.exe
1692	lsass.exe
2444	lsass.exe
2876	lsass.exe
2180	lsass.exe
2656	lsass.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2552	lsass.exe
Token: SeDebugPrivilege	2404	lsass.exe
Token: SeDebugPrivilege	1692	lsass.exe
Token: SeDebugPrivilege	2444	lsass.exe
Token: SeDebugPrivilege	2876	lsass.exe
Token: SeDebugPrivilege	2180	lsass.exe
Token: SeDebugPrivilege	2656	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 2632	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	37
PID 348 wrote to memory of 2632	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	37
PID 348 wrote to memory of 2632	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	37
PID 348 wrote to memory of 2700	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	38
PID 348 wrote to memory of 2700	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	38
PID 348 wrote to memory of 2700	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	38
PID 348 wrote to memory of 2848	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	39
PID 348 wrote to memory of 2848	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	39
PID 348 wrote to memory of 2848	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	39
PID 348 wrote to memory of 2580	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	42
PID 348 wrote to memory of 2580	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	42
PID 348 wrote to memory of 2580	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	42
PID 348 wrote to memory of 2628	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	43
PID 348 wrote to memory of 2628	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	43
PID 348 wrote to memory of 2628	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	43
PID 348 wrote to memory of 2648	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	44
PID 348 wrote to memory of 2648	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	44
PID 348 wrote to memory of 2648	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	44
PID 348 wrote to memory of 2660	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	45
PID 348 wrote to memory of 2660	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	45
PID 348 wrote to memory of 2660	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	45
PID 348 wrote to memory of 3004	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	46
PID 348 wrote to memory of 3004	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	46
PID 348 wrote to memory of 3004	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	46
PID 348 wrote to memory of 2488	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	47
PID 348 wrote to memory of 2488	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	47
PID 348 wrote to memory of 2488	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	47
PID 348 wrote to memory of 3008	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	48
PID 348 wrote to memory of 3008	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	48
PID 348 wrote to memory of 3008	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	48
PID 348 wrote to memory of 1052	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	49
PID 348 wrote to memory of 1052	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	49
PID 348 wrote to memory of 1052	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	49
PID 348 wrote to memory of 3020	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	50
PID 348 wrote to memory of 3020	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	50
PID 348 wrote to memory of 3020	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	50
PID 348 wrote to memory of 1892	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	61
PID 348 wrote to memory of 1892	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	61
PID 348 wrote to memory of 1892	348	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe	61
PID 1892 wrote to memory of 1604	1892	cmd.exe	63
PID 1892 wrote to memory of 1604	1892	cmd.exe	63
PID 1892 wrote to memory of 1604	1892	cmd.exe	63
PID 1892 wrote to memory of 2552	1892	cmd.exe	65
PID 1892 wrote to memory of 2552	1892	cmd.exe	65
PID 1892 wrote to memory of 2552	1892	cmd.exe	65
PID 2552 wrote to memory of 2732	2552	lsass.exe	66
PID 2552 wrote to memory of 2732	2552	lsass.exe	66
PID 2552 wrote to memory of 2732	2552	lsass.exe	66
PID 2552 wrote to memory of 2620	2552	lsass.exe	67
PID 2552 wrote to memory of 2620	2552	lsass.exe	67
PID 2552 wrote to memory of 2620	2552	lsass.exe	67
PID 2732 wrote to memory of 2404	2732	WScript.exe	68
PID 2732 wrote to memory of 2404	2732	WScript.exe	68
PID 2732 wrote to memory of 2404	2732	WScript.exe	68
PID 2404 wrote to memory of 1184	2404	lsass.exe	69
PID 2404 wrote to memory of 1184	2404	lsass.exe	69
PID 2404 wrote to memory of 1184	2404	lsass.exe	69
PID 2404 wrote to memory of 1540	2404	lsass.exe	70
PID 2404 wrote to memory of 1540	2404	lsass.exe	70
PID 2404 wrote to memory of 1540	2404	lsass.exe	70
PID 1184 wrote to memory of 1692	1184	WScript.exe	71
PID 1184 wrote to memory of 1692	1184	WScript.exe	71
PID 1184 wrote to memory of 1692	1184	WScript.exe	71
PID 1692 wrote to memory of 1180	1692	lsass.exe	72

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe
"C:\Users\Admin\AppData\Local\Temp\756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1604
- - C:\Program Files (x86)\Reference Assemblies\lsass.exe
    "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac601c3f-5335-4279-af4f-8013ec148fe2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2404
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b856995-7247-4369-8f5b-f562cb4c6e9b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e357150-b147-4ffb-8a68-a2a04a833f45.vbs"
        8⤵
        
        PID:1180
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c69593-446f-425d-ae55-0936902aa7ea.vbs"
        10⤵
        
        PID:2908
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acc13e8-2dba-408e-941b-e518bd5123ab.vbs"
        12⤵
        
        PID:2064
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb1626c-7ce7-4656-af8c-6f6ab7a18f5b.vbs"
        14⤵
        
        PID:1396
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d07eebf6-918c-4167-8a62-5a79ff401693.vbs"
        16⤵
        
        PID:880
        
        C:\Program Files (x86)\Reference Assemblies\lsass.exe
        
        "C:\Program Files (x86)\Reference Assemblies\lsass.exe"
        17⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6702e724-8fcc-4ab9-80f2-3d2558cbf4cc.vbs"
        18⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35fa6d75-7d91-4093-a9e5-9d71ae7c435a.vbs"
        18⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9afcdea-08bd-4a23-9390-16b2393d1c29.vbs"
        16⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1bf36b-7475-45eb-99c2-a626c1eaadc1.vbs"
        14⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\899f5e65-85a7-4e06-aabd-89361a0f06d4.vbs"
        12⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30138b4e-3bad-4282-89b9-e7fba974e9a1.vbs"
        10⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e26765-4d55-47ee-a56a-277a906debcd.vbs"
        8⤵
        
        PID:1124
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f0bf72d-0613-4d3a-9565-c6cc08e83b33.vbs"
        6⤵
        
        PID:1540
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a96e05b-4fa8-4120-98b0-2473cc0875a0.vbs"
      4⤵
      PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\lsass.exe

Filesize
4.9MB

MD5
646439a30d0fc3db78cd7c1c898875e0

SHA1
ab05d794c49b890f5484f60024be5366464786e4

SHA256
97da4203119544dcff6e6254b25a59a6320c9fb641880c1e22a137024aa2d574

SHA512
eb32b069cbdf97de2185d552aa381c9dd15f55c00ca57274072823da6aa85d375e6a0d829a4c2597f5049de90ae5f8fb77fe0d458b545423b5c5daa9623e47e9

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe

Filesize
4.9MB

MD5
1bb1f6509357d3d40ecab459efc44290

SHA1
61f543cf1d45c98cc1e9042136537596ff94ed81

SHA256
756cbd9f6a66ab84ffb1c78f2d054b61c91797d3e85919aac35d8fbf3ef560b1

SHA512
0cddafaf5705ab544213bec159df6a70aa9e9bc6cef020f2cbb9a24bb40d21ea6220ecbfa49540ae114be0ef3845324c8687927dee594b818b150980fd0c9be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10770bd47368861c1bd3fed1700d203ad75762c4.exe

Filesize
4.5MB

MD5
7b5e1f64391dd08c342a06e9c271acd9

SHA1
3d4ab3377f06c209dbe7a370e9ccaa7ed1ed5abc

SHA256
a14251a1daa3bc5171d7d3a157cad5d4be44dac7aed9a7764cf20da85887b202

SHA512
d24fdd2b8ad6281f77d5d73142a8ce5e0480af1c057973daf422116c237c864592c544898e68978ec95d51932ca9cff9cbddceab6882a4b14a53eb0f1aa845a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e357150-b147-4ffb-8a68-a2a04a833f45.vbs

Filesize
729B

MD5
2c08886e1b4ab8d67b5bb2f28f4f5217

SHA1
5a64a55a4ac1caa02821af556aea87d3303653ff

SHA256
100c2f3fc53e274cffbdc4e60bccca8b864c3bfd51bafdf157a3a2c264653637

SHA512
8d7bb60fe61af2b5d327907badf71758523d39a0ddd056d3c7f62d9d1d425551bb09cf9a6cbaae9ea5c8670cee4f4ea459275db9c4ddf01e646f17e6f10e60f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a96e05b-4fa8-4120-98b0-2473cc0875a0.vbs

Filesize
505B

MD5
df8d328bb8bf327ce034b7476a7764a8

SHA1
b528578f59d7e4cb0e8e45b3ce921c34ddfe66e0

SHA256
0beac2cba3a2b058143e9c4343d4fd08559b44f5855e772d4951eb8b307413e7

SHA512
7a17e5e828c8acb654e4d0e835a44904dd6a50e2f78734e55a313d9e3e9b121338ba9cf2a6e072cfb17ba9c9861031e8d88f811529b346b8207e6c073cb2870e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b856995-7247-4369-8f5b-f562cb4c6e9b.vbs

Filesize
729B

MD5
93f1dac71e4a92f541853e369b9f2f90

SHA1
bcbb67fd1d0641311eb6b6771df4d48d8a0b2627

SHA256
a73a3f50d7a0514346156acabaa0c1e7aefdc26635add618394afec14d40e3a7

SHA512
b615a18e28104bead673af175fa0b16b0a6d6e5dc23ed8fb73d9d0a92ba1807a9747f821d33c00e20402d8ff7de467ea8c390c432b98b881acb61b76597e2255

Download Submit
C:\Users\Admin\AppData\Local\Temp\6702e724-8fcc-4ab9-80f2-3d2558cbf4cc.vbs

Filesize
729B

MD5
279c829acc70aae4071ca1581f34e13d

SHA1
b369d3015eb99b46324afc4de69cd5c2f56d66bf

SHA256
e34fbb78dc5767bfb7ebe4984d6d39975cd23f87300b19fa29a42c6bdab3aa93

SHA512
9aa95d7a024bb0bc342e1122d115bb5e020d07e8ecdb611c25ea299ac4aa976d0dfdbcac19ed2ceea05fe44cce8e6f976fea295dedce747949b59d5123dc505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acc13e8-2dba-408e-941b-e518bd5123ab.vbs

Filesize
729B

MD5
763147f6d3739899d44d69ad75c9dcbc

SHA1
5b138caa740a4bc77a51901ea36a822c6b367d66

SHA256
eaa12b7ea0a266ef93a9d612c9e47e42be95b67b76f2c8780d2c44d6d51799d2

SHA512
dd8216c9780dfd197a01ce336c598f4af93cb9dd91b84e4384dcddf955aad777dbacf57172100e78f427592fe0836d76e615d4d93a770b44bc5f0a68bbea3d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eb1626c-7ce7-4656-af8c-6f6ab7a18f5b.vbs

Filesize
729B

MD5
ab8e2f09b391b4036ed06c9a4b42f9ac

SHA1
0ccc560a4cb712bfed12251622ef0b15c0950913

SHA256
8351ac7ccd5ae6892721315e181e067f403db5f4ef0b191c300823cc195c831a

SHA512
786317e890e756f70324407f94eac07e9bc1a7c5afc8fd85831862df9214cb5da8da1849807c3847bc213b5015bcb86085df31d6f4f4b129bc5935ccf7b71281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac601c3f-5335-4279-af4f-8013ec148fe2.vbs

Filesize
729B

MD5
a4b0f6494821650778ae5a11e74725f9

SHA1
42f9d590dcd953715e49ae086f403a925f6ba0c8

SHA256
52cb8ae15eefe5921ad978bacda21b96a5abab468f8c2056714d408a8c6750c4

SHA512
c875c62b83e2e1ffac82ef84e6609f844fd7d6e90ec8aef809d61461723050ef5e831af2935be2973086edb4b71b2112203dabc5e0c78618241f80044108ab1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d07eebf6-918c-4167-8a62-5a79ff401693.vbs

Filesize
729B

MD5
b9cdf64d619f6f965e55829633e03a98

SHA1
9d567e88a97f17db7cc7888ba34c8dee846978dd

SHA256
53bc3f6737a34ef117e928eac97c6db928e9ba152cd9c2c12331a46740a4bc66

SHA512
45fc8a4eea75909a38bbd6f43a30efb0b37ccb2477a57ac18d13936903a7ae7ed9d58a3840047a8b80610170571f2701f8d944efb809c47b4a94b77a67cb3100

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1c69593-446f-425d-ae55-0936902aa7ea.vbs

Filesize
729B

MD5
f8379565dd897361c81ff4f38bd3f37e

SHA1
a3c5178be74a143b6d97a685c80d23f4843a8c13

SHA256
01682a1557e6eccf81224b115356e11a43e644280afabe7dc5abc2d8e0cdf463

SHA512
d008d7a5a975b6a50398acacc6434f6c6a0b77a99092c97f8613f60936b6299c201cdcfd27254f3594e4d4f506542f1ced68648e8ee415746a2291a5259979cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\daHDUzbFiW.bat

Filesize
218B

MD5
3fa52b3d8771964e80b3d52f618b4dee

SHA1
2e5b0a359ddc2a7f04f7f95ca008bb8c18d44093

SHA256
284b3951f65d38099a73535867d391eadb6be38283d952f72530b475a9648867

SHA512
6d0e5714249d378b67b223088414f7043afa7c600e05e085dcb145554ba9d7875ca07a09b2c6df695a32bb91b6f66bbe4ced6f8e2920b3c10ce2c3d21880655d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp146B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
91abb48872bc7f759affd8f9368516d5

SHA1
525b7406b04ff08a8dcaf3161dbb9003444cfcc9

SHA256
547a6afd2dfa63ac3968ec1c91b34eabd3dbc0f614866821739527ffe431e051

SHA512
7c4c398cc5d4b1adf6d46237ea927a69613828174d02af61d142a6b677d566d79dfa82be1c6d6c1da2235b190d305e56d2baa06c043a44d1616ce87a21987315

Download Submit
memory/348-10-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/348-3-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/348-16-0x000000001AB90000-0x000000001AB9C000-memory.dmp

Filesize
48KB

Download
memory/348-1-0x0000000000A90000-0x0000000000F84000-memory.dmp

Filesize
5.0MB

Download
memory/348-14-0x000000001AB70000-0x000000001AB78000-memory.dmp

Filesize
32KB

Download
memory/348-2-0x000000001B0B0000-0x000000001B1DE000-memory.dmp

Filesize
1.2MB

Download
memory/348-13-0x000000001AB60000-0x000000001AB6E000-memory.dmp

Filesize
56KB

Download
memory/348-98-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/348-12-0x000000001AB50000-0x000000001AB5E000-memory.dmp

Filesize
56KB

Download
memory/348-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/348-4-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/348-11-0x000000001AB40000-0x000000001AB4A000-memory.dmp

Filesize
40KB

Download
memory/348-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/348-15-0x000000001AB80000-0x000000001AB88000-memory.dmp

Filesize
32KB

Download
memory/348-9-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/348-8-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/348-5-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/348-7-0x000000001AB20000-0x000000001AB36000-memory.dmp

Filesize
88KB

Download
memory/1692-138-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1692-137-0x0000000000CA0000-0x0000000001194000-memory.dmp

Filesize
5.0MB

Download
memory/2404-122-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2444-153-0x0000000001230000-0x0000000001724000-memory.dmp

Filesize
5.0MB

Download
memory/2552-108-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2552-107-0x0000000000A30000-0x0000000000F24000-memory.dmp

Filesize
5.0MB

Download
memory/2632-52-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2632-46-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download