dcrat | 2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Size

4.9MB
MD5

8be8a5d36bb940a1d6b70d3277ca420a
SHA1

50e6780f3711ab913e56e1f159d34ef4e29e9bea
SHA256

2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f
SHA512

f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8X:v

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1028	schtasks.exe
		2648	schtasks.exe
		1516	schtasks.exe
		316	schtasks.exe
		1232	schtasks.exe
		2636	schtasks.exe
		3028	schtasks.exe
		2460	schtasks.exe
		2456	schtasks.exe
		2204	schtasks.exe
		2852	schtasks.exe
		1572	schtasks.exe
		1008	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
		1208	schtasks.exe
		2128	schtasks.exe
		548	schtasks.exe
		2836	schtasks.exe
		2808	schtasks.exe
		2792	schtasks.exe
		1716	schtasks.exe
		1040	schtasks.exe
		2512	schtasks.exe
		2248	schtasks.exe
		1328	schtasks.exe
		1644	schtasks.exe
File created	C:\Program Files\Windows Defender\en-US\69ddcba757bf72		2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f		2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
		2304	schtasks.exe
		2476	schtasks.exe
		1864	schtasks.exe
		756	schtasks.exe
		2164	schtasks.exe
		1864	schtasks.exe
		2236	schtasks.exe
		1432	schtasks.exe
		848	schtasks.exe
		1576	schtasks.exe
		2668	schtasks.exe
		2536	schtasks.exe
		2900	schtasks.exe
		2408	schtasks.exe
		2468	schtasks.exe
		2592	schtasks.exe
		2080	schtasks.exe
		2364	schtasks.exe
		1512	schtasks.exe
		1780	schtasks.exe
		2452	schtasks.exe
		2828	schtasks.exe
		2064	schtasks.exe
		2616	schtasks.exe
		1320	schtasks.exe
		1096	schtasks.exe
		268	schtasks.exe
		448	schtasks.exe
		2584	schtasks.exe
		2628	schtasks.exe
		1228	schtasks.exe
		2160	schtasks.exe
		352	schtasks.exe
		1980	schtasks.exe
		1148	schtasks.exe
File created	C:\Windows\AppCompat\Programs\5940a34987c991		2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2688	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2688	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2924-3-0x000000001B780000-0x000000001B8AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2812	powershell.exe
316	powershell.exe
2812	powershell.exe
984	powershell.exe
1708	powershell.exe
1636	powershell.exe
1832	powershell.exe
1848	powershell.exe
1052	powershell.exe
2796	powershell.exe
2540	powershell.exe
1040	powershell.exe
1652	powershell.exe
2708	powershell.exe
1920	powershell.exe
2624	powershell.exe
1516	powershell.exe
2752	powershell.exe
976	powershell.exe
1944	powershell.exe
608	powershell.exe
1968	powershell.exe
1700	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
860	lsass.exe
692	lsass.exe
380	lsass.exe
2556	lsass.exe
1576	lsass.exe
2704	lsass.exe
2252	lsass.exe
1748	lsass.exe
1708	lsass.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\AIT\lsass.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\System32\LogFiles\AIT\6203df4a6bafc7	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\System32\LogFiles\AIT\lsass.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX2D9F.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Uninstall Information\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\csrss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\0a1fd5f707cd16	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\Windows Defender\en-US\smss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX258F.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Uninstall Information\5940a34987c991	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\Windows Defender\en-US\69ddcba757bf72	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\smss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\csrss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\886983d96e3d3e	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppCompat\Programs\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\Registration\CRMLog\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\it-IT\1610b97d3ab4a7	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\Cursors\WmiPrvSE.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\it-IT\OSPPSVC.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\AppCompat\Programs\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\AppCompat\Programs\5940a34987c991	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX2793.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\Registration\CRMLog\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\it-IT\OSPPSVC.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\Cursors\24dbde2999530e	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\Cursors\WmiPrvSE.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1208	schtasks.exe
2592	schtasks.exe
2616	schtasks.exe
2536	schtasks.exe
2364	schtasks.exe
2836	schtasks.exe
2168	schtasks.exe
1864	schtasks.exe
1980	schtasks.exe
2080	schtasks.exe
1864	schtasks.exe
2064	schtasks.exe
2164	schtasks.exe
1644	schtasks.exe
2584	schtasks.exe
2248	schtasks.exe
448	schtasks.exe
352	schtasks.exe
2636	schtasks.exe
1432	schtasks.exe
1512	schtasks.exe
2900	schtasks.exe
836	schtasks.exe
1028	schtasks.exe
2648	schtasks.exe
2160	schtasks.exe
2236	schtasks.exe
1516	schtasks.exe
1572	schtasks.exe
2828	schtasks.exe
316	schtasks.exe
1716	schtasks.exe
1232	schtasks.exe
2460	schtasks.exe
2468	schtasks.exe
1040	schtasks.exe
2808	schtasks.exe
2792	schtasks.exe
548	schtasks.exe
1096	schtasks.exe
2512	schtasks.exe
2204	schtasks.exe
2128	schtasks.exe
1576	schtasks.exe
1228	schtasks.exe
756	schtasks.exe
1780	schtasks.exe
2452	schtasks.exe
1008	schtasks.exe
3028	schtasks.exe
2476	schtasks.exe
268	schtasks.exe
1148	schtasks.exe
2852	schtasks.exe
848	schtasks.exe
1320	schtasks.exe
1328	schtasks.exe
2408	schtasks.exe
2456	schtasks.exe
3048	schtasks.exe
2628	schtasks.exe
2304	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1516	powershell.exe
2540	powershell.exe
1040	powershell.exe
984	powershell.exe
2812	powershell.exe
1832	powershell.exe
1700	powershell.exe
1708	powershell.exe
2752	powershell.exe
1652	powershell.exe
2796	powershell.exe
1636	powershell.exe
1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1052	powershell.exe
1920	powershell.exe
608	powershell.exe
1848	powershell.exe
316	powershell.exe
2316	powershell.exe
2624	powershell.exe
1968	powershell.exe
1944	powershell.exe
976	powershell.exe
2708	powershell.exe
2812	powershell.exe
860	lsass.exe
692	lsass.exe
380	lsass.exe
2556	lsass.exe
1576	lsass.exe
2704	lsass.exe
2252	lsass.exe
1748	lsass.exe
1708	lsass.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	860	lsass.exe
Token: SeDebugPrivilege	692	lsass.exe
Token: SeDebugPrivilege	380	lsass.exe
Token: SeDebugPrivilege	2556	lsass.exe
Token: SeDebugPrivilege	1576	lsass.exe
Token: SeDebugPrivilege	2704	lsass.exe
Token: SeDebugPrivilege	2252	lsass.exe
Token: SeDebugPrivilege	1748	lsass.exe
Token: SeDebugPrivilege	1708	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2796	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	58
PID 2924 wrote to memory of 2796	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	58
PID 2924 wrote to memory of 2796	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	58
PID 2924 wrote to memory of 1516	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	59
PID 2924 wrote to memory of 1516	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	59
PID 2924 wrote to memory of 1516	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	59
PID 2924 wrote to memory of 2540	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	60
PID 2924 wrote to memory of 2540	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	60
PID 2924 wrote to memory of 2540	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	60
PID 2924 wrote to memory of 984	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	61
PID 2924 wrote to memory of 984	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	61
PID 2924 wrote to memory of 984	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	61
PID 2924 wrote to memory of 1708	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	62
PID 2924 wrote to memory of 1708	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	62
PID 2924 wrote to memory of 1708	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	62
PID 2924 wrote to memory of 2812	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	63
PID 2924 wrote to memory of 2812	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	63
PID 2924 wrote to memory of 2812	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	63
PID 2924 wrote to memory of 1700	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	64
PID 2924 wrote to memory of 1700	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	64
PID 2924 wrote to memory of 1700	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	64
PID 2924 wrote to memory of 2752	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	65
PID 2924 wrote to memory of 2752	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	65
PID 2924 wrote to memory of 2752	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	65
PID 2924 wrote to memory of 1636	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	66
PID 2924 wrote to memory of 1636	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	66
PID 2924 wrote to memory of 1636	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	66
PID 2924 wrote to memory of 1040	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	67
PID 2924 wrote to memory of 1040	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	67
PID 2924 wrote to memory of 1040	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	67
PID 2924 wrote to memory of 1652	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	68
PID 2924 wrote to memory of 1652	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	68
PID 2924 wrote to memory of 1652	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	68
PID 2924 wrote to memory of 1832	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	69
PID 2924 wrote to memory of 1832	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	69
PID 2924 wrote to memory of 1832	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	69
PID 2924 wrote to memory of 584	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	82
PID 2924 wrote to memory of 584	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	82
PID 2924 wrote to memory of 584	2924	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	82
PID 584 wrote to memory of 2024	584	cmd.exe	84
PID 584 wrote to memory of 2024	584	cmd.exe	84
PID 584 wrote to memory of 2024	584	cmd.exe	84
PID 584 wrote to memory of 1644	584	cmd.exe	85
PID 584 wrote to memory of 1644	584	cmd.exe	85
PID 584 wrote to memory of 1644	584	cmd.exe	85
PID 1644 wrote to memory of 976	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	122
PID 1644 wrote to memory of 976	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	122
PID 1644 wrote to memory of 976	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	122
PID 1644 wrote to memory of 1848	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	123
PID 1644 wrote to memory of 1848	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	123
PID 1644 wrote to memory of 1848	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	123
PID 1644 wrote to memory of 1052	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	124
PID 1644 wrote to memory of 1052	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	124
PID 1644 wrote to memory of 1052	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	124
PID 1644 wrote to memory of 2316	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	125
PID 1644 wrote to memory of 2316	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	125
PID 1644 wrote to memory of 2316	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	125
PID 1644 wrote to memory of 2708	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	126
PID 1644 wrote to memory of 2708	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	126
PID 1644 wrote to memory of 2708	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	126
PID 1644 wrote to memory of 1920	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	127
PID 1644 wrote to memory of 1920	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	127
PID 1644 wrote to memory of 1920	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	127
PID 1644 wrote to memory of 1944	1644	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	128

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
"C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4eL9OoGdXM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
    "C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat"
      4⤵
      PID:1764
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2408
    - - C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        "C:\Windows\System32\LogFiles\AIT\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:860
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9e04ef8-07bf-4b1d-98ab-8096435c1e5c.vbs"
        6⤵
        
        PID:1388
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57483774-2e5c-46f3-8555-fbb313007171.vbs"
        8⤵
        
        PID:2364
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2efbeb7-34d5-4a19-81eb-ff71ac1986ea.vbs"
        10⤵
        
        PID:1968
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\209189c6-43c9-47b5-b8dd-0cbcc691cdb2.vbs"
        12⤵
        
        PID:684
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26d4424f-dc1d-429a-a09b-cf3affa1b6a0.vbs"
        14⤵
        
        PID:2352
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e63834-79e5-4a32-b7e8-4edbd483de9f.vbs"
        16⤵
        
        PID:1972
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0755741-5f30-4652-943e-2dff8e772ad3.vbs"
        18⤵
        
        PID:324
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633e2ece-d152-4198-83f8-fcd5a466b90a.vbs"
        20⤵
        
        PID:1656
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        
        C:\Windows\System32\LogFiles\AIT\lsass.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0cb05f7-b112-4f36-80d5-a42ca4b27fa7.vbs"
        22⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae8603b2-f8b6-4bca-b0a6-4b480b03348c.vbs"
        22⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77213c4a-8dd1-4be0-9da3-e3dd729b048b.vbs"
        20⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0d929c-92ed-4333-b85a-a47c3b041eb9.vbs"
        18⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\671ba2ea-c18a-4dc0-9644-37fbb4c93ff2.vbs"
        16⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6449d58a-94ce-461a-b17b-bc18ea4be16d.vbs"
        14⤵
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2837ed99-9358-481d-8095-b07757dc3b8b.vbs"
        12⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9295a1d-a326-4b8f-b34c-67ebc516627e.vbs"
        10⤵
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29462ba0-6a79-449e-a13c-c21db838d63d.vbs"
        8⤵
        
        PID:1028
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74ba0959-365e-49b4-8216-b64fbd1bd68d.vbs"
        6⤵
        
        PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\LogFiles\AIT\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\LogFiles\AIT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04e63834-79e5-4a32-b7e8-4edbd483de9f.vbs

Filesize
718B

MD5
d64d45d4a9d80c3f8c932da675b6b4fd

SHA1
b409f3020c6251430b3bf8eb19766e42458277bd

SHA256
0309ddb3902c736bdff39356da3bade680bed8fa2bb89828ae4e9ecadc0bb202

SHA512
2a0001eb5b105167b32b5787ec3e90f4659162c896a613d1d96b28b88624f4e09f889f3f50e0ccde62ad9265ad6cbfa7cadf9716f2cb7085acf17d9f1af2e6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\209189c6-43c9-47b5-b8dd-0cbcc691cdb2.vbs

Filesize
718B

MD5
7346e330dabbcf87c7088b24c8c890ca

SHA1
a8f4e656937bf2e0b5e4ee74d2fcbaa838c0e83c

SHA256
ef1a6bc624c3a73333d28f50e619448daf82048d4cf5578becf2b8f7730a37a2

SHA512
ca09b915921730edf0a5e17291abcf7bac7ffc0b8daa09ff0d80773b177ed0cb7eb0c009ddbcbc44abfaf5c015f47d3bb5fd78fbfad9f72f3a404ae277cad26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\26d4424f-dc1d-429a-a09b-cf3affa1b6a0.vbs

Filesize
718B

MD5
2b7b95ab5681d1535e40f7e76e889173

SHA1
01bf9f67c31e25d8d662631a7e266f7da69e78b7

SHA256
4b94df19cb35ddf04a37a1f4cf4182071869f1522610ea48fa6ecba730dfb716

SHA512
81f7f97dd8b7d8f2ab8ef05d1595c871ab6fd9f80211a67ab748926e422015aec560336c883876259d6fe9a39ca5e85b7723ceb653654697cc56c899bed4611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jWrKESR9g.bat

Filesize
207B

MD5
ff43bd9018adb138fe50b07263d3ea05

SHA1
79b9b9d70951b4957ce877415f384716af2c3fda

SHA256
49c236c915abf22391249f398232de725eb43af48dd6f6f87a067c8ac0d78c61

SHA512
1b42d84d73f55937ee973f32fb657490b8dd0bcff4f78103d490efe41c8417193e930afdcb21ef1fee7793f5f8b15c8d58914d6c7db977c8970127628183b57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eL9OoGdXM.bat

Filesize
267B

MD5
6e40b3661d8e8051468b7db414110304

SHA1
43959459071f84ec909d9112875ef6439b49ef98

SHA256
a269e1682fa20afeea4a23974f3fbf2b4d9606dbb1bf72b779b5ec70ac228d96

SHA512
46221d3a75d185f7618c10a2ea91173a0b1b48d5ada73fff9aa4e1dd2f5b3c34fedb05418c817ea1ded3488f63050dca74cc0c9ae21408e4a413f7fc519d5f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\57483774-2e5c-46f3-8555-fbb313007171.vbs

Filesize
717B

MD5
8748ee8ee021240a5a55ba82b6fbcd44

SHA1
e1fa350c6b0509dfebb75fda43fb94abff3a7378

SHA256
6b477225ef3df9a524db05cf716c0850d0a62088d850d645ebf095cc0989df74

SHA512
9baf77e02f482e5f824ff81ae9ce88dde93faa15592ad456930a6020de78450cad56931c688a6f8bdb969564d4e37a8c162565a5092217372be70bbc4b7ea357

Download Submit
C:\Users\Admin\AppData\Local\Temp\633e2ece-d152-4198-83f8-fcd5a466b90a.vbs

Filesize
718B

MD5
1df00589a51a42be05b655c358261606

SHA1
6218dc21563c97bc71ca7a79b15cfed06ae76390

SHA256
22eac39e86980b6611efdd3e01da907243303bfd686a53cf018fd8819bcae709

SHA512
97fad817587dc84b09b2f516c57a9b0677ff927bdd039099b9acc8c802a7c4fcb6497acaf5ba6db0ecbccad37cb7aa54b865f732effafa4886d9b5392b4eaee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\74ba0959-365e-49b4-8216-b64fbd1bd68d.vbs

Filesize
494B

MD5
8798bd614c9f15dab427e887947913fa

SHA1
5ee947f5852b138d85359f512bb43fcb037f2938

SHA256
f12a42fff1c078647b3d6b7d45e6b2ece739b853f97aa3de48cba28756523c5c

SHA512
0c1f86f5a1fa4e28c311e724ca879c2c1095bda7e6d841405d8496f77d115f9d337aba50f6ba7dc451185db92eec663418af25523f6ce8087efe62c17f8a8b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9e04ef8-07bf-4b1d-98ab-8096435c1e5c.vbs

Filesize
717B

MD5
b1050f12c0c9965f11db6f6262dde192

SHA1
364b718722cb9a4bcb6ade6be6adb425d28f9a11

SHA256
7459ef0b581c32e9fa4e79387dbfdb86f695c6edecd925cf8205f0cc221f8c92

SHA512
4bdbac776f7b36f65e69666cb277bf4a702c39b4ce9ca319aae350319a56f2b163049ac40d8ec9be56285d4c97b7065e04a9a1c3ae5590dd7be8ad451ca99b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0755741-5f30-4652-943e-2dff8e772ad3.vbs

Filesize
718B

MD5
713a7faf6cf34a7e8bd78f9702984797

SHA1
5babf8fbc64e000b5f422700e5f1fd78ff68faa5

SHA256
095f349f4b809068b04c59c320bf815db69649e2ca7d8d8c3a82d7a5fd92edab

SHA512
cd3099338dae51464546a2c4fee45f0884803a5f027655d89ca06b2c6675827aaa70e0b942c919f51de8b07beac96385a93d4438cd1b92d3661fd6f2f075eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0cb05f7-b112-4f36-80d5-a42ca4b27fa7.vbs

Filesize
718B

MD5
533f46b98aa62a429317da5f804b3c10

SHA1
e317bee43aed4f7fc03d97de3850f73ca888bed4

SHA256
8441bc052a67828cb13b28adad23ad5a070c4b0362648ec7b03e3139f79996ab

SHA512
46c8a9dd0ac1a5a8bb76af097733f2cc4fd9eb52e35f777b0994e3bc056cced4a30dabf68749f48dc2c8e4d1215f6ce3a23769023f0fed5fb0d7c0b88bd1089d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2efbeb7-34d5-4a19-81eb-ff71ac1986ea.vbs

Filesize
717B

MD5
481ca8f78d59aefd90a4672f58e35a22

SHA1
62e914041e39def70806f777e7d6b9178901a6b3

SHA256
922b286e0d061bd6856aa1742b3047bbbdc5757444e5b285070bf2e2f7bfc005

SHA512
44a17cd1d2a893034d5dd3c5e2ba6a0dede51ec68162ff36556f9f12b6f67ce47858004d3cf6dddf2132dc9f54d46562cbb9fdba6a2e66365e3eca2966048794

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5532.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce1c94e75e28e219c52a65ad649fb740

SHA1
b49b0f2da68ba4f0120926a0e4a4bc95818ade71

SHA256
e727ffddb940d2610f65f0d107860e503bf075d60650f259ab37f2ac4a51e72e

SHA512
ffbe4fe970dfd465205bd17df8dfb44080e4d7540d7b913ddae2b347acc0990ea6e3a46f23303a9f91ec22f4c0448a5fecc8c4c76c9ac2403947fda9b0ab9ec3

Download Submit
C:\Users\Default\Saved Games\RCX2997.tmp

Filesize
4.9MB

MD5
42a4d5d38d6eb86b27fc8456d831f772

SHA1
f9bf844d327a2e047d3135f4fd1b34aa1bef4129

SHA256
ab71d2f64ca168c86fb4a9a828dea33272eb618c955192ab7ceb7f6f3e815dfe

SHA512
21ad0c6f11f0f3e6c0d53013f7643115f93052e4e409e703f242f4910da28c0f233780999e9cd7de776c4a4c13609d2c7f2d26bc44ceca2b717a2d41429281e0

Download Submit
C:\Windows\AppCompat\Programs\dllhost.exe

Filesize
4.9MB

MD5
8be8a5d36bb940a1d6b70d3277ca420a

SHA1
50e6780f3711ab913e56e1f159d34ef4e29e9bea

SHA256
2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

SHA512
f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5

Download Submit
memory/380-317-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/860-289-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/1052-238-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1052-239-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1516-117-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1644-167-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1748-391-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/2252-376-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/2540-116-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2556-332-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/2704-361-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2924-8-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2924-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2924-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/2924-11-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2924-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2924-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2924-127-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-7-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2924-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2924-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2924-5-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2924-16-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2924-4-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2924-15-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2924-3-0x000000001B780000-0x000000001B8AE000-memory.dmp

Filesize
1.2MB

Download
memory/2924-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2924-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-1-0x0000000001160000-0x0000000001654000-memory.dmp

Filesize
5.0MB

Download