dcrat | c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Size

4.9MB
MD5

8e81319277a614e4bdedc32b6b547cf1
SHA1

0804063c7b3af88bec63b02986c1437e576deede
SHA256

c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179
SHA512

a0326ac3aecbf5c5b1b237175c3e09f393cf394eea9824faa66680a154c7c8ad574f4ec63307e7f89d90ed1172841c282220fdd049e79991718521819822f2ff
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2680	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2680	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2616-3-0x000000001B920000-0x000000001BA4E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
1988	powershell.exe
596	powershell.exe
2684	powershell.exe
2676	powershell.exe
2460	powershell.exe
1956	powershell.exe
2624	powershell.exe
3064	powershell.exe
2832	powershell.exe
2444	powershell.exe
2464	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2980	wininit.exe
1668	wininit.exe
1656	wininit.exe
2484	wininit.exe
2568	wininit.exe
1560	wininit.exe
2216	wininit.exe
968	wininit.exe
540	wininit.exe
692	wininit.exe
2416	wininit.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\spoolsv.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\csrss.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Windows Defender\spoolsv.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXF471.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCXFD89.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX67.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXEFDC.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\spoolsv.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\6cb0b6c459d5d3	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Windows Defender\f3b6ecef712a24	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files\Mozilla Firefox\defaults\f3b6ecef712a24	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\csrss.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\69ddcba757bf72	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\886983d96e3d3e	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCX913.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files\Mozilla Firefox\defaults\spoolsv.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\27d1bcfc3c54e0	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX47F.tmp	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File opened for modification	C:\Windows\AppCompat\Programs\System.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
File created	C:\Windows\AppCompat\Programs\System.exe	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3040	schtasks.exe
1656	schtasks.exe
1712	schtasks.exe
1728	schtasks.exe
2632	schtasks.exe
1784	schtasks.exe
2336	schtasks.exe
2212	schtasks.exe
2880	schtasks.exe
2144	schtasks.exe
2796	schtasks.exe
1136	schtasks.exe
2620	schtasks.exe
1356	schtasks.exe
1360	schtasks.exe
2664	schtasks.exe
2768	schtasks.exe
2544	schtasks.exe
1672	schtasks.exe
1268	schtasks.exe
1912	schtasks.exe
868	schtasks.exe
2760	schtasks.exe
1940	schtasks.exe
1628	schtasks.exe
2688	schtasks.exe
1244	schtasks.exe
1744	schtasks.exe
2972	schtasks.exe
2136	schtasks.exe
2596	schtasks.exe
1800	schtasks.exe
1640	schtasks.exe
1692	schtasks.exe
2192	schtasks.exe
2152	schtasks.exe
2928	schtasks.exe
2704	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
2844	powershell.exe
2444	powershell.exe
596	powershell.exe
1956	powershell.exe
1988	powershell.exe
2684	powershell.exe
2676	powershell.exe
2464	powershell.exe
2624	powershell.exe
3064	powershell.exe
2832	powershell.exe
2460	powershell.exe
2980	wininit.exe
1668	wininit.exe
1656	wininit.exe
2484	wininit.exe
2568	wininit.exe
1560	wininit.exe
2216	wininit.exe
968	wininit.exe
540	wininit.exe
692	wininit.exe
2416	wininit.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2980	wininit.exe
Token: SeDebugPrivilege	1668	wininit.exe
Token: SeDebugPrivilege	1656	wininit.exe
Token: SeDebugPrivilege	2484	wininit.exe
Token: SeDebugPrivilege	2568	wininit.exe
Token: SeDebugPrivilege	1560	wininit.exe
Token: SeDebugPrivilege	2216	wininit.exe
Token: SeDebugPrivilege	968	wininit.exe
Token: SeDebugPrivilege	540	wininit.exe
Token: SeDebugPrivilege	692	wininit.exe
Token: SeDebugPrivilege	2416	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2444	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	71
PID 2616 wrote to memory of 2444	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	71
PID 2616 wrote to memory of 2444	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	71
PID 2616 wrote to memory of 2464	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	72
PID 2616 wrote to memory of 2464	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	72
PID 2616 wrote to memory of 2464	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	72
PID 2616 wrote to memory of 2460	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	73
PID 2616 wrote to memory of 2460	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	73
PID 2616 wrote to memory of 2460	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	73
PID 2616 wrote to memory of 1956	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	74
PID 2616 wrote to memory of 1956	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	74
PID 2616 wrote to memory of 1956	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	74
PID 2616 wrote to memory of 2844	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	75
PID 2616 wrote to memory of 2844	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	75
PID 2616 wrote to memory of 2844	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	75
PID 2616 wrote to memory of 1988	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	76
PID 2616 wrote to memory of 1988	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	76
PID 2616 wrote to memory of 1988	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	76
PID 2616 wrote to memory of 2624	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	77
PID 2616 wrote to memory of 2624	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	77
PID 2616 wrote to memory of 2624	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	77
PID 2616 wrote to memory of 3064	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	78
PID 2616 wrote to memory of 3064	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	78
PID 2616 wrote to memory of 3064	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	78
PID 2616 wrote to memory of 2676	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	79
PID 2616 wrote to memory of 2676	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	79
PID 2616 wrote to memory of 2676	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	79
PID 2616 wrote to memory of 2684	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	81
PID 2616 wrote to memory of 2684	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	81
PID 2616 wrote to memory of 2684	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	81
PID 2616 wrote to memory of 2832	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	83
PID 2616 wrote to memory of 2832	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	83
PID 2616 wrote to memory of 2832	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	83
PID 2616 wrote to memory of 596	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	85
PID 2616 wrote to memory of 596	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	85
PID 2616 wrote to memory of 596	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	85
PID 2616 wrote to memory of 2648	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	95
PID 2616 wrote to memory of 2648	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	95
PID 2616 wrote to memory of 2648	2616	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe	95
PID 2648 wrote to memory of 2200	2648	cmd.exe	97
PID 2648 wrote to memory of 2200	2648	cmd.exe	97
PID 2648 wrote to memory of 2200	2648	cmd.exe	97
PID 2648 wrote to memory of 2980	2648	cmd.exe	98
PID 2648 wrote to memory of 2980	2648	cmd.exe	98
PID 2648 wrote to memory of 2980	2648	cmd.exe	98
PID 2980 wrote to memory of 2256	2980	wininit.exe	99
PID 2980 wrote to memory of 2256	2980	wininit.exe	99
PID 2980 wrote to memory of 2256	2980	wininit.exe	99
PID 2980 wrote to memory of 1960	2980	wininit.exe	100
PID 2980 wrote to memory of 1960	2980	wininit.exe	100
PID 2980 wrote to memory of 1960	2980	wininit.exe	100
PID 2256 wrote to memory of 1668	2256	WScript.exe	101
PID 2256 wrote to memory of 1668	2256	WScript.exe	101
PID 2256 wrote to memory of 1668	2256	WScript.exe	101
PID 1668 wrote to memory of 1928	1668	wininit.exe	102
PID 1668 wrote to memory of 1928	1668	wininit.exe	102
PID 1668 wrote to memory of 1928	1668	wininit.exe	102
PID 1668 wrote to memory of 956	1668	wininit.exe	103
PID 1668 wrote to memory of 956	1668	wininit.exe	103
PID 1668 wrote to memory of 956	1668	wininit.exe	103
PID 1928 wrote to memory of 1656	1928	WScript.exe	104
PID 1928 wrote to memory of 1656	1928	WScript.exe	104
PID 1928 wrote to memory of 1656	1928	WScript.exe	104
PID 1656 wrote to memory of 2816	1656	wininit.exe	105

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe
"C:\Users\Admin\AppData\Local\Temp\c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ydDvMf1lEo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2200
- - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
    "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2980
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91476f54-6a5c-47df-8508-ca19a0f989b0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1668
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90d2900a-70e2-4c43-aa85-b8ed754a44fb.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e60be4c-695c-4b56-bed3-442495b1fc34.vbs"
        8⤵
        
        PID:2816
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c10dcc4-48d6-42c2-b18b-e81229c73d01.vbs"
        10⤵
        
        PID:1864
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c39e44dc-fb7c-4cbe-aa72-180f9cae673b.vbs"
        12⤵
        
        PID:2008
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75fa6afd-998e-49ed-90a9-d630b8d4d93a.vbs"
        14⤵
        
        PID:868
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaeba010-c4a6-4402-8a38-247084624c49.vbs"
        16⤵
        
        PID:2780
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc767796-4a94-42b8-bc2e-4f28789d9a8f.vbs"
        18⤵
        
        PID:2316
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4da4835-0477-41de-bc23-33536a7d0f3c.vbs"
        20⤵
        
        PID:1048
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fc7e4ec-f508-43ee-9fdb-47d79e8b9c37.vbs"
        22⤵
        
        PID:1672
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\397a67a6-fab7-442c-9b72-aa9d15230647.vbs"
        24⤵
        
        PID:1640
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe
        25⤵
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3872afa0-3051-476a-89a2-8046175731ef.vbs"
        24⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43fa44a6-8fb8-4e7b-a33c-24eed958a2d9.vbs"
        22⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0704bd9-1a0b-4da6-ae41-339dc1216839.vbs"
        20⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2b9d85b-0198-42b8-a62f-431886982d82.vbs"
        18⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\521bef93-9822-494f-8108-e9454fc7a7fe.vbs"
        16⤵
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367cce24-04ef-4152-a860-f597f936d0b6.vbs"
        14⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09598c58-7097-4573-a54a-0739e02d3cf6.vbs"
        12⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e26e426e-6a50-4a9f-a984-09a47e805435.vbs"
        10⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65398303-4b67-4d93-b425-5faf9135b3ea.vbs"
        8⤵
        
        PID:1680
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa0545e4-5515-4347-9e82-c9972ce9430c.vbs"
        6⤵
        
        PID:956
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1823ea7f-151b-4f2e-817d-d6ef2cd8a35f.vbs"
      4⤵
      PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179c" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179c" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
4.9MB

MD5
99d4a5aed8ac2c36f83c10af92907bc1

SHA1
2ac0cdbbdde1d42c8519a06cdcca73569a8f4f26

SHA256
6cf6206d5d6d747ca4866ce21c7a8c9bf07fd0cac9c51f08f7c8d5fd487086a1

SHA512
42b49e3b694de733613ee2516f98d2399284a7f0091e45820babc9cc93e3cfd84365a61d27172c2613409bbdc6a055dbcbb82f8f3fce1c3efbe3ab07211ad9c9

Download Submit
C:\ProgramData\sppsvc.exe

Filesize
4.9MB

MD5
86af9aa868fe366230eae7fba3c8bebb

SHA1
4f241d3ea3683854a471120649ac1d75ea138fc5

SHA256
23254d494d8455ee344803f64ef6c0afa83381c9ad18cea57cc853e177bc81fc

SHA512
cd5fb4021e5db411c08f1c3f16112c83b2ebdfac02e12c6405c557a57b70702041fc4cfd95275289428be6db584124f00df02d1ef575b990c7e3e1000c545e39

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe

Filesize
4.9MB

MD5
681c0a87d1b513cf264544b1ac3dede5

SHA1
bec9d938781844fd153b072cc3a3bd59c1362d51

SHA256
ff8e4ea156c748029219d7dd502443bf2cb08341c386d8bedc1a79bca466119c

SHA512
8cbbea7255644a64ff1932f69c5c7d96c57e18d5b3c8254cffabc7a69fd29dde560c8db143c9a7ad123e79c72da514356d73967685da0de5dd44ce26e4a7698d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c10dcc4-48d6-42c2-b18b-e81229c73d01.vbs

Filesize
736B

MD5
3d3ffca7ecedc9f44ac254a57ddbefe0

SHA1
d3f7f8b0c9cc39123420ef117ca0cb3d831e08bf

SHA256
12763d4224159f54485e49afc3df1ef1f41b53a9cbfa1361ab881dd2a1fa9120

SHA512
9d474b5e9e5b11fec51eef9d96d38e1b904f29840ba95aae5fdb42847d964f2541dc3fda49d272eabbb3b66bfa0b6c9f89af792aea59066c5f89c7b26d560a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1823ea7f-151b-4f2e-817d-d6ef2cd8a35f.vbs

Filesize
512B

MD5
ca9a34adbda133766c78c2effef40bc5

SHA1
df04f909129abe4353e829d0481194993420006e

SHA256
9eda6f7434adad0459a626de89650647506b44a898522640c6590cc237b89ef1

SHA512
8cf930e7e87efa9bed95eb3181bddc96b7e460a7b0b30465364cefb005ee5ea97f45f0da6485c69b2fb05afcfc3f4b7fba56bcf07456d67a0ad457a949dfaf85

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e60be4c-695c-4b56-bed3-442495b1fc34.vbs

Filesize
736B

MD5
1ee178dd32fee41473ca5bef2127c81e

SHA1
43a64c32efd2fe327fa1b4fe702b022afcff9dc9

SHA256
7e047fbdd5ebe6d9cf8540d9070a17d6c5ee87ad1fc3e9405e0640557fd34e73

SHA512
212efbb811359d719e803d159a1d8033f01c338126e5a9c4de00dcc0722642c946acfa5400100f9104859f47368621e86a57f9152a26c257251ab4c5a2d6eaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\397a67a6-fab7-442c-9b72-aa9d15230647.vbs

Filesize
736B

MD5
8d2ee9c713f35094131be6b2682a8a0f

SHA1
ed70be07c6241af5a9f4c9f34a2a8e9f318a4f65

SHA256
17a0d21d8d5608a1490a3910746050fc609cdcf3103db276a15b1566cb0ef5b9

SHA512
1136e1c7a78b368899cd908aec422098453da501897db7acf69e723a194bd0a65a4f134bd2fa1f31ee121d3fe5725822293951cc50a09b55dc1c89cc7462bbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\75fa6afd-998e-49ed-90a9-d630b8d4d93a.vbs

Filesize
736B

MD5
514026161e762955857864febeab558d

SHA1
639a781234cb412edd4c29c64999f9129f3ffba5

SHA256
e59f4e13dc16b61dcea4d313149233cefb9bf3f82905a1ea219df9e672f0cf0b

SHA512
f66a710c0739cf8b3d619da7561db14e37f26c9351ab9f885e1f03dc322dc7f68d2fd9c61b4078db713c1c1929ab795d793bfb79500318bf7ebe63fafcceafa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fc7e4ec-f508-43ee-9fdb-47d79e8b9c37.vbs

Filesize
735B

MD5
1d50377a0e2cc4554ee0fae983d9f39a

SHA1
09938c4692d3f3c48eb831132a4ee18e3d8e29d5

SHA256
41bf83189bf6f9e6c6ae07237cb048235a3ed4164e70695c33e9170ce6eea02a

SHA512
60d6283e4d8d25ac990737193fdb8e05e0200987804cefaa0f06a00c6035655d6e309cb075e565555c07a242ffb928d42214a641ec7732d2b22e250e8a8487b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\90d2900a-70e2-4c43-aa85-b8ed754a44fb.vbs

Filesize
736B

MD5
f37d30dff83a3c2c0ef3c8ae16433b82

SHA1
4a545054581c87e9a3c44262ff03406c813e9310

SHA256
22cc4048b1d87affe87e9664b28d772e94ac866e6719042000fa3410de3269c9

SHA512
40bf99d24f2f03891fe0579e68187215da45fa3765a484054aedcff9ba68e41d48f111055d78a0e62584c967f4d6d7428b632e26f0f3bb4ad806e0f256989e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\91476f54-6a5c-47df-8508-ca19a0f989b0.vbs

Filesize
736B

MD5
2a66a9456cb2040bd09f912879cffb02

SHA1
d2ae5b29fea14b5e04dc6f867e56e7bca8adc0f8

SHA256
bad1ae69a127102a5964c6d9d63ea0137e60601461552a9e3d1a1b0615577954

SHA512
c50271bf332075dafb2ffa7124b6e60c6d94b6b469ce8bc9efe3a7791525ae45fe5677e9c00b1dce9cf0ccca244a301e80101e412c2549f300b3245813d44756

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaeba010-c4a6-4402-8a38-247084624c49.vbs

Filesize
736B

MD5
fc715e7941d49e447d9c6860ffa23208

SHA1
eadf6e07ddb8edbb0acbfb95606e7096aeb56a7b

SHA256
0b15840080d3adbc488b6cc6d4d11d75869670dcadfee7a33c952b95014c0359

SHA512
37004d628c55d1770183dac2c21dd0e1d62ab6c553e79a2b134ebb954ed45850f3178cb4ee26ae3374bb05f0918433977ab6425d2d4036f5c9afea2344594e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4da4835-0477-41de-bc23-33536a7d0f3c.vbs

Filesize
735B

MD5
4d5611c49a56de237ea57cfd8a7e1873

SHA1
c8338f86809222188d451fe17ef868d48035b190

SHA256
fb0de09a487aede35a0cafc6c247df283bb4a2948060105cbedb0786f30ae233

SHA512
33ac314d498644a4b90693428733a0ad9e28f6058a613d5a0b4c6018ea882dc8413bf94167897e25e229b81c79e7cccc1bbd9371301593cbca8bf332f1584e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c39e44dc-fb7c-4cbe-aa72-180f9cae673b.vbs

Filesize
736B

MD5
d841cc4d1a2e924e99076ba269ce9371

SHA1
f05511b5b9d0ed61b6542ee960630c203f548d24

SHA256
97413659aee9e3db2c59970d4dd71f9853001b84a68da3774824ecbbf93d585a

SHA512
7c47172298332ca9d5309a91aa9250b3d042d77a6dd5f3f211096ef5d971395eebff5571ee0d2c850ec1237f74772a1fdaa65fba3ab26e5e9756766d3cae20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc767796-4a94-42b8-bc2e-4f28789d9a8f.vbs

Filesize
735B

MD5
ab352123ac382c32607d16d26e6d7759

SHA1
066526246a6ac9c374e4cfcd4f1d502a0c9873fe

SHA256
9750b6ab9a9a4ecf075b64388d7190fb1c0a0f71554de30d954854ab66713b04

SHA512
aef141bc39e4b14748f8a2b3b40bc1e8f191fbef6ab8271934b3153924527440e90e8103e88d20e795debf0bc24fd02e1df34c237253f1e1e8713d875ae44921

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37F2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydDvMf1lEo.bat

Filesize
225B

MD5
84ceacd1b3a9b421d7be128c3b5e937c

SHA1
8a33554accb7e07edb638b7c45c694aedf5bb0d0

SHA256
c4e2c07b634da594408f05173f5d57a5c65b51451da190e17c7b5dc5d8e7b3cd

SHA512
103bf55d82caa41d666f7ae8872393bfb416bee33e599d101e1af7b656d0b0d1fbaa31c8ce527b65bf2ab33f2b6efe94f9d74bc11fc6d3155337143593c61ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
19e9eedba38c8cc8cc71f2ebe97fc206

SHA1
bf2dd7da69cc80c4015fe9d0f95b60da2fc0c869

SHA256
a1fa81cdfabb32a8ec058efaf4b61a783569a594d968986e0c592d580929c70a

SHA512
7817474f254905abcbeb7bc5609719b6610786bc03c04847d580f801fbdd6a03f036f67f633796f1c074b8265efd2c66864a6ec9066b397c345b3c0a57a2f9dc

Download Submit
C:\Users\Default\taskhost.exe

Filesize
4.9MB

MD5
8e81319277a614e4bdedc32b6b547cf1

SHA1
0804063c7b3af88bec63b02986c1437e576deede

SHA256
c70cd9f4166ce251a72ae7c176630f6deb17b1dd74854769a381102e77a35179

SHA512
a0326ac3aecbf5c5b1b237175c3e09f393cf394eea9824faa66680a154c7c8ad574f4ec63307e7f89d90ed1172841c282220fdd049e79991718521819822f2ff

Download Submit
memory/948-363-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/1656-234-0x00000000010B0000-0x00000000015A4000-memory.dmp

Filesize
5.0MB

Download
memory/1668-219-0x0000000000ED0000-0x00000000013C4000-memory.dmp

Filesize
5.0MB

Download
memory/2416-348-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2568-263-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download
memory/2616-11-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2616-12-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/2616-1-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/2616-143-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-3-0x000000001B920000-0x000000001BA4E000-memory.dmp

Filesize
1.2MB

Download
memory/2616-142-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-126-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2616-16-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2616-15-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/2616-14-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2616-13-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2616-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2616-10-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2616-9-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2616-7-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2616-8-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2616-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2616-5-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2616-4-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/2844-146-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2844-145-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2980-205-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download