dcrat | 68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Size

1.5MB
MD5

d38d717691c05fac4769e664d6e53248
SHA1

33bef9a88e278cc160f053a9ba87b2a16f7108b7
SHA256

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46
SHA512

811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\", \"C:\\ProgramData\\Microsoft Help\\Idle.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\", \"C:\\ProgramData\\Microsoft Help\\Idle.exe\", \"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\", \"C:\\ProgramData\\Microsoft Help\\Idle.exe\", \"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\", \"C:\\Windows\\System32\\api-ms-win-core-debug-l1-1-0\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\", \"C:\\ProgramData\\Microsoft Help\\Idle.exe\", \"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\", \"C:\\Windows\\System32\\api-ms-win-core-debug-l1-1-0\\spoolsv.exe\", \"C:\\Windows\\System32\\AtBroker\\taskhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Documents\\audiodg.exe\", \"C:\\ProgramData\\Microsoft Help\\Idle.exe\", \"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\", \"C:\\Windows\\System32\\api-ms-win-core-debug-l1-1-0\\spoolsv.exe\", \"C:\\Windows\\System32\\AtBroker\\taskhost.exe\", \"C:\\Windows\\System32\\rasmxs\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2812	schtasks.exe	30

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2712	powershell.exe
2340	powershell.exe
2292	powershell.exe
2860	powershell.exe
2936	powershell.exe
2952	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Executes dropped EXE 14 IoCs

pid	Process
3004	spoolsv.exe
2760	spoolsv.exe
1776	spoolsv.exe
1944	spoolsv.exe
1836	spoolsv.exe
560	spoolsv.exe
976	spoolsv.exe
776	spoolsv.exe
388	spoolsv.exe
1088	spoolsv.exe
2116	spoolsv.exe
2364	spoolsv.exe
2468	spoolsv.exe
2220	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\ProgramData\\Documents\\audiodg.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Microsoft Help\\Idle.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Microsoft Help\\Idle.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\thawbrkr\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\api-ms-win-core-debug-l1-1-0\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\ProgramData\\Documents\\audiodg.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\AtBroker\\taskhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\AtBroker\\taskhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\rasmxs\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\rasmxs\\lsm.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\api-ms-win-core-debug-l1-1-0\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\api-ms-win-core-debug-l1-1-0\RCX9976.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\AtBroker\RCX9BE7.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\api-ms-win-core-debug-l1-1-0\f3b6ecef712a24	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\AtBroker\taskhost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\rasmxs\101b941d020240	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\thawbrkr\RCX9705.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\thawbrkr\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\AtBroker\taskhost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\rasmxs\lsm.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\thawbrkr\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\thawbrkr\f3b6ecef712a24	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\AtBroker\b75386f1303e64	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\rasmxs\lsm.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\rasmxs\RCX9DEB.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2824	schtasks.exe
2728	schtasks.exe
2640	schtasks.exe
2784	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
2340	powershell.exe
2952	powershell.exe
2292	powershell.exe
2936	powershell.exe
2712	powershell.exe
2860	powershell.exe
2700	powershell.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3004	spoolsv.exe
Token: SeDebugPrivilege	2760	spoolsv.exe
Token: SeDebugPrivilege	1776	spoolsv.exe
Token: SeDebugPrivilege	1944	spoolsv.exe
Token: SeDebugPrivilege	1836	spoolsv.exe
Token: SeDebugPrivilege	560	spoolsv.exe
Token: SeDebugPrivilege	976	spoolsv.exe
Token: SeDebugPrivilege	776	spoolsv.exe
Token: SeDebugPrivilege	388	spoolsv.exe
Token: SeDebugPrivilege	1088	spoolsv.exe
Token: SeDebugPrivilege	2116	spoolsv.exe
Token: SeDebugPrivilege	2364	spoolsv.exe
Token: SeDebugPrivilege	2468	spoolsv.exe
Token: SeDebugPrivilege	2220	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2700	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	37
PID 1748 wrote to memory of 2700	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	37
PID 1748 wrote to memory of 2700	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	37
PID 1748 wrote to memory of 2712	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	38
PID 1748 wrote to memory of 2712	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	38
PID 1748 wrote to memory of 2712	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	38
PID 1748 wrote to memory of 2340	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 1748 wrote to memory of 2340	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 1748 wrote to memory of 2340	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	39
PID 1748 wrote to memory of 2292	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 1748 wrote to memory of 2292	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 1748 wrote to memory of 2292	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	40
PID 1748 wrote to memory of 2860	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 1748 wrote to memory of 2860	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 1748 wrote to memory of 2860	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	41
PID 1748 wrote to memory of 2936	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 1748 wrote to memory of 2936	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 1748 wrote to memory of 2936	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	42
PID 1748 wrote to memory of 2952	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 1748 wrote to memory of 2952	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 1748 wrote to memory of 2952	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	43
PID 1748 wrote to memory of 2580	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	51
PID 1748 wrote to memory of 2580	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	51
PID 1748 wrote to memory of 2580	1748	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	51
PID 2580 wrote to memory of 1308	2580	cmd.exe	53
PID 2580 wrote to memory of 1308	2580	cmd.exe	53
PID 2580 wrote to memory of 1308	2580	cmd.exe	53
PID 2580 wrote to memory of 3004	2580	cmd.exe	54
PID 2580 wrote to memory of 3004	2580	cmd.exe	54
PID 2580 wrote to memory of 3004	2580	cmd.exe	54
PID 3004 wrote to memory of 944	3004	spoolsv.exe	55
PID 3004 wrote to memory of 944	3004	spoolsv.exe	55
PID 3004 wrote to memory of 944	3004	spoolsv.exe	55
PID 3004 wrote to memory of 2024	3004	spoolsv.exe	56
PID 3004 wrote to memory of 2024	3004	spoolsv.exe	56
PID 3004 wrote to memory of 2024	3004	spoolsv.exe	56
PID 944 wrote to memory of 2760	944	WScript.exe	58
PID 944 wrote to memory of 2760	944	WScript.exe	58
PID 944 wrote to memory of 2760	944	WScript.exe	58
PID 2760 wrote to memory of 1292	2760	spoolsv.exe	59
PID 2760 wrote to memory of 1292	2760	spoolsv.exe	59
PID 2760 wrote to memory of 1292	2760	spoolsv.exe	59
PID 2760 wrote to memory of 2892	2760	spoolsv.exe	60
PID 2760 wrote to memory of 2892	2760	spoolsv.exe	60
PID 2760 wrote to memory of 2892	2760	spoolsv.exe	60
PID 1292 wrote to memory of 1776	1292	WScript.exe	61
PID 1292 wrote to memory of 1776	1292	WScript.exe	61
PID 1292 wrote to memory of 1776	1292	WScript.exe	61
PID 1776 wrote to memory of 2940	1776	spoolsv.exe	62
PID 1776 wrote to memory of 2940	1776	spoolsv.exe	62
PID 1776 wrote to memory of 2940	1776	spoolsv.exe	62
PID 1776 wrote to memory of 2280	1776	spoolsv.exe	63
PID 1776 wrote to memory of 2280	1776	spoolsv.exe	63
PID 1776 wrote to memory of 2280	1776	spoolsv.exe	63
PID 2940 wrote to memory of 1944	2940	WScript.exe	64
PID 2940 wrote to memory of 1944	2940	WScript.exe	64
PID 2940 wrote to memory of 1944	2940	WScript.exe	64
PID 1944 wrote to memory of 1288	1944	spoolsv.exe	65
PID 1944 wrote to memory of 1288	1944	spoolsv.exe	65
PID 1944 wrote to memory of 1288	1944	spoolsv.exe	65
PID 1944 wrote to memory of 1968	1944	spoolsv.exe	66
PID 1944 wrote to memory of 1968	1944	spoolsv.exe	66
PID 1944 wrote to memory of 1968	1944	spoolsv.exe	66
PID 1288 wrote to memory of 1836	1288	WScript.exe	67

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
"C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Documents\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft Help\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\thawbrkr\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AtBroker\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\rasmxs\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FVmGJllIYd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1308
- - C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
    "C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91a2a3d-61fa-4183-8a47-16a48af3684a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2760
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22932be1-8e7e-4347-96b5-59073b9c71e1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7974e49b-c9f7-4927-ba7f-bcde52d4a21f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5322c478-4e85-4f9c-b449-70ba07d9628b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6656d0a0-ccdc-47a6-bbba-837a5cd07f63.vbs"
        12⤵
        
        PID:1140
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b217a0e6-22af-4619-9dee-e2882adb741b.vbs"
        14⤵
        
        PID:2288
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85fa9a68-945c-4340-b1d3-5ee606fc59a7.vbs"
        16⤵
        
        PID:2336
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7efc7fc4-53c0-4d15-bfe8-26a639ce696a.vbs"
        18⤵
        
        PID:1228
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a049bbd0-c8e4-4617-99c4-a37f88b49285.vbs"
        20⤵
        
        PID:1476
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e87e132b-5c11-4388-981a-41e06d1adc11.vbs"
        22⤵
        
        PID:2380
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6965cc22-3f6e-4549-8022-953feeeb4728.vbs"
        24⤵
        
        PID:1568
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8742cd8f-0eec-46d1-b39f-3cf0ad7eb99c.vbs"
        26⤵
        
        PID:808
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3af8b3b2-40eb-4eea-8095-08e05786b551.vbs"
        28⤵
        
        PID:2312
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        
        C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\772072e1-cf6e-4f3d-a251-5a80e91bd20f.vbs"
        30⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38159d82-8745-483d-8db2-e5393d55498c.vbs"
        30⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a61f81b9-f680-4397-bdc3-a389bfa50bd3.vbs"
        28⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03f866be-d4f7-4ceb-bd71-85ac065f2ae2.vbs"
        26⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5838352-b2bc-48c3-b158-728d31ab647c.vbs"
        24⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71998b70-045e-405b-b777-2e565a15c049.vbs"
        22⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1e0715-8e03-4a9e-999b-24823887f455.vbs"
        20⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91636d36-025f-43c5-bc01-4932fe4c7a1b.vbs"
        18⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7b89fe-223b-4fcb-8c7a-77eb47b5fffc.vbs"
        16⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b78dca01-2dc3-4e0a-99ef-ff8b2b800aed.vbs"
        14⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367480a0-5383-4d53-88bd-00c63d6c1c61.vbs"
        12⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\858d4e4f-7358-49a4-8c50-ebd2302255e9.vbs"
        10⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd4c86e-9d5f-4aae-9fb9-b64563913206.vbs"
        8⤵
        
        PID:2280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2ab2b0d-c19f-4f54-b0c9-6ab15aaf605c.vbs"
        6⤵
        
        PID:2892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5adca63e-5407-4100-9b57-8a3452328e0c.vbs"
      4⤵
      PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\ProgramData\Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\thawbrkr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\AtBroker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\rasmxs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22932be1-8e7e-4347-96b5-59073b9c71e1.vbs

Filesize
736B

MD5
3a9931571d81c041dbc5fbadd35013ac

SHA1
7b7eedace820094c76a0ba880471f3eb4a9fc8b6

SHA256
7e6f4c2807fbf9fdfe75adfd883083e73b71c18b1f666af61a70e1c9edf24fb6

SHA512
f6377253b0ff517a516c85b3e4f489d963cb07fa0394c9ac48b0b1bf8f64e909a37e3f1056c737504af5b26f67c78445d907b52b67b16348ba1601f559e33634

Download Submit
C:\Users\Admin\AppData\Local\Temp\3af8b3b2-40eb-4eea-8095-08e05786b551.vbs

Filesize
736B

MD5
d6e4c475c8fceeedd90f65361282aaca

SHA1
eae7ae8e59df2359fda103d6e6dcfd0a88047568

SHA256
a4e4e4b8a90e08cbae2da3b9480f821bde2be70733344e7e6192acdfe464ff81

SHA512
dfeace08a9b5112669f534d367fde8fdb92d592c5ea4eb2e655b0fae2d55974eaee5136c5c19d9ed24b53e3ad642b8ac551ddd8abeccc6a61e04de6ce2272bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5322c478-4e85-4f9c-b449-70ba07d9628b.vbs

Filesize
736B

MD5
068daa8681411d79193738a6d7db0826

SHA1
579935c9561b4c691991573209f7d5a0354afa5c

SHA256
b0fd2e0b5c9e21ce7d474192894b19d9f909249a428d75a5997f48c37df6d5c4

SHA512
b76e17e1bede576eecd9c1dad1753b13dab2bb1fdeb888625e110f48aa357d31050510e167f2352d8010061537b81ea7a2f157ad04675701729d1447afec2e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\5adca63e-5407-4100-9b57-8a3452328e0c.vbs

Filesize
512B

MD5
50a50baca8e6be0fd11ca7d75487c8a6

SHA1
e64dbf96028ab4b0c8817d9841e88b10c559056b

SHA256
23a4167f99cc79cbcd0e01e80c29cdd281c4d583831c2e0f0662fc1fa865e300

SHA512
bf173b612f4a6381345f484ae55d96a474500a2b97b2f9ca7efae8a3a85b2b67af303f6ce5eca6dea2aa6332324221b608f4cfe9e977116b74298dc50b22782e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6656d0a0-ccdc-47a6-bbba-837a5cd07f63.vbs

Filesize
736B

MD5
8c29458f89ffdf408be8311b8ffbbf74

SHA1
15d6294f72a0ae8313e92c630905687791ec0d88

SHA256
cb9226f48ccdf753ed98ecb341b6849e4a73ee058167eb0768958676ce0b2516

SHA512
40067061a2e09f77ac63728269c515211303d84b4dbee6b3666fb13f0e236fca27ba8871c4d6a3eb2106c744947ed5a5a52b824ec3a9ef7654cc9ffa2f45976d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6965cc22-3f6e-4549-8022-953feeeb4728.vbs

Filesize
736B

MD5
9c402e2068149ae00d98856bc8c40fb3

SHA1
7cd72a8e275589a27e7c0f73b8ba8e2e6fbae336

SHA256
71c03dff02c2a79ca45561c9f29f0dc551744ff24f7a03d81f41c4c6544a4aa1

SHA512
ca2a443616f0ad575c62fc6f1702c72fd968be50b9b66f753365e66730b4309c653b72c3e8820c6ba5d4a476339fb3d5920c916ebb1b6e5dba3901ac16c0dc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\772072e1-cf6e-4f3d-a251-5a80e91bd20f.vbs

Filesize
736B

MD5
60880d1ec7b55f749b471df30eacbdff

SHA1
c897cfd72e98f7b1d02a2431f06f73e4425afc09

SHA256
e7caf9699f7718e54a2971bec3f55a6010adb0c5e1559a9d548e49b61b837cd2

SHA512
a31acbf074cbd69dad992fd10e07c9f757d6ae96fefaacbec5ac2bae025055fc4a02b4d587180056ab81f0e5214fddce25296ab9011776a51adaaadf2e5aba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7974e49b-c9f7-4927-ba7f-bcde52d4a21f.vbs

Filesize
736B

MD5
cf575f7e5bd3f1f9a0e1335ca7296fd8

SHA1
a7b05d814c39f67ec688b994e88f362ef20f4992

SHA256
4d0669062dc3f3533a8768d304d1c093f1eafa37dca848c151fb9562adb69863

SHA512
781c6465f05b33ecfd0587d15ff2ceab013a6d51a606a94ae3c0a15c6629e56a9f5fcc3e0a28fe88e9ec8d1440f749244376f4fd327cebbaf2329a58ed9013df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7efc7fc4-53c0-4d15-bfe8-26a639ce696a.vbs

Filesize
735B

MD5
784f84088c0af37d057f1e472112fe62

SHA1
14c797e4aec2d3f19235a19de1ed44605bd8d4cc

SHA256
9e660b1e70b9e0aa9fee850b169a07cd7e117238e28fd7a8aab5f762960460bc

SHA512
04351c17abd78d706485261f1670ca250c0252f6c2e4e60ed5a459da1ca4e9f158d233c6823f32bd457fff34d350524dc8826dcadc7faf3bba980d262fb44b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\85fa9a68-945c-4340-b1d3-5ee606fc59a7.vbs

Filesize
735B

MD5
278873635d6d8943b7b942cc7515b467

SHA1
0e7b195e624f0aedc4c69d0484df394d246efea7

SHA256
bfc9bb22366e2339315159ddbf1f8ff39a3b98f8b45a71bd218b1c3e3144eace

SHA512
f05e3def66b6c9c7bd1127e3347d6b5e18676863d5c1d777e121502b8d28696d0515261443fdb57d80a8ede78a75f5325aaba02079fa2cd0eed195dedd567dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8742cd8f-0eec-46d1-b39f-3cf0ad7eb99c.vbs

Filesize
736B

MD5
ba93addd04d4d2cb83bf270b4304d8b5

SHA1
4ebc83be1a4cec2771b688728adb21d6c9d67695

SHA256
af3d672e0aedac407a3be5fdffcc0609343d65620647224b322139a1e2f2bb5f

SHA512
1684860fae251984429a8c01d546a7c421317df73792c388a36e6e507af21444cbe5275d41fdc74179c17b30644cfdf374d11b297c23bcb973ed21f2036f12e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVmGJllIYd.bat

Filesize
224B

MD5
88ffd6e3bafa8fecd5a092e27f56166c

SHA1
a4e55ba85a05047b7bf5f428ba15c21a9f4531cd

SHA256
b946c1545fa6eca1cac9efde7380b93848e72880c38fd4c822fc163b652618f4

SHA512
c1a0f7a254df21bac92b8854bdb6fcafc196d6a97b536c48a101259cf60df43b9446eb8a416ea2bce2b90b2a8ef91de747a4bdd534ab255e62679a453286f7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a049bbd0-c8e4-4617-99c4-a37f88b49285.vbs

Filesize
735B

MD5
389bac2180fb3f3ae3a7f1ccd1b8bd38

SHA1
902f5c975d9095c81e9027e771c42f8504bd3ae2

SHA256
0b51dc8169121a566401955abaf9b4e122ef2ca0f8917ea7b2c9fba3af313bc4

SHA512
4be452493885324fb610b2be3e89151708e614d860b9fe886e784bb6c6866283adb59d5dccbe85caa6bd6451bcb4aeab40dfdf4bd8725d880acbf81b0468c9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b217a0e6-22af-4619-9dee-e2882adb741b.vbs

Filesize
735B

MD5
f0836e4d6396bde271580201e61b8aa6

SHA1
2195a2afdffa1dcec6c30dec13c738394f566b86

SHA256
eb53371c2fdf0fb803587ad51eb4a9124b3ad772f3733fac7c7376a3ed8ea70c

SHA512
96ac84d0d29980ea614868ba1a4a035cbc006dbc36b4004e96a28d7b960bfd4ca2e78f2a9ebe2dcb53cb6ddf7482094ef919ff313a523f0e3fed0fb5d8d59e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c91a2a3d-61fa-4183-8a47-16a48af3684a.vbs

Filesize
736B

MD5
56cbe4f114bdd15840458780b6bace61

SHA1
9517bec53edd8eb58de7e6c5f7280dcf6919acff

SHA256
b2d1578d55014398ddb797d263e70947b3db4d79dc32bab6e6ea6eaeb94009f8

SHA512
a09b99486177f24850b559b5ef0fe92ecaec2e846a0c7a7be760f148b51e8a17a9919b27fe138f356e4b03a04a87378ec2856a1c1dafd6e83bfcc85ed6ddc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\e87e132b-5c11-4388-981a-41e06d1adc11.vbs

Filesize
736B

MD5
d86ddf7bfa3b77a09b3825c28513c7f2

SHA1
cf0b6e16d038a238ac6b4a7781a47bf691a33e66

SHA256
2cea5deb26f7cfff65c6779efe9b0bf6bbc63f47025813ad3d3f49aa060bfed9

SHA512
a18e741abd499a512f386c7c757cabc915fa5661941d5a4fb5f40b2135e1817eced570f76ef85a1b28b665fd25315d6a2a2dba3f4c7d131284d9b94fbf4e1dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9723531956a4cb41187778af99722544

SHA1
4718d8eb37e16a7816190cbd3561b3c56fc7403b

SHA256
9673e1af4a8ef2f0145f10a2ac4aaadfb9276aabf6f6c6006a29c7ca3b108089

SHA512
bfabfc5857dd307bfc299cff4d20843c9647c34d2f3407df7884cbc8f93fbb816d4e6ce3329ca92fb55ec75fe5f5f2dafc9c61bd9febeb67cbd0489b800dc55b

Download Submit
C:\Windows\System32\AtBroker\taskhost.exe

Filesize
1.5MB

MD5
d38d717691c05fac4769e664d6e53248

SHA1
33bef9a88e278cc160f053a9ba87b2a16f7108b7

SHA256
68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

SHA512
811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09

Download Submit
C:\Windows\System32\api-ms-win-core-debug-l1-1-0\spoolsv.exe

Filesize
1.5MB

MD5
5d5e776e56fa4326aa1f83af5abf30ad

SHA1
a60f55d30ea101088822b13ea9c1c9dc8a75ede8

SHA256
e73a00c25d5a8f19f8dd91f44b79116f07a5076267a69fd61f341deb21da3c9c

SHA512
19221d5bde503c9dd374c8176a19216224848ebe2b87c61a9b0273955e44f5ab57b1645b40fe76c5c7a91a11a691d4a172456b0d0d374654fa0f184364e8216c

Download Submit
memory/560-178-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1748-12-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1748-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

Filesize
4KB

Download
memory/1748-21-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1748-81-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-20-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1748-18-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1748-1-0x0000000000DF0000-0x0000000000F6E000-memory.dmp

Filesize
1.5MB

Download
memory/1748-2-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-17-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/1748-3-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1748-16-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1748-15-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/1748-4-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1748-14-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1748-5-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1748-24-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/1748-13-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1748-11-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1748-10-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1748-8-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/1748-9-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1748-7-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1748-6-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1776-144-0x00000000011C0000-0x000000000133E000-memory.dmp

Filesize
1.5MB

Download
memory/2116-234-0x0000000000120000-0x000000000029E000-memory.dmp

Filesize
1.5MB

Download
memory/2220-270-0x0000000000320000-0x000000000049E000-memory.dmp

Filesize
1.5MB

Download
memory/2340-96-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2340-102-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2364-246-0x00000000009E0000-0x0000000000B5E000-memory.dmp

Filesize
1.5MB

Download
memory/2468-258-0x0000000000BF0000-0x0000000000D6E000-memory.dmp

Filesize
1.5MB

Download
memory/2760-132-0x0000000000E30000-0x0000000000FAE000-memory.dmp

Filesize
1.5MB

Download
memory/3004-121-0x0000000000A10000-0x0000000000B8E000-memory.dmp

Filesize
1.5MB

Download