dcrat | 26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Size

1.5MB
MD5

a5fab16bfd5f2f5b2beef03fc634c78b
SHA1

e2876e25315d4109734bd0ffa2e3d50db7550f5e
SHA256

26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7
SHA512

a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRQ:EzhWhCXQFN+0IEuQgyiVK4

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\splwow64\\sysmon.exe\", \"C:\\Windows\\System32\\uReFS\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.Uev.ManagedAgentWmiUninstall\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\splwow64\\sysmon.exe\", \"C:\\Windows\\System32\\uReFS\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.Uev.ManagedAgentWmiUninstall\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\mofcomp\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\splwow64\\sysmon.exe\", \"C:\\Windows\\System32\\uReFS\\winlogon.exe\", \"C:\\Windows\\System32\\wbem\\Microsoft.Uev.ManagedAgentWmiUninstall\\unsecapp.exe\", \"C:\\Windows\\System32\\wbem\\mofcomp\\unsecapp.exe\", \"C:\\PerfLogs\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\splwow64\\sysmon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\splwow64\\sysmon.exe\", \"C:\\Windows\\System32\\uReFS\\winlogon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3940	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3940	schtasks.exe	82

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3232	powershell.exe
1736	powershell.exe
4388	powershell.exe
5080	powershell.exe
1704	powershell.exe
2244	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 12 IoCs

pid	Process
2912	sysmon.exe
2604	sysmon.exe
2504	sysmon.exe
4288	sysmon.exe
456	sysmon.exe
4976	sysmon.exe
4460	sysmon.exe
720	sysmon.exe
840	sysmon.exe
2212	sysmon.exe
1516	sysmon.exe
3432	sysmon.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\uReFS\\winlogon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\uReFS\\winlogon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\mofcomp\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\splwow64\\sysmon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\splwow64\\sysmon.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\Microsoft.Uev.ManagedAgentWmiUninstall\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\Microsoft.Uev.ManagedAgentWmiUninstall\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\mofcomp\\unsecapp.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\explorer.exe\""	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\uReFS\winlogon.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\uReFS\cc11b995f2a76d	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\29c1c3cc0f7685	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\mofcomp\29c1c3cc0f7685	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\uReFS\RCX8FCE.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\uReFS\winlogon.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\RCX91D3.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\mofcomp\RCX93D8.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\unsecapp.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\System32\wbem\mofcomp\unsecapp.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\unsecapp.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\System32\wbem\mofcomp\unsecapp.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\splwow64\121e5b5079f7c0	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\splwow64\RCX8DCA.tmp	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File created	C:\Windows\splwow64\sysmon.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
File opened for modification	C:\Windows\splwow64\sysmon.exe	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1104	schtasks.exe
2332	schtasks.exe
2124	schtasks.exe
724	schtasks.exe
2240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2244	powershell.exe
1704	powershell.exe
3232	powershell.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4388	powershell.exe
5080	powershell.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4388	powershell.exe
2244	powershell.exe
1704	powershell.exe
1736	powershell.exe
3232	powershell.exe
5080	powershell.exe
1736	powershell.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2912	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe
2604	sysmon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2912	sysmon.exe
Token: SeDebugPrivilege	2604	sysmon.exe
Token: SeDebugPrivilege	2504	sysmon.exe
Token: SeDebugPrivilege	4288	sysmon.exe
Token: SeDebugPrivilege	456	sysmon.exe
Token: SeDebugPrivilege	4976	sysmon.exe
Token: SeDebugPrivilege	4460	sysmon.exe
Token: SeDebugPrivilege	720	sysmon.exe
Token: SeDebugPrivilege	840	sysmon.exe
Token: SeDebugPrivilege	2212	sysmon.exe
Token: SeDebugPrivilege	1516	sysmon.exe
Token: SeDebugPrivilege	3432	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3232	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	88
PID 4132 wrote to memory of 3232	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	88
PID 4132 wrote to memory of 1736	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	89
PID 4132 wrote to memory of 1736	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	89
PID 4132 wrote to memory of 4388	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	90
PID 4132 wrote to memory of 4388	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	90
PID 4132 wrote to memory of 5080	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	91
PID 4132 wrote to memory of 5080	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	91
PID 4132 wrote to memory of 1704	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	92
PID 4132 wrote to memory of 1704	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	92
PID 4132 wrote to memory of 2244	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	93
PID 4132 wrote to memory of 2244	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	93
PID 4132 wrote to memory of 2912	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	100
PID 4132 wrote to memory of 2912	4132	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe	100
PID 2912 wrote to memory of 2300	2912	sysmon.exe	101
PID 2912 wrote to memory of 2300	2912	sysmon.exe	101
PID 2912 wrote to memory of 2988	2912	sysmon.exe	102
PID 2912 wrote to memory of 2988	2912	sysmon.exe	102
PID 2300 wrote to memory of 2604	2300	WScript.exe	107
PID 2300 wrote to memory of 2604	2300	WScript.exe	107
PID 2604 wrote to memory of 3676	2604	sysmon.exe	108
PID 2604 wrote to memory of 3676	2604	sysmon.exe	108
PID 2604 wrote to memory of 628	2604	sysmon.exe	109
PID 2604 wrote to memory of 628	2604	sysmon.exe	109
PID 3676 wrote to memory of 2504	3676	WScript.exe	112
PID 3676 wrote to memory of 2504	3676	WScript.exe	112
PID 2504 wrote to memory of 4844	2504	sysmon.exe	113
PID 2504 wrote to memory of 4844	2504	sysmon.exe	113
PID 2504 wrote to memory of 2436	2504	sysmon.exe	114
PID 2504 wrote to memory of 2436	2504	sysmon.exe	114
PID 4844 wrote to memory of 4288	4844	WScript.exe	117
PID 4844 wrote to memory of 4288	4844	WScript.exe	117
PID 4288 wrote to memory of 1116	4288	sysmon.exe	118
PID 4288 wrote to memory of 1116	4288	sysmon.exe	118
PID 4288 wrote to memory of 2040	4288	sysmon.exe	119
PID 4288 wrote to memory of 2040	4288	sysmon.exe	119
PID 1116 wrote to memory of 456	1116	WScript.exe	120
PID 1116 wrote to memory of 456	1116	WScript.exe	120
PID 456 wrote to memory of 4132	456	sysmon.exe	121
PID 456 wrote to memory of 4132	456	sysmon.exe	121
PID 456 wrote to memory of 316	456	sysmon.exe	122
PID 456 wrote to memory of 316	456	sysmon.exe	122
PID 4132 wrote to memory of 4976	4132	WScript.exe	123
PID 4132 wrote to memory of 4976	4132	WScript.exe	123
PID 4976 wrote to memory of 4588	4976	sysmon.exe	124
PID 4976 wrote to memory of 4588	4976	sysmon.exe	124
PID 4976 wrote to memory of 5012	4976	sysmon.exe	125
PID 4976 wrote to memory of 5012	4976	sysmon.exe	125
PID 4588 wrote to memory of 4460	4588	WScript.exe	126
PID 4588 wrote to memory of 4460	4588	WScript.exe	126
PID 4460 wrote to memory of 4352	4460	sysmon.exe	127
PID 4460 wrote to memory of 4352	4460	sysmon.exe	127
PID 4460 wrote to memory of 2020	4460	sysmon.exe	128
PID 4460 wrote to memory of 2020	4460	sysmon.exe	128
PID 4352 wrote to memory of 720	4352	WScript.exe	129
PID 4352 wrote to memory of 720	4352	WScript.exe	129
PID 720 wrote to memory of 4708	720	sysmon.exe	130
PID 720 wrote to memory of 4708	720	sysmon.exe	130
PID 720 wrote to memory of 4108	720	sysmon.exe	131
PID 720 wrote to memory of 4108	720	sysmon.exe	131
PID 4708 wrote to memory of 840	4708	WScript.exe	132
PID 4708 wrote to memory of 840	4708	WScript.exe	132
PID 840 wrote to memory of 2432	840	sysmon.exe	133
PID 840 wrote to memory of 2432	840	sysmon.exe	133

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe
"C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\splwow64\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\uReFS\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\mofcomp\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\splwow64\sysmon.exe
  "C:\Windows\splwow64\sysmon.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f88dca1-fde8-4dbd-91ba-f42e6020402a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\splwow64\sysmon.exe
      C:\Windows\splwow64\sysmon.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3be6bfd-e252-40da-9e91-5cc388d959a5.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a771f8c-55bd-4425-b988-02228c168d8b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c03abe3-45dd-4998-80e1-3163257cefec.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f403c2-ed15-4d65-99b7-921ff07083d0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4bd8350-707d-4a21-b98a-647b620e611d.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b052b0-1eb0-48cf-b4fe-b24cb061f680.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b65a454-9ced-494e-b862-51efa58f47d1.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c86852d-6a05-4966-971c-d4920de4c984.vbs"
        19⤵
        
        PID:2432
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3244cf46-574f-412a-a8b0-0c5ac206e008.vbs"
        21⤵
        
        PID:1360
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa826057-efdc-4069-922f-8a1d93f89497.vbs"
        23⤵
        
        PID:4040
        
        C:\Windows\splwow64\sysmon.exe
        
        C:\Windows\splwow64\sysmon.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466f4875-f9a9-41e4-abc0-6871be23c56c.vbs"
        25⤵
        
        PID:3916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18fee0d0-78da-40a3-b4d7-8a2066dac0b0.vbs"
        25⤵
        
        PID:3288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6d745a4-f197-43ba-a82e-006c443802c2.vbs"
        23⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cd166c-1fd2-42c4-842e-e0241f0771d5.vbs"
        21⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cedb09e-46e1-4442-8af7-0e31df2fddf6.vbs"
        19⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13fe6681-eab3-4bd5-a5d6-ab82207a8b63.vbs"
        17⤵
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\436eefb1-dfe8-416c-9939-e1597e77ef86.vbs"
        15⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b54e82e-4683-4dd5-8e10-97ea9d034f8a.vbs"
        13⤵
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ddd99b4-0393-4f06-812a-6db354b7ffd8.vbs"
        11⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa1fb186-666c-4fc3-a862-87153af9346e.vbs"
        9⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cb05871-db38-400c-be50-bd0e8d2fe15e.vbs"
        7⤵
        
        PID:2436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\305b9ee8-a076-407d-9e18-6574d93cf6ca.vbs"
        5⤵
        
        PID:628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f519904-68f7-4d24-b158-1d255ba5aa63.vbs"
    3⤵
    PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\splwow64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\uReFS\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\Microsoft.Uev.ManagedAgentWmiUninstall\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mofcomp\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\explorer.exe

Filesize
1.5MB

MD5
a5fab16bfd5f2f5b2beef03fc634c78b

SHA1
e2876e25315d4109734bd0ffa2e3d50db7550f5e

SHA256
26ae980535130c95f6d19050c952ddcaf289ae27785e9d16e30ea2b19546c2f7

SHA512
a8efef2e38b32410db153aa3a8db6558a03e9fe73ed930fc37aaf2af2559dbd4a99c90249156884ecdf573498f6d9e8cdcaac0c983f749cdaf831df611925894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a771f8c-55bd-4425-b988-02228c168d8b.vbs

Filesize
706B

MD5
297b9cc2be207fee6947422b41db5cc0

SHA1
98f725ab7fe7bc15c4b5e9955e1ee62eb10e7913

SHA256
864d2c3dfdfbc92ac6e5b81e9e1ea51fee45c7b0e82096ab40b8f6d046533475

SHA512
c8042fb335574a606924bc333e1a8343e8eaa18da6e56dd50f22ce5db4a7c7e00a841e38035eab29931078ddb6c10c8d241e5f0b5e6b4e4d84afb73d24ab02cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c86852d-6a05-4966-971c-d4920de4c984.vbs

Filesize
705B

MD5
f8aec3f3c0eef90be37e83909b913165

SHA1
3f7a02379cea28da9c190165b50b55f0fe20279b

SHA256
7b6145a1d41c1b4e8ff4856e5dde44b82da6447e6df262339e9296e5aa54b0b2

SHA512
b3fd1cdd41335a3c311186977c5d1727323a666c32a36bb40c29917018b9fe47e01200553a8d355ce7d8f90761e487358e12537dd934d3a5bece7a5fd5273a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c03abe3-45dd-4998-80e1-3163257cefec.vbs

Filesize
706B

MD5
e1040a10a6c55ec3d343f40616b9ff41

SHA1
97a5f5dfd807fdd7d50e52dd7d012a5d2809b2ff

SHA256
e59de09ce27569daca2dd9831ad9faf1eabc04c2739d12cbe97de8e92018a005

SHA512
9aa0fd8147da17210d17ef371608540d8b0577f9c86c93e062fd3ced25ae221cd36abf0a585b1901262e3740f334750ce44154e467be01beb202a5506124f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3244cf46-574f-412a-a8b0-0c5ac206e008.vbs

Filesize
706B

MD5
c066cfae85a1a05d458b482e00a0e7af

SHA1
ce40f69c61b1496841c4191f834496b98861aee2

SHA256
c093b5b1331246a3ce282ef7519af4b92b87b9090034f9cfa435224fe116d586

SHA512
460433e414cbbba53a3d3a70bb8c6ce35a8eb6293a4c21acf5a694c5cd6fdd157bbd5da71e964296182bfbd54eea6c97f408983ed0f0019b34e4f2ae9b558179

Download Submit
C:\Users\Admin\AppData\Local\Temp\466f4875-f9a9-41e4-abc0-6871be23c56c.vbs

Filesize
706B

MD5
7cbf766c33872525862209a050767709

SHA1
2195603d3d359cd27e0d6615989abe9d001f3c42

SHA256
fc78d336ce2ad444180741d9b87c9cd0a36e8b02720b5aa80aaa92a3a9a2a573

SHA512
480d3423da94c78206bb8da4a6fe7b043a83647aead1987b87bdd91ddaebc71146ffcffb49dd0c1829be0d46d3832cf20acefe88f9d0139636ddf9c49917d5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f403c2-ed15-4d65-99b7-921ff07083d0.vbs

Filesize
705B

MD5
cb10468c5f6a6a13c730dbd820b57300

SHA1
a6fdb24834f07401dfcebe9b98ec5d2425796b0b

SHA256
1a3668cd40e53820eb527904cb8c48553033654540436279267574dbb3ae9f46

SHA512
8aa05162fc7ac3e182d92113f53d4973f81ee6662655ffe006eacbe2bc177eb99a9b73ec181519923e6de79eade26652bfda24dda46111ac5f350fbf22bfd6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b65a454-9ced-494e-b862-51efa58f47d1.vbs

Filesize
705B

MD5
ff3d9251956ebbe264599deee5cc4a4d

SHA1
7665b1dad655d9826ba2b26c8ec5fee325b645e2

SHA256
42d1ab9be5f7144641e2d2782d352432e269491ce2b48f66b54680fae2bf75c1

SHA512
d763d60eabdaedd28355a874dd5b580a95ff8833e7dc30a543faf3f4a1b6007d32c4d95adb4039e515c037e05692e904e7666d17bb07663cbff522a24edccf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60b052b0-1eb0-48cf-b4fe-b24cb061f680.vbs

Filesize
706B

MD5
a3204e8ac2bb42255279c4fcc0fca07c

SHA1
bcd0c1fde494599a51586ea1ce60ac6d5d9376c3

SHA256
cb6566cec04a3edce41aba257491452034340e619829cd09dd5061de41d499b4

SHA512
609957c843479afe4a3c715b8a582f4fecd90344bf3340bd2e3259140cd486c07a3f9343bcd95c46ccd75055bb0684d03b867fef7618938cfc4d0db9fee069b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f519904-68f7-4d24-b158-1d255ba5aa63.vbs

Filesize
482B

MD5
acd2ea1d6e6defc013e6e5eced1c2a4c

SHA1
33b6cd1d9d78cf426f07a31ab1a2bf2c2ba10f00

SHA256
5616236a3726c634e697189f73f1a1bf5120d46d7f54e0b654d00a2b1e010bbd

SHA512
6e173767375dba9c8c01af090c430372ef11d5095a4107bec84c5bc585226b1805e9b8ab592648819491ce41502c02af700f9f0d318d9c4c7479ef02e5a1439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f88dca1-fde8-4dbd-91ba-f42e6020402a.vbs

Filesize
706B

MD5
2a86cb1efcd134efd850e457e2eb4808

SHA1
a14f20140a7e9eb08d17d20404f21130cbd9888d

SHA256
e861bcc9a73ea727769a75eadce01c225eef0b54bb704209788c36c5edd25080

SHA512
d821d4eb23918fe4b34b626c21a9672ad28ed6e248c72425e87ef6e87ef903b5dd024e97019e27169a066bf27e3fa9181ea959e098a57ee791c8cad177cc9a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzhooan4.0ee.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa826057-efdc-4069-922f-8a1d93f89497.vbs

Filesize
706B

MD5
e37516d2c99a8b452092ee54c55be4fd

SHA1
399d2ef82821ea9f3012bc9ff5ff147a91674317

SHA256
3f5400091a9a1f20b3f0521082f8fc97375bf96f299da37932322eb7295c235e

SHA512
9c62a5c1d5d994bab211263292cb590f99c281d77dac66dc63097ee3e17af3418b3d3b47dc6d345f2691f0b89245538f740380b1e708e15d70c68781403ac5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4bd8350-707d-4a21-b98a-647b620e611d.vbs

Filesize
706B

MD5
1ce4c4ee354b4820a48819aeb6aeffac

SHA1
dd89630cae7d69a13475e165b2bfe8033291d182

SHA256
2d2e70891e9d652ec40d417693041c6cf560698ce81b696d939d63e083b7b1df

SHA512
77ed5b76a014159e3bc5cbe89c80c5f56177610ea0fd6dd10b43945ca52e2f8ef993aed2829f85f9ff1ad95457b9b8d2d0d93592d007343b405bcfa55381a0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3be6bfd-e252-40da-9e91-5cc388d959a5.vbs

Filesize
706B

MD5
28985a6c94a7f2e60d79af70a8c5d657

SHA1
b0bb0d8744377247a29ed1deba7bb62004973405

SHA256
e302ab7f5a78a2429ba3047e97785808dd334459e7f8fc1d2eb51a6d88ecf510

SHA512
4afd07e69cd3ad27ff1708f156fd293c80cc80eb0f047bb362780a0cd6f6ff0e57339145ec2cf7b500992b14ba243935371bf683210240d43d349aef4824e3ad

Download Submit
memory/456-246-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

Filesize
72KB

Download
memory/1704-129-0x000001F891F70000-0x000001F891F92000-memory.dmp

Filesize
136KB

Download
memory/2912-200-0x0000000002A00000-0x0000000002A12000-memory.dmp

Filesize
72KB

Download
memory/3432-324-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/4132-24-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/4132-18-0x000000001B920000-0x000000001B928000-memory.dmp

Filesize
32KB

Download
memory/4132-191-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/4132-15-0x000000001B8F0000-0x000000001B8FA000-memory.dmp

Filesize
40KB

Download
memory/4132-14-0x000000001B8E0000-0x000000001B8EC000-memory.dmp

Filesize
48KB

Download
memory/4132-13-0x000000001B8D0000-0x000000001B8DA000-memory.dmp

Filesize
40KB

Download
memory/4132-12-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/4132-17-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/4132-11-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/4132-10-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

Filesize
64KB

Download
memory/4132-1-0x00000000004A0000-0x000000000061E000-memory.dmp

Filesize
1.5MB

Download
memory/4132-25-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/4132-21-0x000000001B940000-0x000000001B948000-memory.dmp

Filesize
32KB

Download
memory/4132-7-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/4132-8-0x000000001B270000-0x000000001B278000-memory.dmp

Filesize
32KB

Download
memory/4132-6-0x000000001B240000-0x000000001B24A000-memory.dmp

Filesize
40KB

Download
memory/4132-20-0x000000001B930000-0x000000001B93C000-memory.dmp

Filesize
48KB

Download
memory/4132-5-0x000000001B250000-0x000000001B25C000-memory.dmp

Filesize
48KB

Download
memory/4132-4-0x000000001B230000-0x000000001B242000-memory.dmp

Filesize
72KB

Download
memory/4132-3-0x000000001B110000-0x000000001B118000-memory.dmp

Filesize
32KB

Download
memory/4132-2-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

Filesize
10.8MB

Download
memory/4132-16-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/4132-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

Filesize
8KB

Download
memory/4132-9-0x000000001B890000-0x000000001B89C000-memory.dmp

Filesize
48KB

Download