dcrat | 11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Size

1.5MB
MD5

c9254deead77cdb6cdb73b7afc529590
SHA1

2180a99bccb61ea1cca3999fc0282d98bba1576c
SHA256

11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527
SHA512

14de6e30fb7335b5d04c34455d567a923d11f27adacc82906fed3ac52dec973804992eae3c24a58630dbe14b271563e639c034af7428d19fbae245afdf690ade
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 12 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		860	schtasks.exe
		4196	schtasks.exe
		4908	schtasks.exe
		3296	schtasks.exe
		560	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3		11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
		4316	schtasks.exe
		2676	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
		3648	schtasks.exe
		4376	schtasks.exe
		4976	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\", \"C:\\Documents and Settings\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\", \"C:\\Documents and Settings\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\", \"C:\\Windows\\bfsvc\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\", \"C:\\Documents and Settings\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\", \"C:\\Windows\\bfsvc\\sysmon.exe\", \"C:\\Windows\\notepad\\explorer.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\", \"C:\\Documents and Settings\\dwm.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\", \"C:\\Windows\\bfsvc\\sysmon.exe\", \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\Windows\\System32\\netbios\\RuntimeBroker.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\", \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Windows\\setuperr\\sysmon.exe\", \"C:\\Windows\\WMSysPr9\\sysmon.exe\", \"C:\\Documents and Settings\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4288	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4288	schtasks.exe	82

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
1000	powershell.exe
2528	powershell.exe
888	powershell.exe
1196	powershell.exe
2776	powershell.exe
2104	powershell.exe
2160	powershell.exe
1608	powershell.exe
3436	powershell.exe
4268	powershell.exe
2180	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 12 IoCs

pid	Process
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
1528	sysmon.exe
4768	sysmon.exe
4164	sysmon.exe
2188	sysmon.exe
3052	sysmon.exe
3504	sysmon.exe
4780	sysmon.exe
2560	sysmon.exe
2308	sysmon.exe
4144	sysmon.exe
3456	sysmon.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\netbios\\RuntimeBroker.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\netbios\\RuntimeBroker.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\WMSysPr9\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\bfsvc\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\WMSysPr9\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\setuperr\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\setuperr\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\bfsvc\\sysmon.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\AppxSignature\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Documents and Settings\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Documents and Settings\\dwm.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\StartMenuExperienceHost.exe\""	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\netbios\RuntimeBroker.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\System32\netbios\9e8d7a4ca61bd9	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\System32\netbios\RuntimeBroker.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX8CB0.tmp	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\55b276f4edf653	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\RCX8ED4.tmp	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\WMSysPr9\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\bfsvc\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\notepad\explorer.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\bfsvc\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\setuperr\121e5b5079f7c0	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\WMSysPr9\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\WMSysPr9\121e5b5079f7c0	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\setuperr\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\setuperr\RCX92FD.tmp	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\notepad\explorer.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\55b276f4edf653	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File opened for modification	C:\Windows\setuperr\sysmon.exe	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\bfsvc\121e5b5079f7c0	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
File created	C:\Windows\notepad\7a0fd90576e088	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4908	schtasks.exe
4376	schtasks.exe
4976	schtasks.exe
4196	schtasks.exe
860	schtasks.exe
3648	schtasks.exe
3296	schtasks.exe
560	schtasks.exe
4316	schtasks.exe
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
2776	powershell.exe
4268	powershell.exe
2104	powershell.exe
1196	powershell.exe
3436	powershell.exe
2776	powershell.exe
2104	powershell.exe
3436	powershell.exe
4268	powershell.exe
1196	powershell.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
2740	powershell.exe
2740	powershell.exe
2528	powershell.exe
2528	powershell.exe
888	powershell.exe
888	powershell.exe
2180	powershell.exe
2180	powershell.exe
1000	powershell.exe
1000	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1528	sysmon.exe
Token: SeDebugPrivilege	4768	sysmon.exe
Token: SeDebugPrivilege	4164	sysmon.exe
Token: SeDebugPrivilege	2188	sysmon.exe
Token: SeDebugPrivilege	3052	sysmon.exe
Token: SeDebugPrivilege	3504	sysmon.exe
Token: SeDebugPrivilege	4780	sysmon.exe
Token: SeDebugPrivilege	2560	sysmon.exe
Token: SeDebugPrivilege	2308	sysmon.exe
Token: SeDebugPrivilege	4144	sysmon.exe
Token: SeDebugPrivilege	3456	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 1196	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	87
PID 3124 wrote to memory of 1196	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	87
PID 3124 wrote to memory of 3436	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	88
PID 3124 wrote to memory of 3436	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	88
PID 3124 wrote to memory of 2776	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	89
PID 3124 wrote to memory of 2776	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	89
PID 3124 wrote to memory of 4268	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	90
PID 3124 wrote to memory of 4268	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	90
PID 3124 wrote to memory of 2104	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	91
PID 3124 wrote to memory of 2104	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	91
PID 3124 wrote to memory of 2800	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	96
PID 3124 wrote to memory of 2800	3124	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	96
PID 2800 wrote to memory of 2764	2800	cmd.exe	99
PID 2800 wrote to memory of 2764	2800	cmd.exe	99
PID 2800 wrote to memory of 4496	2800	cmd.exe	102
PID 2800 wrote to memory of 4496	2800	cmd.exe	102
PID 4496 wrote to memory of 2740	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	111
PID 4496 wrote to memory of 2740	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	111
PID 4496 wrote to memory of 2180	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	112
PID 4496 wrote to memory of 2180	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	112
PID 4496 wrote to memory of 2160	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	113
PID 4496 wrote to memory of 2160	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	113
PID 4496 wrote to memory of 1608	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	114
PID 4496 wrote to memory of 1608	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	114
PID 4496 wrote to memory of 1000	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	115
PID 4496 wrote to memory of 1000	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	115
PID 4496 wrote to memory of 2528	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	116
PID 4496 wrote to memory of 2528	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	116
PID 4496 wrote to memory of 888	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	117
PID 4496 wrote to memory of 888	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	117
PID 4496 wrote to memory of 3304	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	125
PID 4496 wrote to memory of 3304	4496	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe	125
PID 3304 wrote to memory of 2436	3304	cmd.exe	127
PID 3304 wrote to memory of 2436	3304	cmd.exe	127
PID 3304 wrote to memory of 1528	3304	cmd.exe	130
PID 3304 wrote to memory of 1528	3304	cmd.exe	130
PID 1528 wrote to memory of 3512	1528	sysmon.exe	131
PID 1528 wrote to memory of 3512	1528	sysmon.exe	131
PID 1528 wrote to memory of 2836	1528	sysmon.exe	132
PID 1528 wrote to memory of 2836	1528	sysmon.exe	132
PID 3512 wrote to memory of 4768	3512	WScript.exe	134
PID 3512 wrote to memory of 4768	3512	WScript.exe	134
PID 4768 wrote to memory of 4572	4768	sysmon.exe	135
PID 4768 wrote to memory of 4572	4768	sysmon.exe	135
PID 4768 wrote to memory of 4744	4768	sysmon.exe	136
PID 4768 wrote to memory of 4744	4768	sysmon.exe	136
PID 4572 wrote to memory of 4164	4572	WScript.exe	138
PID 4572 wrote to memory of 4164	4572	WScript.exe	138
PID 4164 wrote to memory of 2320	4164	sysmon.exe	139
PID 4164 wrote to memory of 2320	4164	sysmon.exe	139
PID 4164 wrote to memory of 764	4164	sysmon.exe	140
PID 4164 wrote to memory of 764	4164	sysmon.exe	140
PID 2320 wrote to memory of 2188	2320	WScript.exe	141
PID 2320 wrote to memory of 2188	2320	WScript.exe	141
PID 2188 wrote to memory of 924	2188	sysmon.exe	142
PID 2188 wrote to memory of 924	2188	sysmon.exe	142
PID 2188 wrote to memory of 4972	2188	sysmon.exe	143
PID 2188 wrote to memory of 4972	2188	sysmon.exe	143
PID 924 wrote to memory of 3052	924	WScript.exe	144
PID 924 wrote to memory of 3052	924	WScript.exe	144
PID 3052 wrote to memory of 3456	3052	sysmon.exe	145
PID 3052 wrote to memory of 3456	3052	sysmon.exe	145
PID 3052 wrote to memory of 3736	3052	sysmon.exe	146
PID 3052 wrote to memory of 3736	3052	sysmon.exe	146

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
"C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\setuperr\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QVvvemhqFL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe
    "C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\WMSysPr9\sysmon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\dwm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bfsvc\sysmon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\notepad\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netbios\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4nJEb9CXNg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2436
    - - C:\Windows\bfsvc\sysmon.exe
        
        "C:\Windows\bfsvc\sysmon.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e828d42-6f7b-4a6e-8694-642c261466e6.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44d5e932-7ad4-40c5-8193-85cf4a41e80f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbfaf9f3-f423-4c57-b08c-1b47c2cc0ab3.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d85651b-b6fa-4fad-9e94-cb1f4633668f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07507dd-547c-414a-bd1a-44a287d5bbb4.vbs"
        14⤵
        
        PID:3456
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae52663-1a54-49c0-9969-775b868d92ed.vbs"
        16⤵
        
        PID:4388
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ce16b0-7ba3-4e05-a4af-7a6a213e906d.vbs"
        18⤵
        
        PID:3032
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0185ab5-cba5-41b6-a279-f6545339c5c3.vbs"
        20⤵
        
        PID:3764
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cca690-f21f-4dcb-8c0e-086cfb189866.vbs"
        22⤵
        
        PID:836
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\547b3786-33ee-492d-83e5-ddb0fb8e83a6.vbs"
        24⤵
        
        PID:5052
        
        C:\Windows\bfsvc\sysmon.exe
        
        C:\Windows\bfsvc\sysmon.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c06b591f-0141-4d68-b05a-bff0555c7ba1.vbs"
        26⤵
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d183e52c-82dc-46c4-9eb3-79849b13f04f.vbs"
        26⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0c185e-0641-4b5f-92c7-6f624232716f.vbs"
        24⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d89dc4-82b2-4971-9d62-573cd1bd6555.vbs"
        22⤵
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b747c52-52f1-4734-9ffc-f1ccf9d80152.vbs"
        20⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60148e7e-98ca-476f-b71f-3613845c5282.vbs"
        18⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ef92b0-d4a8-4237-abf5-5513468312e3.vbs"
        16⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc86990d-d8b6-46df-881c-a1dc2b7237cc.vbs"
        14⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdfc3974-42dd-4327-bede-7a9ea6d1b737.vbs"
        12⤵
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3414ff02-01fc-4ad8-ab3b-69c7aadc840a.vbs"
        10⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7583509-e30b-4a65-bd9a-1ab6503bcab4.vbs"
        8⤵
        
        PID:4744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1ce483-cb4d-438b-942a-f5a9f624abcf.vbs"
        6⤵
        
        PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppxSignature\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\setuperr\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\WMSysPr9\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\bfsvc\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\netbios\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
1.5MB

MD5
c9254deead77cdb6cdb73b7afc529590

SHA1
2180a99bccb61ea1cca3999fc0282d98bba1576c

SHA256
11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527

SHA512
14de6e30fb7335b5d04c34455d567a923d11f27adacc82906fed3ac52dec973804992eae3c24a58630dbe14b271563e639c034af7428d19fbae245afdf690ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\11aeb15d1660a266d50bc880e1b9b2ffa865313603c671d7a5b49601f4ee8527N.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a83ce2908066654f712d1858746bc3c4

SHA1
14887f0537ce076cdc91801fb5fa584b25f1089f

SHA256
7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f

SHA512
991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60f7ba83c688c80b331e8b979ee3f29d

SHA1
0a7eb61e59c008ff19c4cf235badf7619150c25a

SHA256
859b1842a5ad947f7c2566cd5f12b9becc1e9f110588e99aa492c92064d4041f

SHA512
9a6f0aa453e22d8b46da1ee715a41227ac717cdf15598f6810e2fb6791660058e806a0221508b92bb2daca91e20c5ff60f4df1e9dd1f9086a2e9a1b94d345827

Download Submit
C:\Users\Admin\AppData\Local\Temp\44d5e932-7ad4-40c5-8193-85cf4a41e80f.vbs

Filesize
703B

MD5
89cd391bec04ecc36bffc1765da47c14

SHA1
b1e04c5bdea13647489ae0b826ef66ef23fe2705

SHA256
28d3cc7f573d9006de6dcfb96759cecc97f72957cec1efc7b8557e01a36640a9

SHA512
dcdfd6429f001b8cf990198760a666a833dbecc77bb50d8b086015f85b13f61bd92aeabfb7dce89ad1ef02bb024f53a84c08af8e6e61941b9c337cb08d128ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e828d42-6f7b-4a6e-8694-642c261466e6.vbs

Filesize
703B

MD5
60cc090cf0fd3c47661aef448d20a978

SHA1
10c9a25c22bcff4f69c8ad8a7dfba4e21dd36697

SHA256
430bbbdde3805f191f573f7d20d9c85b915c70fa9107195ed14ad2a129baabda

SHA512
5d0100a6dda1fdec66f1deb2e741c387f8b0b619a93334f9b6775888b4058e45e61fe063f5b44c40a27d0abfd6a4caa825a743d3f1b3148cbb01b8ae1494098e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4nJEb9CXNg.bat

Filesize
191B

MD5
dfe908a03299d00cbeeec35cd34e6998

SHA1
4901ae4f4caa049b39cbc273703cc564494cda8b

SHA256
d5bb278914ddbf071d1223c9f91a8d552fb68cd82adf25216c1e799a4c9a8c6e

SHA512
acae0d6f848f8031925f9f7fa08ff432a14e6af1f78dd124f42e10830c48ab8de31c35308026dcb549208657b84622808cd3b6233d7cd6c121d5c2fdfb93da20

Download Submit
C:\Users\Admin\AppData\Local\Temp\547b3786-33ee-492d-83e5-ddb0fb8e83a6.vbs

Filesize
703B

MD5
e81083585ab9ff043e50b1ccc8c6a6e0

SHA1
52f1bc2c6cbdd01610a7308f89088595699e57d1

SHA256
f46fc4405da51f599d1f3a08037990730c8e6c555f098b55962e9d8331a4be47

SHA512
b2bfe9725dc6ecb9afe4945dcce48dc0c52382700d8c6ff5b5645b90e35321f179568c3db3f85c4cbce832d597d7fb537499ae69064f76fc5a3c650bf34ee592

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e1ce483-cb4d-438b-942a-f5a9f624abcf.vbs

Filesize
479B

MD5
7b821f22eb91e4f7c842b2a7a834acc7

SHA1
1c7548042a541aa6e48d26846a1bb5ff9f5b9d37

SHA256
aeb0cb3ac7bfbc5c9ee247a495c28874d1b58fd38c5030e4a8d37b7337b99f3d

SHA512
39d6fe51e4a5af56b57c5068aa1ae75a624bcdd9b5a6d7ba2e568a97f80b97998425b8069be947220e4f5fbf7ccb60bca211a216f5a23d00b8d8109a922e6aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\72ce16b0-7ba3-4e05-a4af-7a6a213e906d.vbs

Filesize
703B

MD5
2fb183a7b6d1697cc9d20b46325ca7ef

SHA1
21ed4eb7be8d8d24d9b3961d59dfbcfdbfb1c584

SHA256
90e2e46266ecb00e857444daaf3ae89e77d2ce0ac2f58fd2c43f353a62d86a14

SHA512
0e9cc411f0a2b5dd0df003ee9d4745c3bbd53c55ecd11e5e0e9f88ca430f3695e0d822bfa81945eba91195b57014a794dc7dde9d0e73b1b1e8ae8d4ec9b07145

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d85651b-b6fa-4fad-9e94-cb1f4633668f.vbs

Filesize
703B

MD5
690ffb8f5f4cc402b26b4b55b2299b57

SHA1
17a0cab03556b46a0d46a3200182c8f357c21921

SHA256
f68bdb1ffd1d745c2ae929082e0304c7a32b81a47f466d0b4a84902e8656da6c

SHA512
ca927c5fc537fda0695c313a62f18cd4add4f6208ca6bcaa526d412dadeb426b56c914d4ebfce29204229cabd6adde96f4476bda51b8ad48571a85e3d6a10b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QVvvemhqFL.bat

Filesize
267B

MD5
70d0a2b9e834e55045dec5e19c70c35a

SHA1
03a91cebc61391f94adae383092b282f6145fef3

SHA256
0bf00fb05975e974d51c1f25fbffc980e2ea2ee34ea91f3f5c7051fb26cb2a9d

SHA512
e0d06121956f77d3a5b17923b25ac655d3414a1044bfb97f54b2c3c306911938c2a0e723d7bcbcf487b5ed8508d7b536b11435c8d3acc2805568caa010b79c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zj0b0u1d.1uq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0185ab5-cba5-41b6-a279-f6545339c5c3.vbs

Filesize
703B

MD5
b161ab0aaa11048eb887813cc00c08e9

SHA1
1abdf48facd6765068553e4ecb1e37089b6e797e

SHA256
e763ff478617166de378795ed5ffe89945827d5475ee6a871619446e2527712f

SHA512
8b50d32651194a351a87aa37cc169013021e0590a420577fac11cd6159c9068df6040636f07be4caa8f11340c01579610ae0af143cd84f279948f80fbe84a79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c06b591f-0141-4d68-b05a-bff0555c7ba1.vbs

Filesize
703B

MD5
421b39251e0406e16b075e4bac35af38

SHA1
9aff7d2633a1867491ff13936b4aee15ba0ebabe

SHA256
0935a6fdbc0537c968c88e4c434d2d067280684ab7d73be93593c7f37a3b7e42

SHA512
39b59e8b1489a7a8ef62ca54425f90dbfa33de9668f309dcd9893ad4ef88eb01bc9281ecf246bfe2b0ce1812b84899a0f23122feec85fb8df9702b5162d2d3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c07507dd-547c-414a-bd1a-44a287d5bbb4.vbs

Filesize
703B

MD5
0fad66233013461ea9817f04cde21812

SHA1
c2d82145b3e5eda64909d9f1ed277a0ba0f50c06

SHA256
e09510a0f0d8e078603acaa162c47c61ef9c037e85bfa4ef1e3d2044a00952fb

SHA512
ec02de870cbd8e25278f9d39e259388ade656bc5a90727753beb6a901751fb646f4c20760188d26680fb52e3a360dabe2a033f2ff2203c6c63c11539371723e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cae52663-1a54-49c0-9969-775b868d92ed.vbs

Filesize
703B

MD5
cdec094c76070d05e593409b1e3a8404

SHA1
40d30e3c1ed1b75bfbf6733506a998ddc8385c8b

SHA256
5ae43d599cfe62cd9e621dc68ef0100d4ca8989c4197d79a96df5cc1bf8f90e2

SHA512
9a6ffe6bbe53c1ada370c3dd9c1ce99cc857c6bd690fa8cade4fa5eb2e9f27c4738023c513055e588ea79c2c4ccb25468af04f67cf1687c9bfad35d38eebb90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfaf9f3-f423-4c57-b08c-1b47c2cc0ab3.vbs

Filesize
703B

MD5
5777e6955033f93dec3b59c761702c85

SHA1
6c0167f81ada5faf0b46d41ad8619b5b4fd2727a

SHA256
7533f0dbebecc9f00baa268a6cfeff0220d2d10f2f18dbc792b2f7edb57eb5d9

SHA512
6036700d283b3434e8e1aad9e225720cb225b77adb8d7173840f35aa3eab33e3a9eaa2ea3744ddbf07b4c212d38e90b1632c3b1a50096121c9f63c1d2b97c403

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0cca690-f21f-4dcb-8c0e-086cfb189866.vbs

Filesize
703B

MD5
eb7430d49b767935f79bc42377a56613

SHA1
f0dc853d9bddeb1369fc8f7d75b9552ecf2fd6da

SHA256
9a0a0ac0c39abd211b4d1b678fe2f169a1bb503dcf1a34705ec2f9505a7ab491

SHA512
6e4c1aac11e6207715d836cd47aadcb205a9140883ef9c79b60833d1e62ef1d3739cda5f830bab24f4a27bb72c6feea0853ca5a5d371f71a03baec2450212d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
592B

MD5
ed7168896fb58b343c12af787d26831a

SHA1
4a0fa782756d1316707b6036da114cfba45654d1

SHA256
fe23b8d4ee4f63798d5f64f48b83c29b4c420a16a03803e48d93785cf53de713

SHA512
563ef3e64d94c24e79db0ea4c91732e8d64444a4a085c642e29e2d9fc732fb7a24af1b49b846deff445745e01176c8db2cbae70339ba196525a500f88d9478d5

Download Submit
memory/1528-241-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/2188-276-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2308-333-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/2560-321-0x0000000001AF0000-0x0000000001B02000-memory.dmp

Filesize
72KB

Download
memory/2776-77-0x000001D0741E0000-0x000001D074202000-memory.dmp

Filesize
136KB

Download
memory/3124-0-0x00007FFC7EB33000-0x00007FFC7EB35000-memory.dmp

Filesize
8KB

Download
memory/3124-3-0x0000000001600000-0x0000000001608000-memory.dmp

Filesize
32KB

Download
memory/3124-16-0x000000001C020000-0x000000001C028000-memory.dmp

Filesize
32KB

Download
memory/3124-14-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/3124-12-0x0000000002EE0000-0x0000000002EE8000-memory.dmp

Filesize
32KB

Download
memory/3124-11-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/3124-10-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3124-9-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/3124-7-0x0000000002E90000-0x0000000002E9C000-memory.dmp

Filesize
48KB

Download
memory/3124-15-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/3124-8-0x0000000002EA0000-0x0000000002EA8000-memory.dmp

Filesize
32KB

Download
memory/3124-6-0x0000000002E70000-0x0000000002E7A000-memory.dmp

Filesize
40KB

Download
memory/3124-5-0x0000000002E80000-0x0000000002E8C000-memory.dmp

Filesize
48KB

Download
memory/3124-13-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

Filesize
40KB

Download
memory/3124-20-0x000000001C050000-0x000000001C05C000-memory.dmp

Filesize
48KB

Download
memory/3124-17-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/3124-4-0x0000000002E60000-0x0000000002E72000-memory.dmp

Filesize
72KB

Download
memory/3124-70-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-38-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-2-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-18-0x000000001C040000-0x000000001C048000-memory.dmp

Filesize
32KB

Download
memory/3124-25-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-24-0x00007FFC7EB30000-0x00007FFC7F5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-21-0x000000001C3C0000-0x000000001C3C8000-memory.dmp

Filesize
32KB

Download
memory/3124-1-0x0000000000BB0000-0x0000000000D2E000-memory.dmp

Filesize
1.5MB

Download
memory/4144-345-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/4496-131-0x0000000002370000-0x0000000002382000-memory.dmp

Filesize
72KB

Download