dcrat | 69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Size

1.5MB
MD5

7b45d565ba6ca684897302d0eefc4b60
SHA1

5a48de7a66d4d2b46d296a9049dbe8f61b401989
SHA256

69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274
SHA512

6b770cc9b06f8295bd2dc1d8f5d52c4ff60d0db36baa44511dc960886f0f3670a92c23bab570f14b22aae87f47a5466ce89a1a85032d1dae40bd3da1714284c9
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
		1652	schtasks.exe
		2668	schtasks.exe
		2676	schtasks.exe
		2688	schtasks.exe
File created	C:\Windows\System32\wshom\101b941d020240		69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
		2592	schtasks.exe
		2568	schtasks.exe
		3048	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\", \"C:\\Windows\\System32\\shacct\\taskhost.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\", \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Windows\\System32\\mfc110\\winlogon.exe\", \"C:\\Program Files\\7-Zip\\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\", \"C:\\Windows\\System32\\shacct\\taskhost.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\", \"C:\\Windows\\System32\\shacct\\taskhost.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\", \"C:\\Windows\\System32\\shacct\\taskhost.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\", \"C:\\Documents and Settings\\sppsvc.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wshom\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\", \"C:\\Windows\\System32\\shacct\\taskhost.exe\", \"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\", \"C:\\Documents and Settings\\sppsvc.exe\", \"C:\\Windows\\System32\\mfc110\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2824	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2824	schtasks.exe	31

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1528	powershell.exe
1612	powershell.exe
400	powershell.exe
320	powershell.exe
1364	powershell.exe
780	powershell.exe
2860	powershell.exe
1524	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe

Executes dropped EXE 14 IoCs

pid	Process
1760	lsm.exe
2816	lsm.exe
568	lsm.exe
1704	lsm.exe
1408	lsm.exe
2204	lsm.exe
2728	lsm.exe
908	lsm.exe
2896	lsm.exe
1708	lsm.exe
2300	lsm.exe
2952	lsm.exe
2260	lsm.exe
2180	lsm.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc110\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274 = "\"C:\\Program Files\\7-Zip\\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\wshom\\lsm.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Windows Mail\\WMIADAP.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\shacct\\taskhost.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\shacct\\taskhost.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274 = "\"C:\\Program Files\\7-Zip\\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\wshom\\lsm.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc110\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\DeviceDisplayObjectProvider\\winlogon.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Documents and Settings\\sppsvc.exe\""	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wshom\lsm.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\mfc110\winlogon.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\shacct\taskhost.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\DeviceDisplayObjectProvider\winlogon.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\mfc110\RCXE22B.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\wshom\lsm.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\wshom\101b941d020240	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\shacct\b75386f1303e64	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\DeviceDisplayObjectProvider\cc11b995f2a76d	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\mfc110\cc11b995f2a76d	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\shacct\RCXDB45.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\mfc110\winlogon.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\shacct\taskhost.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Windows\System32\DeviceDisplayObjectProvider\winlogon.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\wshom\RCXD6D0.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Windows\System32\DeviceDisplayObjectProvider\RCXDD49.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Program Files\7-Zip\bd0fcb4dd71aa5	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD941.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WMIADAP.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Program Files\7-Zip\RCXE49C.tmp	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File opened for modification	C:\Program Files\7-Zip\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Program Files (x86)\Windows Mail\WMIADAP.exe	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
File created	C:\Program Files (x86)\Windows Mail\75a57c1bdf437c	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
2592	schtasks.exe
1652	schtasks.exe
2668	schtasks.exe
2568	schtasks.exe
2676	schtasks.exe
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
1524	powershell.exe
1528	powershell.exe
1364	powershell.exe
320	powershell.exe
780	powershell.exe
400	powershell.exe
2860	powershell.exe
1612	powershell.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
1760	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe
2816	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1760	lsm.exe
Token: SeDebugPrivilege	2816	lsm.exe
Token: SeDebugPrivilege	568	lsm.exe
Token: SeDebugPrivilege	1704	lsm.exe
Token: SeDebugPrivilege	1408	lsm.exe
Token: SeDebugPrivilege	2204	lsm.exe
Token: SeDebugPrivilege	2728	lsm.exe
Token: SeDebugPrivilege	908	lsm.exe
Token: SeDebugPrivilege	2896	lsm.exe
Token: SeDebugPrivilege	1708	lsm.exe
Token: SeDebugPrivilege	2300	lsm.exe
Token: SeDebugPrivilege	2952	lsm.exe
Token: SeDebugPrivilege	2260	lsm.exe
Token: SeDebugPrivilege	2180	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 400	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	39
PID 2380 wrote to memory of 400	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	39
PID 2380 wrote to memory of 400	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	39
PID 2380 wrote to memory of 320	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	40
PID 2380 wrote to memory of 320	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	40
PID 2380 wrote to memory of 320	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	40
PID 2380 wrote to memory of 1364	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	42
PID 2380 wrote to memory of 1364	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	42
PID 2380 wrote to memory of 1364	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	42
PID 2380 wrote to memory of 780	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	44
PID 2380 wrote to memory of 780	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	44
PID 2380 wrote to memory of 780	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	44
PID 2380 wrote to memory of 2860	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	45
PID 2380 wrote to memory of 2860	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	45
PID 2380 wrote to memory of 2860	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	45
PID 2380 wrote to memory of 1524	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	47
PID 2380 wrote to memory of 1524	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	47
PID 2380 wrote to memory of 1524	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	47
PID 2380 wrote to memory of 1528	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	48
PID 2380 wrote to memory of 1528	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	48
PID 2380 wrote to memory of 1528	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	48
PID 2380 wrote to memory of 1612	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	49
PID 2380 wrote to memory of 1612	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	49
PID 2380 wrote to memory of 1612	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	49
PID 2380 wrote to memory of 2192	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	55
PID 2380 wrote to memory of 2192	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	55
PID 2380 wrote to memory of 2192	2380	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe	55
PID 2192 wrote to memory of 1680	2192	cmd.exe	57
PID 2192 wrote to memory of 1680	2192	cmd.exe	57
PID 2192 wrote to memory of 1680	2192	cmd.exe	57
PID 2192 wrote to memory of 1760	2192	cmd.exe	58
PID 2192 wrote to memory of 1760	2192	cmd.exe	58
PID 2192 wrote to memory of 1760	2192	cmd.exe	58
PID 1760 wrote to memory of 600	1760	lsm.exe	59
PID 1760 wrote to memory of 600	1760	lsm.exe	59
PID 1760 wrote to memory of 600	1760	lsm.exe	59
PID 1760 wrote to memory of 2244	1760	lsm.exe	60
PID 1760 wrote to memory of 2244	1760	lsm.exe	60
PID 1760 wrote to memory of 2244	1760	lsm.exe	60
PID 600 wrote to memory of 2816	600	WScript.exe	61
PID 600 wrote to memory of 2816	600	WScript.exe	61
PID 600 wrote to memory of 2816	600	WScript.exe	61
PID 2816 wrote to memory of 2468	2816	lsm.exe	62
PID 2816 wrote to memory of 2468	2816	lsm.exe	62
PID 2816 wrote to memory of 2468	2816	lsm.exe	62
PID 2816 wrote to memory of 2572	2816	lsm.exe	63
PID 2816 wrote to memory of 2572	2816	lsm.exe	63
PID 2816 wrote to memory of 2572	2816	lsm.exe	63
PID 2468 wrote to memory of 568	2468	WScript.exe	64
PID 2468 wrote to memory of 568	2468	WScript.exe	64
PID 2468 wrote to memory of 568	2468	WScript.exe	64
PID 568 wrote to memory of 2080	568	lsm.exe	65
PID 568 wrote to memory of 2080	568	lsm.exe	65
PID 568 wrote to memory of 2080	568	lsm.exe	65
PID 568 wrote to memory of 1796	568	lsm.exe	66
PID 568 wrote to memory of 1796	568	lsm.exe	66
PID 568 wrote to memory of 1796	568	lsm.exe	66
PID 2080 wrote to memory of 1704	2080	WScript.exe	67
PID 2080 wrote to memory of 1704	2080	WScript.exe	67
PID 2080 wrote to memory of 1704	2080	WScript.exe	67
PID 1704 wrote to memory of 1676	1704	lsm.exe	68
PID 1704 wrote to memory of 1676	1704	lsm.exe	68
PID 1704 wrote to memory of 1676	1704	lsm.exe	68
PID 1704 wrote to memory of 1444	1704	lsm.exe	69

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe
"C:\Users\Admin\AppData\Local\Temp\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wshom\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\shacct\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceDisplayObjectProvider\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc110\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DpvWVvZ2ab.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1680
- - C:\Windows\System32\wshom\lsm.exe
    "C:\Windows\System32\wshom\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1760
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14413e31-bdc6-46ba-99d4-72f9fa3717dd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2816
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33a7dc9e-4b8b-46dd-800e-437e28887541.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2aaa6b-7561-4c85-8fd6-a2e54312310c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b6d7958-8528-41c0-bee7-959eb79690ac.vbs"
        10⤵
        
        PID:1676
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc63ea57-e1c7-4d34-8472-a3cd7f87d962.vbs"
        12⤵
        
        PID:1364
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8d1a87-f036-483f-a097-3deab71b72a4.vbs"
        14⤵
        
        PID:2088
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0246a111-bfee-4860-a0da-ee1b0b4fe5cc.vbs"
        16⤵
        
        PID:2776
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5f36ab1-8a90-4b9b-b7ff-d5c742a76ced.vbs"
        18⤵
        
        PID:2960
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3cffb13-8f5a-4d5b-8308-e9e89a1f28f5.vbs"
        20⤵
        
        PID:400
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f9adb57-edac-4977-b298-e1c7f0949701.vbs"
        22⤵
        
        PID:1644
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75c461f0-86b9-47a2-a6aa-b774cae3de1a.vbs"
        24⤵
        
        PID:2764
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0558c257-9518-46c9-8e18-b0a7226855bd.vbs"
        26⤵
        
        PID:1588
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77389384-9677-42ed-8479-60f59506640b.vbs"
        28⤵
        
        PID:1456
        
        C:\Windows\System32\wshom\lsm.exe
        
        C:\Windows\System32\wshom\lsm.exe
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ff4735-cddd-4c96-8b15-81d9594a4a2c.vbs"
        28⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b47e5c-2aad-42c4-aac2-28663039db34.vbs"
        26⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d4e14e6-a406-416f-84b4-1af653e8daa6.vbs"
        24⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b87dbd9a-6e6d-4880-b8f9-c30607b6df57.vbs"
        22⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07e1db3e-25b8-4306-afc2-42e9d82fbc42.vbs"
        20⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2806230-f0b0-4948-a8d6-c6f6cf2ce63d.vbs"
        18⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb713658-c677-48f2-af9a-1b5911dce72b.vbs"
        16⤵
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55b8f5c8-257c-43fa-af8a-e74f85ece407.vbs"
        14⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bb162f2-6aaf-4ddb-b64e-7916b1dd18ad.vbs"
        12⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53aaf522-946d-4a28-bcef-92a66a323ca1.vbs"
        10⤵
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e1ba34f-4b52-4f92-9d3d-19a52b4140e1.vbs"
        8⤵
        
        PID:1796
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bacd2c1d-08f1-4028-9cf8-8231d1839cdf.vbs"
        6⤵
        
        PID:2572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c325b0b-4cb9-4f82-b735-d206cf8e8278.vbs"
      4⤵
      PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\wshom\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\shacct\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\DeviceDisplayObjectProvider\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Documents and Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\mfc110\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274" /sc ONLOGON /tr "'C:\Program Files\7-Zip\69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0246a111-bfee-4860-a0da-ee1b0b4fe5cc.vbs

Filesize
709B

MD5
4754705db8bbe83d98d9a8a2d7629f99

SHA1
677bae5abaeb802c412138565e24b26ea70dca6e

SHA256
d2e80c06b8e0469c0e8e740d2c24b14b3b1dd4e671edaacdc00c81046ce077b2

SHA512
932b0592600bd157e15af647d55003a2cc806f66436c2840bf2834b04f24a22cfa05cdea6b6d5c95c5e5a4dd3dff7dfa45616e4c75c1d187991780d714d16082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0558c257-9518-46c9-8e18-b0a7226855bd.vbs

Filesize
709B

MD5
0c6b84f175a44ca0ccee72ca9f3745b8

SHA1
7eed6247dadd96f8e3330cba067cb11cf950cca5

SHA256
c84fee647652c5f22a20685b309daed793c8f69ffcf496bfe4588ffbf4bbc349

SHA512
5a3ced7a27b23ba2ec909bdc9c627dd818ccf4e209a15de4b2ec9995f834142d29968e2b3ebe1997c5b9d4c36b8a96ac1cc74b1849d3eef0dec4236eb07a2187

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e2aaa6b-7561-4c85-8fd6-a2e54312310c.vbs

Filesize
708B

MD5
0bdabba4ad7fa99ac574664e1ef69eff

SHA1
002937cd92be7ed2755c6763c09db62e9ab183df

SHA256
ea8bef0233db3ded2d79ba77081f62dd7ee4119eda5eb77b3284bd8ab4ec2a3e

SHA512
070dd5197b2a2436afd6259f422da5325288348f1027afd57e0771ce3cecf846f79748200e50e286984af84d3f618d714e1486faf3ca4d5ce106affb26186e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\14413e31-bdc6-46ba-99d4-72f9fa3717dd.vbs

Filesize
709B

MD5
b658d0772be604e59d21c63b197eab6e

SHA1
e955b76ed52b2ce31f6a0407380cf21bf7a4e074

SHA256
9727363c797a358ea7913b0009288255d4f67cd43e4c6a8f5dfd444ac53663db

SHA512
565df7e512b99dcfb97a54053ab9cd790c3801663ba4c07e141e2b30ff0be3c45e7382c7ed0752812c577fecd8593cdfa7bbda28b1f85eb6db423e8334736ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b6d7958-8528-41c0-bee7-959eb79690ac.vbs

Filesize
709B

MD5
622b717b963d7d08edf1a61cea03fa4d

SHA1
9804edc41d211726bd55fd1e60a67e919028e377

SHA256
12d899aaf83ef3aedf0abcd497afb4939205db3f4cbd970ea5ff8e7d48d0364f

SHA512
4c9a2aa65882caa26b41e8aa3de937a588aeb6f3765cc447a81bd2d97b88979862905d816846406353738b85c38e9a377d398a79325aae960099a3d2b8c010c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\33a7dc9e-4b8b-46dd-800e-437e28887541.vbs

Filesize
709B

MD5
2827f45623f42fa1486980142e41c7b5

SHA1
19529d4d2ed75a6f1151ad5d42da8bdf299c3a6d

SHA256
258a1c13bec062efb18c51051f49c1d17f941b273c21d5ae0b9a05d95af97d71

SHA512
37a60d4cd83e22b80159d17aeaa700ba322d58f5eaff97ccf40577fd91a0f69782371e9b5b54aec74b0bd448fbbe55b8d5111ab36d55591c0aaeb98b6e24c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\75c461f0-86b9-47a2-a6aa-b774cae3de1a.vbs

Filesize
709B

MD5
37f48d2b8c744172fa6548cecf1afb0d

SHA1
def34fdf23f294fdb604dfed3468042fc30ad70a

SHA256
bf27e8e7ea4ee7d96b26075ff6b2e56de5d179c7cc0296982cde0fa5c51a6b62

SHA512
2ef9773dc599bdc83e7c38fce9bfb78dfacbb32ba2b167d39bf98b365da2e1dd08fc741026cfaf0ed1f58a514149169a766a4a91967aca314020905e7bb05e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\77389384-9677-42ed-8479-60f59506640b.vbs

Filesize
709B

MD5
f33b2252057d9544b10fbe25c7ae7e40

SHA1
a38264984f5828c4c584198e0ad1e3f4d983874e

SHA256
f009c7a2cc8b8cbf826f94b1f3ce5b7076f322ecf790e038ec4746f8c704d5c0

SHA512
4b6e0ba3b3c31914de001131c802f261ca2e032155cd839a3ade47951c9610e852e9e7fa1524f060feb93e03ffc2beaf9b9c08f93c081e083000aaa01a1176cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b8d1a87-f036-483f-a097-3deab71b72a4.vbs

Filesize
709B

MD5
22d3b57c6fd184cd985d4a95e51211c0

SHA1
0cfc5a06d9f3396b79563e4090191ec348298681

SHA256
1eba4534742ccf603b46c9399c220b67720ef1ec85aa72e1925217d1b0b785e0

SHA512
a112d381eecd83e0b61f221f5c2569c332485e821b6546f331ff9dc7e3f966bb7507abee7a9392c0e5e357b107d5c3dc160456ca5aaba042eb084d4915dd308d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c325b0b-4cb9-4f82-b735-d206cf8e8278.vbs

Filesize
485B

MD5
a1da76f3a7d9f744407b9e3d459c01a0

SHA1
910591842c016dab42ca40e86a363c8bd900b65a

SHA256
7a612af890fb1bc88cb1ae3749417f1a057678c31db70ee5fc2cc3b6df42ff3e

SHA512
28b90f833694ad154c9a81bcc9f8d0fe49232453698a0422804516d0700f4e77b9067e30a494cb5d8185a287c9d4c1f93c5f5397a336fb2bc563ea82b4f2d070

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f9adb57-edac-4977-b298-e1c7f0949701.vbs

Filesize
709B

MD5
1f9ab974d9564d42259c0ef5f6c7ba52

SHA1
182679556eff41419992590789a63b97711484e1

SHA256
235d8b2359b712b4058b809255e6ccf7bfac7eac616ba0f85054659eeeecb2e0

SHA512
61a556fc4a97f346c4dca8290aa4535c31105423e8a20ec238328ae29bf4bc8d6e949eb1b82cd8dc08d0f5a68877faf6ccb5b460b432cfca60ecc0e84eff83c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DpvWVvZ2ab.bat

Filesize
197B

MD5
c4acf3d92ffc33d0e63adb46739291c2

SHA1
4dba75a989e17f7cad687f060eb15a580ed37c63

SHA256
e3e3c568f32ca4545012ae6c09319b1c93d334f093c5e9e69890d1bde120af26

SHA512
074319c8b79f84b5bcba30c84544fcd69382ec7342ee765077ea2d02a1229cb2e70084b1c8dbea573e6b5441b82a85880a430be1d43d52ba2dd5e38fc4b5e81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3cffb13-8f5a-4d5b-8308-e9e89a1f28f5.vbs

Filesize
709B

MD5
2797ee6f51f2530d8b3c70f0a8f4e461

SHA1
6ccd2c74f60b13e77617c3b6d73875f19017dd9f

SHA256
6953a58427e8b301276b58641ed4adf7b1568811b80c420e057898ee353bb3e4

SHA512
f9c5f4034228d3c3ced84fc28c35ec89c67b12a4281ed7eac088e040409b850a886bf539c4b0e46172c82a5208f4113fad61ad1ce3bbe6e58aa64f9c6e528256

Download Submit
C:\Users\Admin\AppData\Local\Temp\b94d87c3b5b57da5025812e6b4e2aae870a859b3.exe

Filesize
1.5MB

MD5
03a413f17d11af6f658c58575b4371b6

SHA1
bb39f9eb00394fe1b2517c4b115f84cce37d834a

SHA256
d5a59a6b4cc904b74b5e7f05c7bd862f5ac205f76f37e719b944e38638d09c85

SHA512
938cdebfb21d91f0cd1e76141ffe9c9308060462183c73485efc4b41d29d9aca3bd01b0680c5fe00e0bf3f63c5766c026ec4fa6054a4fccf7823e514f26234c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc63ea57-e1c7-4d34-8472-a3cd7f87d962.vbs

Filesize
709B

MD5
a811312b663355b3acd63ea19f212a70

SHA1
49dcaf1519dc3525c9c9aa1419be0d928866eef6

SHA256
8a51440ae5020b210262dd0fefa8bbb9b6788102366d2cd9fe97421f08b04796

SHA512
a8bebbb25b4e6ab7a7be94af4c55c04d8c3f1f175628a82e1c871f531f6433589c105e15f4830fbf35c4cb15314a337c109f1c3bb09301b1fb11d3ce8208ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5f36ab1-8a90-4b9b-b7ff-d5c742a76ced.vbs

Filesize
708B

MD5
c40de686ed7a9d79520aa9da8cd850e0

SHA1
9e2e58741f29e45aec17662bc3eefef19860caed

SHA256
8caae72e45c396a55571b78e1f1428fef0be150181fec0d874c50664f0860035

SHA512
a8816e05ef23b9a7e4d5aea8e63fbb2b6efe4a741acbcc773aa6a1f03618e6e2ca4863051689ea8d8b3ea6fd792f2850f63ce0f51f576ca05847cc8f13be6161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
89ff268f6c0a5d67341e01e16a16f9f5

SHA1
359edd7842fbf1bc3fe7b357bdba0567b36548b2

SHA256
5dd3d298ead8b341bccb436e7f30686e630579d77896edefc159da43cd46da38

SHA512
0ec2232275653531a1335afaea27d54f68aa78d5d9224255ad6d750bad09c9c77e44c903838b695c799b27ee1456c801e4da1486aa1c1823cc3c921245b39f98

Download Submit
C:\Users\sppsvc.exe

Filesize
1.5MB

MD5
7b45d565ba6ca684897302d0eefc4b60

SHA1
5a48de7a66d4d2b46d296a9049dbe8f61b401989

SHA256
69b86941727bc8b758648b00a55e606f5e9efec117681a7a392d9fc669a55274

SHA512
6b770cc9b06f8295bd2dc1d8f5d52c4ff60d0db36baa44511dc960886f0f3670a92c23bab570f14b22aae87f47a5466ce89a1a85032d1dae40bd3da1714284c9

Download Submit
C:\Windows\System32\wshom\lsm.exe

Filesize
1.5MB

MD5
4dc2fd418aa2537d6b1459e7f4fd3dec

SHA1
3a2e780d928d2290490d782bb0dd7eea24790b6d

SHA256
931a893f0779347ab6593e977af741be55353a94625f52e82c040f3dd1ea452b

SHA512
6990936e415adce0c59413cdb19eb90f0aa4c2596c4062a3e809f131042efccf863168b3d2d2279f9e8719e5741966365c55a2257fd11d6d827836b850b10e4e

Download Submit
memory/568-159-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1408-185-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1408-184-0x0000000000CB0000-0x0000000000E2E000-memory.dmp

Filesize
1.5MB

Download
memory/1524-131-0x000000001B9A0000-0x000000001BC82000-memory.dmp

Filesize
2.9MB

Download
memory/1524-132-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1704-171-0x00000000003A0000-0x000000000051E000-memory.dmp

Filesize
1.5MB

Download
memory/1704-172-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1760-135-0x0000000000210000-0x000000000038E000-memory.dmp

Filesize
1.5MB

Download
memory/1760-136-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2180-290-0x0000000000110000-0x000000000028E000-memory.dmp

Filesize
1.5MB

Download
memory/2204-197-0x00000000012E0000-0x000000000145E000-memory.dmp

Filesize
1.5MB

Download
memory/2260-278-0x0000000001370000-0x00000000014EE000-memory.dmp

Filesize
1.5MB

Download
memory/2300-254-0x00000000003E0000-0x000000000055E000-memory.dmp

Filesize
1.5MB

Download
memory/2380-13-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download
memory/2380-8-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2380-16-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2380-15-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2380-14-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2380-24-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-18-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2380-100-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-12-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2380-11-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2380-10-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2380-20-0x0000000002070000-0x000000000207C000-memory.dmp

Filesize
48KB

Download
memory/2380-9-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2380-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2380-6-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2380-1-0x00000000003D0000-0x000000000054E000-memory.dmp

Filesize
1.5MB

Download
memory/2380-7-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2380-5-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2380-21-0x000000001A710000-0x000000001A718000-memory.dmp

Filesize
32KB

Download
memory/2380-4-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2380-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2380-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-147-0x00000000012F0000-0x000000000146E000-memory.dmp

Filesize
1.5MB

Download
memory/2896-231-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2952-266-0x0000000000F70000-0x00000000010EE000-memory.dmp

Filesize
1.5MB

Download