dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410897f36809104096c8b600eb3a0444.exe
Size

1.1MB
MD5

410897f36809104096c8b600eb3a0444
SHA1

18e8b8e65471f7f19b3612ba93a20bd6a702e7dc
SHA256

1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed
SHA512

479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 13 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		368	schtasks.exe
		4752	schtasks.exe
		4840	schtasks.exe
		4808	schtasks.exe
		4768	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		410897f36809104096c8b600eb3a0444.exe
		4072	schtasks.exe
		2492	schtasks.exe
		2584	schtasks.exe
		4708	schtasks.exe
		4780	schtasks.exe
		4960	schtasks.exe
		2096	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\", \"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\", \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\", \"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wowreg32\\conhost.exe\", \"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\", \"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\""	410897f36809104096c8b600eb3a0444.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	4228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4228	schtasks.exe	87

UAC bypass 3 TTPs 48 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3368	powershell.exe
1624	powershell.exe
4980	powershell.exe
4488	powershell.exe
3232	powershell.exe
3924	powershell.exe
2952	powershell.exe
2532	powershell.exe
4704	powershell.exe
4868	powershell.exe
4876	powershell.exe
1220	powershell.exe
1424	powershell.exe
1016	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	410897f36809104096c8b600eb3a0444.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 15 IoCs

pid	Process
4676	410897f36809104096c8b600eb3a0444.exe
1884	lsass.exe
3332	lsass.exe
1108	lsass.exe
5124	lsass.exe
3588	lsass.exe
3480	lsass.exe
452	lsass.exe
1556	lsass.exe
516	lsass.exe
5196	lsass.exe
8	lsass.exe
788	lsass.exe
4392	lsass.exe
1268	lsass.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip\\powershell.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.UI.Search\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Microsoft\\WinMSIPC\\lsass.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\DeviceReactivation\\fontdrvhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft.NET\\Idle.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wdc\\RuntimeBroker.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\AudioSrvPolicyManager\\backgroundTaskHost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\wowreg32\\conhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\wowreg32\\conhost.exe\""	410897f36809104096c8b600eb3a0444.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wowreg32\conhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\wdc\9e8d7a4ca61bd9	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\wdc\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\AudioSrvPolicyManager\RCX8C68.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\DeviceReactivation\5b884080fd4f94	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\wdc\RCX83F9.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\e978f868350d50	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\Windows.UI.Search\9e8d7a4ca61bd9	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\DeviceReactivation\fontdrvhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\wowreg32\conhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\AudioSrvPolicyManager\eddb19405b7ce1	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\DeviceReactivation\fontdrvhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\wdc\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\wowreg32\088424020bedd6	410897f36809104096c8b600eb3a0444.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX81F4.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Idle.exe	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX866B.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Program Files (x86)\Microsoft.NET\Idle.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Program Files (x86)\Microsoft.NET\6ccacd8608530f	410897f36809104096c8b600eb3a0444.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c3	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCX8870.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	410897f36809104096c8b600eb3a0444.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	410897f36809104096c8b600eb3a0444.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	410897f36809104096c8b600eb3a0444.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4840	schtasks.exe
4780	schtasks.exe
4808	schtasks.exe
4768	schtasks.exe
2096	schtasks.exe
368	schtasks.exe
2584	schtasks.exe
4708	schtasks.exe
4960	schtasks.exe
4072	schtasks.exe
2492	schtasks.exe
4752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
4704	powershell.exe
4704	powershell.exe
4868	powershell.exe
4868	powershell.exe
4980	powershell.exe
4980	powershell.exe
6072	410897f36809104096c8b600eb3a0444.exe
4876	powershell.exe
4876	powershell.exe
1016	powershell.exe
1016	powershell.exe
4488	powershell.exe
4488	powershell.exe
1424	powershell.exe
1424	powershell.exe
1220	powershell.exe
1220	powershell.exe
1424	powershell.exe
4876	powershell.exe
1016	powershell.exe
4704	powershell.exe
4980	powershell.exe
4868	powershell.exe
1220	powershell.exe
4488	powershell.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
6072	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe
4676	410897f36809104096c8b600eb3a0444.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	6072	410897f36809104096c8b600eb3a0444.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	4676	410897f36809104096c8b600eb3a0444.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1884	lsass.exe
Token: SeDebugPrivilege	3332	lsass.exe
Token: SeDebugPrivilege	1108	lsass.exe
Token: SeDebugPrivilege	5124	lsass.exe
Token: SeDebugPrivilege	3588	lsass.exe
Token: SeDebugPrivilege	3480	lsass.exe
Token: SeDebugPrivilege	452	lsass.exe
Token: SeDebugPrivilege	1556	lsass.exe
Token: SeDebugPrivilege	516	lsass.exe
Token: SeDebugPrivilege	5196	lsass.exe
Token: SeDebugPrivilege	8	lsass.exe
Token: SeDebugPrivilege	788	lsass.exe
Token: SeDebugPrivilege	4392	lsass.exe
Token: SeDebugPrivilege	1268	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6072 wrote to memory of 4704	6072	410897f36809104096c8b600eb3a0444.exe	98
PID 6072 wrote to memory of 4704	6072	410897f36809104096c8b600eb3a0444.exe	98
PID 6072 wrote to memory of 4868	6072	410897f36809104096c8b600eb3a0444.exe	99
PID 6072 wrote to memory of 4868	6072	410897f36809104096c8b600eb3a0444.exe	99
PID 6072 wrote to memory of 4980	6072	410897f36809104096c8b600eb3a0444.exe	100
PID 6072 wrote to memory of 4980	6072	410897f36809104096c8b600eb3a0444.exe	100
PID 6072 wrote to memory of 4876	6072	410897f36809104096c8b600eb3a0444.exe	101
PID 6072 wrote to memory of 4876	6072	410897f36809104096c8b600eb3a0444.exe	101
PID 6072 wrote to memory of 1016	6072	410897f36809104096c8b600eb3a0444.exe	102
PID 6072 wrote to memory of 1016	6072	410897f36809104096c8b600eb3a0444.exe	102
PID 6072 wrote to memory of 4488	6072	410897f36809104096c8b600eb3a0444.exe	103
PID 6072 wrote to memory of 4488	6072	410897f36809104096c8b600eb3a0444.exe	103
PID 6072 wrote to memory of 1424	6072	410897f36809104096c8b600eb3a0444.exe	104
PID 6072 wrote to memory of 1424	6072	410897f36809104096c8b600eb3a0444.exe	104
PID 6072 wrote to memory of 1220	6072	410897f36809104096c8b600eb3a0444.exe	105
PID 6072 wrote to memory of 1220	6072	410897f36809104096c8b600eb3a0444.exe	105
PID 6072 wrote to memory of 4676	6072	410897f36809104096c8b600eb3a0444.exe	114
PID 6072 wrote to memory of 4676	6072	410897f36809104096c8b600eb3a0444.exe	114
PID 4676 wrote to memory of 2532	4676	410897f36809104096c8b600eb3a0444.exe	122
PID 4676 wrote to memory of 2532	4676	410897f36809104096c8b600eb3a0444.exe	122
PID 4676 wrote to memory of 2952	4676	410897f36809104096c8b600eb3a0444.exe	123
PID 4676 wrote to memory of 2952	4676	410897f36809104096c8b600eb3a0444.exe	123
PID 4676 wrote to memory of 3924	4676	410897f36809104096c8b600eb3a0444.exe	124
PID 4676 wrote to memory of 3924	4676	410897f36809104096c8b600eb3a0444.exe	124
PID 4676 wrote to memory of 3232	4676	410897f36809104096c8b600eb3a0444.exe	125
PID 4676 wrote to memory of 3232	4676	410897f36809104096c8b600eb3a0444.exe	125
PID 4676 wrote to memory of 1624	4676	410897f36809104096c8b600eb3a0444.exe	126
PID 4676 wrote to memory of 1624	4676	410897f36809104096c8b600eb3a0444.exe	126
PID 4676 wrote to memory of 3368	4676	410897f36809104096c8b600eb3a0444.exe	127
PID 4676 wrote to memory of 3368	4676	410897f36809104096c8b600eb3a0444.exe	127
PID 4676 wrote to memory of 3440	4676	410897f36809104096c8b600eb3a0444.exe	134
PID 4676 wrote to memory of 3440	4676	410897f36809104096c8b600eb3a0444.exe	134
PID 3440 wrote to memory of 5200	3440	cmd.exe	136
PID 3440 wrote to memory of 5200	3440	cmd.exe	136
PID 3440 wrote to memory of 1884	3440	cmd.exe	138
PID 3440 wrote to memory of 1884	3440	cmd.exe	138
PID 1884 wrote to memory of 3812	1884	lsass.exe	139
PID 1884 wrote to memory of 3812	1884	lsass.exe	139
PID 1884 wrote to memory of 1964	1884	lsass.exe	140
PID 1884 wrote to memory of 1964	1884	lsass.exe	140
PID 3812 wrote to memory of 3332	3812	WScript.exe	141
PID 3812 wrote to memory of 3332	3812	WScript.exe	141
PID 3332 wrote to memory of 3344	3332	lsass.exe	143
PID 3332 wrote to memory of 3344	3332	lsass.exe	143
PID 3332 wrote to memory of 3276	3332	lsass.exe	144
PID 3332 wrote to memory of 3276	3332	lsass.exe	144
PID 3344 wrote to memory of 1108	3344	WScript.exe	152
PID 3344 wrote to memory of 1108	3344	WScript.exe	152
PID 1108 wrote to memory of 2152	1108	lsass.exe	153
PID 1108 wrote to memory of 2152	1108	lsass.exe	153
PID 1108 wrote to memory of 3664	1108	lsass.exe	154
PID 1108 wrote to memory of 3664	1108	lsass.exe	154
PID 2152 wrote to memory of 5124	2152	WScript.exe	155
PID 2152 wrote to memory of 5124	2152	WScript.exe	155
PID 5124 wrote to memory of 4988	5124	lsass.exe	156
PID 5124 wrote to memory of 4988	5124	lsass.exe	156
PID 5124 wrote to memory of 1408	5124	lsass.exe	157
PID 5124 wrote to memory of 1408	5124	lsass.exe	157
PID 4988 wrote to memory of 3588	4988	WScript.exe	158
PID 4988 wrote to memory of 3588	4988	WScript.exe	158
PID 3588 wrote to memory of 820	3588	lsass.exe	159
PID 3588 wrote to memory of 820	3588	lsass.exe	159
PID 3588 wrote to memory of 4068	3588	lsass.exe	160
PID 3588 wrote to memory of 4068	3588	lsass.exe	160

System policy modification 1 TTPs 48 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe
"C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wdc\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe
  "C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wowreg32\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\WinMSIPC\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DeviceReactivation\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\81VaE6Q4eQ.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5200
  - - C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
      "C:\ProgramData\Microsoft\WinMSIPC\lsass.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1884
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaf26042-3961-47d1-b701-8c3c51731fcd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d051598e-a0e9-4827-85e6-39fe0aaa9b89.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4dac5c5-2d14-42d4-ba97-55859d138c7c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2b71f-288f-490c-b9e0-f287f8d9eddc.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfab3c8-5259-4173-8e62-7514782681d3.vbs"
        13⤵
        
        PID:820
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd62e811-f0b0-46d3-a89e-0858bfb2a963.vbs"
        15⤵
        
        PID:4712
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b199c8-a2ab-4af2-8706-2eba0c3725cb.vbs"
        17⤵
        
        PID:1988
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29823425-a1dc-4c1d-b166-c3e61cb778ef.vbs"
        19⤵
        
        PID:1004
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71aa7d7-4e19-4bc6-b35d-9c27537be80f.vbs"
        21⤵
        
        PID:4900
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0353ce62-a226-4ffe-bbea-9d1789a7cff2.vbs"
        23⤵
        
        PID:596
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:8
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41b74bdf-1e4d-48da-80dc-4f5a5b26bb9f.vbs"
        25⤵
        
        PID:1112
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d250668b-3f7c-486c-ba8c-fb93312cda76.vbs"
        27⤵
        
        PID:5108
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea1b92b8-03ee-4bdc-a5b2-cbf75a05279c.vbs"
        29⤵
        
        PID:5364
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        
        C:\ProgramData\Microsoft\WinMSIPC\lsass.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e45ceb23-70ff-4d8a-85e6-526fcca8da06.vbs"
        31⤵
        
        PID:3764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8e38da-ef76-4196-8e79-9a14ac053052.vbs"
        31⤵
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f933126-8b5a-4a5a-b104-9e3be4055865.vbs"
        29⤵
        
        PID:3304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7a4d49-593d-4801-8af1-a6b29d008003.vbs"
        27⤵
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c659fec4-0f82-4e62-adc8-e4c57478b991.vbs"
        25⤵
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7d83f2c-b2f4-4d1f-a864-5e4ae5c4d155.vbs"
        23⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d2e6377-c6ed-4ad1-9519-dd96fc172c0c.vbs"
        21⤵
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8da156b-7261-46e5-9c65-c15252bd1031.vbs"
        19⤵
        
        PID:6004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94dea313-5b7c-40ae-a126-5d7d682fff92.vbs"
        17⤵
        
        PID:4204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0bb67d2-1889-44ad-a33a-4c5d6f79ef9e.vbs"
        15⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de34fe53-27c2-4bef-a7ba-8d5d30392322.vbs"
        13⤵
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d33e50f7-21e6-47e7-bc71-97a9723e70fa.vbs"
        11⤵
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a22e577-dd7a-4705-893b-a9c85b2355b9.vbs"
        9⤵
        
        PID:3664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87cfe211-f2ec-4c66-892e-915a528e7040.vbs"
        7⤵
        
        PID:3276
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0e3d261-183e-4fc6-9f4b-5e2f17865ed1.vbs"
        5⤵
        
        PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wdc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\AudioSrvPolicyManager\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.UI.Search\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\wowreg32\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\WinMSIPC\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\DeviceReactivation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

Filesize
1.1MB

MD5
410897f36809104096c8b600eb3a0444

SHA1
18e8b8e65471f7f19b3612ba93a20bd6a702e7dc

SHA256
1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed

SHA512
479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\410897f36809104096c8b600eb3a0444.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69ced0a44ced088c3954d6ae03796e7

SHA1
ef4cac17b8643fb57424bb56907381a555a8cb92

SHA256
49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

SHA512
15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ff8dea104630cb0cb3da85eea627c4c0

SHA1
b332b51a9f473a604710d64b66c01c9df8caf88b

SHA256
97d63b322c131f512e5b1f2052d364bd82e41de6899d4d334532a35f6e290d7f

SHA512
698ee25bcecac3a2c71452150be7e69fb08bed1a041f2f44e38427a9bb6911a4eea8d7320bb4530c2893c11994913142051d472ddefe900055f415cb9673552e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0353ce62-a226-4ffe-bbea-9d1789a7cff2.vbs

Filesize
719B

MD5
726ec93615f0017fa7640a2ff71b0180

SHA1
8c7d21ede357d68fa6a183cc898620e5b0625632

SHA256
105ae5b6af1502429e4a39cf6b44d25de322ffc0123655358168bcb1e0f7fbfc

SHA512
ce4edd86c3403226c2e3554a4cac360205f4108d5863ecefe167a4eda3504cda8ba78d334065851092b249f8bfc4d7ab309fedc7f6c6ae658472a1fd72fe2b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\29823425-a1dc-4c1d-b166-c3e61cb778ef.vbs

Filesize
719B

MD5
791a12bd0077de80832895a6da09e73f

SHA1
5afe7103d363fb3c580aacc6deb8fb3cc2a11522

SHA256
c41522eca34ae087ac00ce487f9892bba4e19304e04fdad7ad568393e6a7d55f

SHA512
83ea1acba61680c3aefa7bb1632767faad6706e18ac7c61c04192504487543cce5c1594ec68e4dceb16f0e9959a3c5d4e8d66ee5f10ff2db18b3b00174ef05ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\41b74bdf-1e4d-48da-80dc-4f5a5b26bb9f.vbs

Filesize
716B

MD5
be47888984d8b32456abe941f4fc2e4e

SHA1
1fdabb953452d90a19baf5a98e351c29c99cd24d

SHA256
79eb1863d119909da0734cf2f7630e5f868cf22f6dcaf64ea5c780bbd7c25126

SHA512
a231ec0ef45fa228b107cd3c286b6982108c14d5d3025b78627280aa785a987590d97ea9b8ea61bf88324e90181540ceb406ea82055742833f8eac36e156d371

Download Submit
C:\Users\Admin\AppData\Local\Temp\58d2b71f-288f-490c-b9e0-f287f8d9eddc.vbs

Filesize
719B

MD5
cf3509dcb8150adca240ff4d8391db80

SHA1
87ec2f9f80533b62d50e49efddd69050bc18e860

SHA256
9c8f05ce53d518b9daef0159f3b3041764b813f91c0e39517c88bd4ab2684990

SHA512
e136dddb974f31d1103beb22973994e6b2d65e744fe92a0ce1cbde180ac31afebb8ad4afdc1b2e2ed19390148aa0d8e21027be9d3f5b6aadcdf4eb40170516cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bfab3c8-5259-4173-8e62-7514782681d3.vbs

Filesize
719B

MD5
b5b3dde604732d9c39c60b8ecd406fce

SHA1
d913ba49cb6d22377bcdad70a40694b37d51ddfe

SHA256
551e4ac9f5fd0ddaee470e2f93c01bbd36c4de0a84afe6a305bd59c4d12c32b8

SHA512
a43cac99dee25099db6461b39f18b602752277c27b1545dba9e0b2fd1144ddedd1790b0ee2143694e7231da8edbe6a88b12708366cf0f8690c9f9a68db8fc019

Download Submit
C:\Users\Admin\AppData\Local\Temp\81VaE6Q4eQ.bat

Filesize
207B

MD5
9c7fbc07881bb0111ec21c0e45ec3ddb

SHA1
47d1c6dbca5c5460cc9924f4aeb6857a27c3b3e7

SHA256
77b49ded09c6abc3aed47ac50e38178d62110bcccb662a3ccb26c129b18e1fce

SHA512
d7ab0469e02bf52696bf814e86d2a2a2f112656c567e82feb57a24e6f142819c53b59d013394f3054b777adbf5fe56c2afe7f7d8c879985504a277cfddaa5ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vyd4kj5n.wgn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaf26042-3961-47d1-b701-8c3c51731fcd.vbs

Filesize
719B

MD5
4ff03d72de552270f63b064e79e71bfd

SHA1
b74539d05a8df3d1250d992f26d8291d8ae7c9f6

SHA256
aaff1ed04d584185e472eab2b3a1a27590c8835d86d182a7e36184d593e5b902

SHA512
2967a7520affc61424351194ab5b7b2d6c1796b0e19bb9c0fae806522b9b3baf5c3dce0a79963c9474a435c31ea60300879c82245c86842addeddb464f3975ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\c71aa7d7-4e19-4bc6-b35d-9c27537be80f.vbs

Filesize
718B

MD5
bcbd78458422b5c290492707a7fabc91

SHA1
235ae127f702301ecbd565e34531ce74bf787dc8

SHA256
313615d9f9c0ec0975ad0cdb53c4166f67591303afe3f7bd87863934a236dd1a

SHA512
57ce8aca2cdc018cd5252e724b924c94b05d1186b2b5fd9fa721bda90fdc74c918a57a7c2d55c9cabe104f140b2391f664774ddc450112461662f4b9e35b026d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d051598e-a0e9-4827-85e6-39fe0aaa9b89.vbs

Filesize
719B

MD5
0fed312f700b3c2fbcd7135f3bbc298e

SHA1
71d86ac8bce315566accf3eec0f24073b871c025

SHA256
0249e1f333256fe22a01cab72af06a359209952cf3182f46165b36bf403687b8

SHA512
327b54af69bd5e2a6fd39b64259f5c20ad3607fa352cfa721e6d1f291e2d270bcd81bb88b2132e9ef7b1fa3f8c5bf29d0c27da7db04d852e1a834ec10698675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0e3d261-183e-4fc6-9f4b-5e2f17865ed1.vbs

Filesize
495B

MD5
ccb98b59dd9a0ed390d964ca07b67ec8

SHA1
37fc0d6b86542058894cdaa0eeb05f79e3202787

SHA256
8f598bb2f437cae844f9c42380bb8c0da431617d58ceaac8113e919fabba8ae6

SHA512
ba2bb53c458303da063dc5055f6453456621574c0fed778e7da33e3debde7dff7d16ac87bb78186c5148659f6cb7e88d430d21d3c0aefaf9d5cf2e8d87bcf09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dac5c5-2d14-42d4-ba97-55859d138c7c.vbs

Filesize
719B

MD5
cbae056fdf34967db4470e2f2855decf

SHA1
132ea3080a7d19f392d5a61c34519ae8c6e8a3c2

SHA256
81b139a68c803942f47c01dbfb55e7d5328291f6a12da00e367ceb35c2364cbf

SHA512
11347399b845dc385c2452464b548d5af394bc5b77ce25fa2b3e4c9d65a931a2f01809283bbf575d47d7795969bf1d94727cb66bed7fdd50385437a4cb983540

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd62e811-f0b0-46d3-a89e-0858bfb2a963.vbs

Filesize
719B

MD5
2e4dafca4e82b6edf300f6e8b20b0e08

SHA1
b1574db75ecbe5055f84f6eb81bd6b9933ffd6f3

SHA256
b5d97005666ceaf125439369319fb754bdd4126cd863c28ad0470ac062b473e1

SHA512
02eb725689eeaf0766956a075a423a27848c8824aa43fdb073aca433db2e7dd72cbb77ab72c10047e570bf744fb523d7090bc4ac660e9550ee8975d18bbfc22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5b199c8-a2ab-4af2-8706-2eba0c3725cb.vbs

Filesize
718B

MD5
65771bfa33f7dc57b25e3b1c5e41fb64

SHA1
2ef22d4212397c742a8f90dbd0b07000a2b544eb

SHA256
d71613fd4d7b5b407aebbdaa4ce5fd18f2f1055687a91d8a09a43dad567b5368

SHA512
cd1973d484382fd85a350c02db5b986737d55f3eecdc43e5e35b59be6be695eee1bd271c2d0c8ea7b32e9edb590bec123baab98f86b0fd42ac5ab60d0ede5663

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
500B

MD5
32a207bc45a735fd1f81449bdf12f151

SHA1
528b6dd3fc15175217eb6dcf5dd781c805622fd7

SHA256
4971e88223bf1200feb70648e9185c20eb2f2a74f8b7ecc7a8ca70f7e2df1723

SHA512
760a3b9bea801310b3f7e39b5d2c5c7596a792bb4fffa9ad9d24d3fface368fec8eceb64d440c228e2db636865449b38f13ed4d0fa250952b383705c39fd4720

Download Submit
memory/788-402-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/1424-98-0x0000026A5DF20000-0x0000026A5DF42000-memory.dmp

Filesize
136KB

Download
memory/3332-290-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/4676-165-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/5124-313-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/6072-12-0x000000001B510000-0x000000001B518000-memory.dmp

Filesize
32KB

Download
memory/6072-16-0x000000001B540000-0x000000001B548000-memory.dmp

Filesize
32KB

Download
memory/6072-24-0x00007FF90A090000-0x00007FF90AB51000-memory.dmp

Filesize
10.8MB

Download
memory/6072-21-0x000000001B580000-0x000000001B588000-memory.dmp

Filesize
32KB

Download
memory/6072-20-0x000000001B570000-0x000000001B57C000-memory.dmp

Filesize
48KB

Download
memory/6072-18-0x000000001B560000-0x000000001B568000-memory.dmp

Filesize
32KB

Download
memory/6072-0-0x00007FF90A093000-0x00007FF90A095000-memory.dmp

Filesize
8KB

Download
memory/6072-17-0x000000001B550000-0x000000001B55C000-memory.dmp

Filesize
48KB

Download
memory/6072-15-0x000000001B530000-0x000000001B53A000-memory.dmp

Filesize
40KB

Download
memory/6072-14-0x000000001B520000-0x000000001B52C000-memory.dmp

Filesize
48KB

Download
memory/6072-25-0x00007FF90A090000-0x00007FF90AB51000-memory.dmp

Filesize
10.8MB

Download
memory/6072-13-0x000000001B620000-0x000000001B62A000-memory.dmp

Filesize
40KB

Download
memory/6072-9-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/6072-10-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/6072-164-0x00007FF90A090000-0x00007FF90AB51000-memory.dmp

Filesize
10.8MB

Download
memory/6072-8-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

Filesize
32KB

Download
memory/6072-11-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/6072-6-0x000000001AF90000-0x000000001AF9A000-memory.dmp

Filesize
40KB

Download
memory/6072-7-0x000000001AFB0000-0x000000001AFBC000-memory.dmp

Filesize
48KB

Download
memory/6072-5-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/6072-3-0x000000001AE10000-0x000000001AE18000-memory.dmp

Filesize
32KB

Download
memory/6072-4-0x000000001AE20000-0x000000001AE32000-memory.dmp

Filesize
72KB

Download
memory/6072-2-0x00007FF90A090000-0x00007FF90AB51000-memory.dmp

Filesize
10.8MB

Download
memory/6072-1-0x0000000000160000-0x0000000000274000-memory.dmp

Filesize
1.1MB

Download