dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

08/04/2025, 14:11

250408-rhjmcsvp15 10

22/03/2025, 06:18

250322-g2ywaay1fy 10

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f736c152b3d1812f1142ed0da99e0ac8.exe
Size

5.9MB
MD5

f736c152b3d1812f1142ed0da99e0ac8
SHA1

5df819dd9a3c73b64b33950ecfac1c690fa0f03d
SHA256

78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
SHA512

a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4824	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4824	schtasks.exe	91

UAC bypass 3 TTPs 42 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2064	powershell.exe
2036	powershell.exe
3084	powershell.exe
1168	powershell.exe
1640	powershell.exe
6076	powershell.exe
1288	powershell.exe
5264	powershell.exe
868	powershell.exe
2920	powershell.exe
1940	powershell.exe
4204	powershell.exe
1100	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f736c152b3d1812f1142ed0da99e0ac8.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 13 IoCs

pid	Process
5132	conhost.exe
3884	conhost.exe
5304	conhost.exe
4384	conhost.exe
5768	conhost.exe
4368	conhost.exe
2644	conhost.exe
5004	conhost.exe
692	conhost.exe
4348	conhost.exe
4252	conhost.exe
3688	conhost.exe
5312	conhost.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

pid	Process
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
5132	conhost.exe
5132	conhost.exe
3884	conhost.exe
3884	conhost.exe
5304	conhost.exe
5304	conhost.exe
4384	conhost.exe
4384	conhost.exe
5768	conhost.exe
5768	conhost.exe
4368	conhost.exe
4368	conhost.exe
2644	conhost.exe
2644	conhost.exe
5004	conhost.exe
5004	conhost.exe
692	conhost.exe
692	conhost.exe
4348	conhost.exe
4348	conhost.exe
4252	conhost.exe
4252	conhost.exe
3688	conhost.exe
3688	conhost.exe
5312	conhost.exe
5312	conhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\unsecapp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Crashpad\unsecapp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Crashpad\29c1c3cc0f7685	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Crashpad\RCX643A.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Crashpad\RCX644B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4004	schtasks.exe
5360	schtasks.exe
4280	schtasks.exe
4932	schtasks.exe
856	schtasks.exe
1064	schtasks.exe
392	schtasks.exe
3388	schtasks.exe
5004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
1028	f736c152b3d1812f1142ed0da99e0ac8.exe
3084	powershell.exe
3084	powershell.exe
1100	powershell.exe
1100	powershell.exe
6076	powershell.exe
6076	powershell.exe
5264	powershell.exe
5264	powershell.exe
2064	powershell.exe
2064	powershell.exe
1940	powershell.exe
1940	powershell.exe
2920	powershell.exe
2920	powershell.exe
1288	powershell.exe
1288	powershell.exe
1640	powershell.exe
1640	powershell.exe
868	powershell.exe
868	powershell.exe
1168	powershell.exe
1168	powershell.exe
2036	powershell.exe
2036	powershell.exe
4204	powershell.exe
4204	powershell.exe
1100	powershell.exe
1640	powershell.exe
5264	powershell.exe
6076	powershell.exe
2064	powershell.exe
1168	powershell.exe
3084	powershell.exe
3084	powershell.exe
1940	powershell.exe
2920	powershell.exe
1288	powershell.exe
4204	powershell.exe
868	powershell.exe
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	5132	conhost.exe
Token: SeDebugPrivilege	3884	conhost.exe
Token: SeDebugPrivilege	5304	conhost.exe
Token: SeDebugPrivilege	4384	conhost.exe
Token: SeDebugPrivilege	5768	conhost.exe
Token: SeDebugPrivilege	4368	conhost.exe
Token: SeDebugPrivilege	2644	conhost.exe
Token: SeDebugPrivilege	5004	conhost.exe
Token: SeDebugPrivilege	692	conhost.exe
Token: SeDebugPrivilege	4348	conhost.exe
Token: SeDebugPrivilege	4252	conhost.exe
Token: SeDebugPrivilege	3688	conhost.exe
Token: SeDebugPrivilege	5312	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 5264	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 1028 wrote to memory of 5264	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 1028 wrote to memory of 1100	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	103
PID 1028 wrote to memory of 1100	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	103
PID 1028 wrote to memory of 1288	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 1028 wrote to memory of 1288	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 1028 wrote to memory of 4204	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 1028 wrote to memory of 4204	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 1028 wrote to memory of 6076	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 1028 wrote to memory of 6076	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 1028 wrote to memory of 1640	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 1028 wrote to memory of 1640	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 1028 wrote to memory of 1940	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	110
PID 1028 wrote to memory of 1940	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	110
PID 1028 wrote to memory of 1168	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	111
PID 1028 wrote to memory of 1168	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	111
PID 1028 wrote to memory of 3084	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	112
PID 1028 wrote to memory of 3084	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	112
PID 1028 wrote to memory of 2920	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	113
PID 1028 wrote to memory of 2920	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	113
PID 1028 wrote to memory of 2036	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	114
PID 1028 wrote to memory of 2036	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	114
PID 1028 wrote to memory of 2064	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	116
PID 1028 wrote to memory of 2064	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	116
PID 1028 wrote to memory of 868	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	117
PID 1028 wrote to memory of 868	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	117
PID 1028 wrote to memory of 5288	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	128
PID 1028 wrote to memory of 5288	1028	f736c152b3d1812f1142ed0da99e0ac8.exe	128
PID 5288 wrote to memory of 1944	5288	cmd.exe	130
PID 5288 wrote to memory of 1944	5288	cmd.exe	130
PID 5288 wrote to memory of 5132	5288	cmd.exe	134
PID 5288 wrote to memory of 5132	5288	cmd.exe	134
PID 5132 wrote to memory of 2796	5132	conhost.exe	135
PID 5132 wrote to memory of 2796	5132	conhost.exe	135
PID 5132 wrote to memory of 4680	5132	conhost.exe	136
PID 5132 wrote to memory of 4680	5132	conhost.exe	136
PID 2796 wrote to memory of 3884	2796	WScript.exe	137
PID 2796 wrote to memory of 3884	2796	WScript.exe	137
PID 3884 wrote to memory of 6024	3884	conhost.exe	138
PID 3884 wrote to memory of 6024	3884	conhost.exe	138
PID 3884 wrote to memory of 5428	3884	conhost.exe	139
PID 3884 wrote to memory of 5428	3884	conhost.exe	139
PID 6024 wrote to memory of 5304	6024	WScript.exe	145
PID 6024 wrote to memory of 5304	6024	WScript.exe	145
PID 5304 wrote to memory of 4120	5304	conhost.exe	146
PID 5304 wrote to memory of 4120	5304	conhost.exe	146
PID 5304 wrote to memory of 916	5304	conhost.exe	147
PID 5304 wrote to memory of 916	5304	conhost.exe	147
PID 4120 wrote to memory of 4384	4120	WScript.exe	151
PID 4120 wrote to memory of 4384	4120	WScript.exe	151
PID 4384 wrote to memory of 1512	4384	conhost.exe	152
PID 4384 wrote to memory of 1512	4384	conhost.exe	152
PID 4384 wrote to memory of 3644	4384	conhost.exe	153
PID 4384 wrote to memory of 3644	4384	conhost.exe	153
PID 1512 wrote to memory of 5768	1512	WScript.exe	154
PID 1512 wrote to memory of 5768	1512	WScript.exe	154
PID 5768 wrote to memory of 380	5768	conhost.exe	155
PID 5768 wrote to memory of 380	5768	conhost.exe	155
PID 5768 wrote to memory of 2404	5768	conhost.exe	156
PID 5768 wrote to memory of 2404	5768	conhost.exe	156
PID 380 wrote to memory of 4368	380	WScript.exe	157
PID 380 wrote to memory of 4368	380	WScript.exe	157
PID 4368 wrote to memory of 5272	4368	conhost.exe	158
PID 4368 wrote to memory of 5272	4368	conhost.exe	158

System policy modification 1 TTPs 42 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/7e20f84d5244aba7145631d4073af8/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d25f591a00514bc9ba8441/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j14hHxgp42.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5288
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1944
- - C:\Users\Public\AccountPictures\conhost.exe
    "C:\Users\Public\AccountPictures\conhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5132
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\736231ea-a10b-480e-a317-a3b8b88d838b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddfa90cc-aa2a-404b-b339-35cd730ad222.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:6024
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e150ada6-c241-4335-8abd-57854698ad87.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b84f8249-c205-4331-9961-478d91fb21e3.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\726bda50-d092-4cf4-89ab-2875e3c0e366.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada8ae32-8707-462d-8f18-f470844d191b.vbs"
        14⤵
        
        PID:5272
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e844885-44c7-474f-8ead-6b2487c4f814.vbs"
        16⤵
        
        PID:5640
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef15db2-86f0-4711-a479-91c2b48d7e97.vbs"
        18⤵
        
        PID:5756
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51fc5d6a-3430-424c-9a0f-323633995672.vbs"
        20⤵
        
        PID:4760
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b064c88d-b583-47aa-a445-347f3195fbf9.vbs"
        22⤵
        
        PID:6128
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9e800c-049b-4b96-9dea-aa2101ee7396.vbs"
        24⤵
        
        PID:6052
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a545cc1-27b0-4141-9003-5268cdd159de.vbs"
        26⤵
        
        PID:6060
        
        C:\Users\Public\AccountPictures\conhost.exe
        
        C:\Users\Public\AccountPictures\conhost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\917f356e-eee5-480d-95fa-a1d6b7d1b47c.vbs"
        28⤵
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54080a0d-f86f-4393-9f4e-87bfef2dc8e5.vbs"
        28⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8f991ef-efac-4953-b0e6-9835eff1b126.vbs"
        26⤵
        
        PID:4628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78234db9-92d1-47e6-8d3f-41153cffe2cb.vbs"
        24⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\518d0bc0-7224-46ff-a68d-1948c78b2e1c.vbs"
        22⤵
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bffa9dec-9091-44a6-a1bd-29aa677a697c.vbs"
        20⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09fcf97-2f4f-4feb-93e9-ce5ab4e70769.vbs"
        18⤵
        
        PID:6076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0df3cc75-bdae-4d51-b2ef-430346d68e69.vbs"
        16⤵
        
        PID:5712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09a06838-908c-49dc-b155-135d159714b9.vbs"
        14⤵
        
        PID:5556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b36055-02e5-4b9b-9cde-04e00c0926d6.vbs"
        12⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9cb8326-3fda-433f-9c31-94c49ff136f1.vbs"
        10⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5391b3ba-dbf7-4ade-aec9-f91424a462d9.vbs"
        8⤵
        
        PID:916
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b70cd4ed-edc4-4a2c-ac4c-d51f610a5cb8.vbs"
        6⤵
        
        PID:5428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4ebea3-cb8f-479c-961a-54f31d190fb5.vbs"
      4⤵
      PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe

Filesize
5.9MB

MD5
23a1cce6f6cd380caadba031ef3e10ea

SHA1
37796591a3e660aa9f4a49e8cf5cf857da60a1a1

SHA256
1b3f8325ad621ba8386cbd8aa98927fb81fda47b99715baecbdd48ee5c03e13f

SHA512
904e5c4497ec8c6d1070a2aadd7cda1c4612f969466f1b31661298b7613ad9b0660b0428fd239d2cfff90a6cc8a8e944b490ff564ade0f344ed3f41c8d3277a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c44e48d99762769d16de7352e92db16f

SHA1
29898e4ddba0504899fe0f0a55abacf592689e1b

SHA256
f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8

SHA512
18cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94f35f261590c8add6967ae13ee05fab

SHA1
e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7

SHA256
db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63

SHA512
3e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
091f20bbaff3637ace005fce1590be7b

SHA1
00d1ef232fc560231ff81adc227a8f2918235a29

SHA256
bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe

SHA512
ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5e4343881dc5fcb6305d29ef34a5ce28

SHA1
823b588ad6905d682cc3b7ac7bf7184d71da3d45

SHA256
27e82cc6e13b0db3a8b74798dffe21837cd4ef1f519519227bbd41ef05f428ac

SHA512
7a8c265e8dc6b4ad85132c4182270322023b4d59c97b466b5cce24402426c32fe14500343938c069cb17f985c73ef00f06187669d5b0c2050839a4cf6eb91762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e844885-44c7-474f-8ead-6b2487c4f814.vbs

Filesize
719B

MD5
2194873d00572ed5d0ed4c84b54a0389

SHA1
398d4622da5066ea6c0b8b362a4284fd8351988d

SHA256
c95d40819cbf2939fbdb463df96db3fd5d0e5f6f807b09cebdf16b38582ca17f

SHA512
9202248df64f6c6552b8d7736b8790c937220ee64fbd40ab3f28211011e76ca9c9fd08f1c53fcf494e14c0c0c3be7048898eee9ca09322efcd84c41ed8f4b57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a545cc1-27b0-4141-9003-5268cdd159de.vbs

Filesize
719B

MD5
1266b7ab541ae9482cbe0d050ddfb115

SHA1
389f3cc511582bdb93d91c9079a05481ca1f6579

SHA256
d77458bf2294655e4fc85490213dbb5e8d6b6f48b9506f50d8e42be448900692

SHA512
96cb1955488faccf791ef22f63a33711bf85608835eda8ba0a9a9557e7c6bb8544f0d30f01c7fe1021d8cf4ce6cd5de2757d6e7869585bbe7f753883cc729c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\51fc5d6a-3430-424c-9a0f-323633995672.vbs

Filesize
718B

MD5
b6d79e80642ac47a77f4c17c719e61a3

SHA1
b7202803ba4ead2ac537fcd0f9da34ab3358ac65

SHA256
349ff6e2e44e422c9366700a7424663e2908a3d43c836f3705230f281264335a

SHA512
0ffcd1ef1d78061f40f965d7deefa65eea3ed41a90a3a82196fd9f76256bb98889c88f31f626ee1f67697cf8e96b205522282da4b9610d029696c2edd21bba7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\726bda50-d092-4cf4-89ab-2875e3c0e366.vbs

Filesize
719B

MD5
1a241c3bfb230d96dc2577d8ef5c5ff8

SHA1
788f19289c4a08b88175a8b87abbb076faae09a6

SHA256
0112b66208eae8c8c15de466fcd8955a8fca7eeddecd84579b362aa0113c6a87

SHA512
ff50f38ab1156fc0d6248c611dd6703e7e5b25b45b1f59cc41b767b1a67036da4b5cdf44cd84ed86f7ff6ad20d786b45a37b0ffafb61a7f593e10fc46e228fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\736231ea-a10b-480e-a317-a3b8b88d838b.vbs

Filesize
719B

MD5
9fe51cbd86e188a9608a44232b9d73a8

SHA1
326cd83295a377dd9e3449432f3c461fe9f3f1de

SHA256
51163af464806057e4a7f331efd38feb7da018d95eb036622145f658c596dff5

SHA512
b3e713cd866345e054df97cb540911b195efe79a5d2050482acea3b1ab7b1f235b7da8067130a086691954aeabc25b6e85baa226d212e752a6a56607c350a32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b4ebea3-cb8f-479c-961a-54f31d190fb5.vbs

Filesize
495B

MD5
f550b48e17470ad28af6055f0d1ef20c

SHA1
d3a0969707b63eb2400405c1749dc41c1e506631

SHA256
62381d2c3ac6c22e3470c240b8310f103a4de71ee8956fb426457dd42bf93320

SHA512
71902081753c8c70eed17852c28bf52954f808b13abcc7e2250c5b542352f4ca7da58419b6ba80c1c7e2982f28b23ac6c916d005991049273c0ca8cb14991e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e9e800c-049b-4b96-9dea-aa2101ee7396.vbs

Filesize
719B

MD5
bb4990d96ec90780cfe61b7661789b62

SHA1
88b35179319477900fa1a023a5fc66c5bc784423

SHA256
892681b7dd4cce856a3c70437914ade79a5c9afa77f50fbe84fbb1fce4682517

SHA512
9aa3fe2f1e6a4b0ef12ee66797429e5d55a1ffc97a95ee12c40a37a3a9ccd691c46fe7779b61a605b4e939776a46811a7e5a9f27a4ae59e40acb10ebcadee0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX6226.tmp

Filesize
5.9MB

MD5
f736c152b3d1812f1142ed0da99e0ac8

SHA1
5df819dd9a3c73b64b33950ecfac1c690fa0f03d

SHA256
78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

SHA512
a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zcykx5r.020.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ada8ae32-8707-462d-8f18-f470844d191b.vbs

Filesize
719B

MD5
9e433ddae6514376695bfdf41401dbd8

SHA1
7096a1920c43b58fd9fdf85b38339a32a0727583

SHA256
550dea8e5c7fc30b32ad1478c60b42b1b5dde86a6e9bed11ab5e0bedefe5f6de

SHA512
e6f461136c3a42051072a29c85c937bcd8c4ab9b5ba49d3257a10a062a579188404f37eaef60685970c2dd86e3d8fda34d65cb4ad562a0e598e9b36a018365e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b064c88d-b583-47aa-a445-347f3195fbf9.vbs

Filesize
719B

MD5
8e5c11eaff20ace92049b2ea5461db97

SHA1
e00ac738d59f6d3dc6326a126adb358b01de9f84

SHA256
611903bb21f464ddd1d97555d37ef8b1d7ee1be2f89c68d4073c798b92b425b8

SHA512
01de510e41380da91643d7b49279db0e82f94b616355904ada6004fbc366a48a55ad724485cd19b39b2b1f95a2fb4b6175f6c14b0124e44f6c580cdd2f547306

Download Submit
C:\Users\Admin\AppData\Local\Temp\b84f8249-c205-4331-9961-478d91fb21e3.vbs

Filesize
719B

MD5
6a3b8570c822643d98ba488281626b36

SHA1
4367a8d2fd5fad8aaeb16c274a91426d1d1064de

SHA256
169f7970a7100a681e1784463b7dd4c6a5a58feb3d89928f51e403aeaaab5ba5

SHA512
36c96517a392154376fc6e7d6dea8d4b5e85a25dd9c23f86196bbeea38f8430a787717dd46b4c1dff35a6fbf10a21db881503d0917a4070f9a20f88a0846c2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddfa90cc-aa2a-404b-b339-35cd730ad222.vbs

Filesize
719B

MD5
596ec5813627583a4bb11bd174c0cd01

SHA1
ab619020c854d3a7f953942ae68f86424e800c32

SHA256
9dbabc02d80553fe41a4175ab2d019139a497a0bbb5248e8d6fec253804ab283

SHA512
0181c43ff898b68eaec9ea45f7d2ec9e43631a11ced55e6e725b5d5f24d20de4d9e964312bf93bacb6f4210c440249155071cb69dc196fee4ad0770fb3a43e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\e150ada6-c241-4335-8abd-57854698ad87.vbs

Filesize
719B

MD5
28ff45bda118a3f746be98e2f2eb282a

SHA1
55db5c5296f4cea762ad6cf698c414602c5e77ba

SHA256
14fe451ec4098449ad4555a5135ce2843952885e68f8c4297e3faf06e2d63d16

SHA512
e38422d7108972a73670c5a982d0910e8d2f388d869705182683fe3530ebc3a3f6019cfbd4c9eb340f793f85fa01820ac5b6fdf346d470cad8ef7e38a674bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fef15db2-86f0-4711-a479-91c2b48d7e97.vbs

Filesize
719B

MD5
41775395a5e0368bc2a608f5e8197238

SHA1
de3342c08dc835f6da42fac66e74f05a9371402e

SHA256
7f20cf742a57e3b8de9ff6fd63cb7b2f6d9a3b6dad43be55ced0f8e9e3102068

SHA512
db7ecd54ee6c7183f708e087d2dde76d2cdcdbb6b2c2747a3394867068e0e84a676e8f1b674fd66c4dc252e73920073e1b38d1364e64db435e212b8c93ddd58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j14hHxgp42.bat

Filesize
208B

MD5
ba7e7588511a449f3f713e3d60a5ed51

SHA1
77446ef839968ef2012f31f9ec9afd366a7dbcb3

SHA256
8e7125f6e3d10f749c432d0dd163dbcc75c1474eb95eb0992f6db07d9a01a2c8

SHA512
181c868f23a8db489e1ef16c113ec6654dcd6eebb68f567efdc330090e15a536ec50cb358ab811b7437c481a2af617b0c31ad76d0662fc0af12d1ce2e0495a6b

Download Submit
C:\Users\Public\AccountPictures\conhost.exe

Filesize
5.9MB

MD5
d92af324c2dfaba08f3f8fb564c5adfb

SHA1
b948f4b0eb9168247880d92542a9b7ba642cc6ce

SHA256
ffead88c50488c23c159f1a58e0ec49ab6af1872ae1573ead2c30df9720ec46d

SHA512
bf241fb4a091b16307a85a8fe9879ec0ce3c72439dbd1428102028626388cbfe88e4c412b31a8d5de4d458bb5d6b69e30efa4e3960bf9ea699cb0efe57ccedf1

Download Submit
memory/1028-18-0x000000001BD70000-0x000000001BDC6000-memory.dmp

Filesize
344KB

Download
memory/1028-24-0x000000001D6B0000-0x000000001D6C2000-memory.dmp

Filesize
72KB

Download
memory/1028-40-0x000000001D9D0000-0x000000001D9DA000-memory.dmp

Filesize
40KB

Download
memory/1028-41-0x000000001D9E0000-0x000000001D9EC000-memory.dmp

Filesize
48KB

Download
memory/1028-39-0x000000001D9C0000-0x000000001D9C8000-memory.dmp

Filesize
32KB

Download
memory/1028-38-0x000000001D790000-0x000000001D79C000-memory.dmp

Filesize
48KB

Download
memory/1028-37-0x000000001D780000-0x000000001D788000-memory.dmp

Filesize
32KB

Download
memory/1028-35-0x000000001D760000-0x000000001D768000-memory.dmp

Filesize
32KB

Download
memory/1028-34-0x000000001D750000-0x000000001D75E000-memory.dmp

Filesize
56KB

Download
memory/1028-33-0x000000001D740000-0x000000001D74A000-memory.dmp

Filesize
40KB

Download
memory/1028-32-0x000000001D730000-0x000000001D73C000-memory.dmp

Filesize
48KB

Download
memory/1028-31-0x000000001D9B0000-0x000000001D9B8000-memory.dmp

Filesize
32KB

Download
memory/1028-25-0x000000001DCE0000-0x000000001E208000-memory.dmp

Filesize
5.2MB

Download
memory/1028-21-0x000000001D7A0000-0x000000001D7AC000-memory.dmp

Filesize
48KB

Download
memory/1028-20-0x000000001BDD0000-0x000000001BDD8000-memory.dmp

Filesize
32KB

Download
memory/1028-27-0x000000001D6F0000-0x000000001D6FC000-memory.dmp

Filesize
48KB

Download
memory/1028-28-0x000000001D700000-0x000000001D708000-memory.dmp

Filesize
32KB

Download
memory/1028-30-0x000000001D720000-0x000000001D72C000-memory.dmp

Filesize
48KB

Download
memory/1028-29-0x000000001D710000-0x000000001D71C000-memory.dmp

Filesize
48KB

Download
memory/1028-1-0x0000000000730000-0x0000000001028000-memory.dmp

Filesize
9.0MB

Download
memory/1028-132-0x00007FFEEE2A0000-0x00007FFEEED61000-memory.dmp

Filesize
10.8MB

Download
memory/1028-26-0x000000001D6E0000-0x000000001D6EC000-memory.dmp

Filesize
48KB

Download
memory/1028-22-0x000000001D6A0000-0x000000001D6A8000-memory.dmp

Filesize
32KB

Download
memory/1028-36-0x000000001D770000-0x000000001D77E000-memory.dmp

Filesize
56KB

Download
memory/1028-19-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/1028-0-0x00007FFEEE2A3000-0x00007FFEEE2A5000-memory.dmp

Filesize
8KB

Download
memory/1028-17-0x000000001BD60000-0x000000001BD6A000-memory.dmp

Filesize
40KB

Download
memory/1028-5-0x0000000001870000-0x000000000187E000-memory.dmp

Filesize
56KB

Download
memory/1028-15-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/1028-2-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1028-16-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/1028-14-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/1028-8-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/1028-10-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/1028-13-0x00000000031F0000-0x0000000003202000-memory.dmp

Filesize
72KB

Download
memory/1028-11-0x00000000031C0000-0x00000000031D6000-memory.dmp

Filesize
88KB

Download
memory/1028-3-0x00007FFEEE2A0000-0x00007FFEEED61000-memory.dmp

Filesize
10.8MB

Download
memory/1028-12-0x00000000031E0000-0x00000000031E8000-memory.dmp

Filesize
32KB

Download
memory/1028-4-0x0000000001860000-0x000000000186E000-memory.dmp

Filesize
56KB

Download
memory/1028-9-0x00000000031A0000-0x00000000031A8000-memory.dmp

Filesize
32KB

Download
memory/1028-7-0x0000000003180000-0x000000000319C000-memory.dmp

Filesize
112KB

Download
memory/1028-6-0x0000000001880000-0x0000000001888000-memory.dmp

Filesize
32KB

Download
memory/2064-106-0x000001D39EF00000-0x000001D39EF22000-memory.dmp

Filesize
136KB

Download
memory/2644-319-0x000000001C2E0000-0x000000001C2F2000-memory.dmp

Filesize
72KB

Download
memory/3688-380-0x000000001BE10000-0x000000001BE22000-memory.dmp

Filesize
72KB

Download
memory/4368-306-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

Filesize
72KB

Download
memory/5132-242-0x0000000000C60000-0x0000000001558000-memory.dmp

Filesize
9.0MB

Download
memory/5768-293-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

Filesize
72KB

Download