dcrat | 30b269ab236535ccb2035e6c2b66655cb30889a92b2218de90e22725a127c19b

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Size

1.2MB
MD5

6783cedfbb7ee848a0bb6e5f9e849945
SHA1

cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5
SHA256

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd
SHA512

be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d
SSDEEP

24576:CgUVDQapmJamx98IhSf5QdINv5dHnG3xu:C7DyfONvfu

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\", \"C:\\Windows\\Web\\Wallpaper\\Nature\\dwm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\", \"C:\\Users\\Admin\\Cookies\\spoolsv.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2632	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3008-1-0x0000000000E90000-0x0000000000FCE000-memory.dmp	dcrat
C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe	dcrat
behavioral1/memory/264-39-0x0000000000880000-0x00000000009BE000-memory.dmp	dcrat
behavioral1/memory/888-51-0x0000000001080000-0x00000000011BE000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\1826bebac22c327fada03a0cae90942bcfe25242.exe	dcrat
behavioral1/memory/2344-99-0x00000000003A0000-0x00000000004DE000-memory.dmp	dcrat
behavioral1/memory/496-111-0x0000000000D30000-0x0000000000E6E000-memory.dmp	dcrat
behavioral1/memory/2324-123-0x00000000001E0000-0x000000000031E000-memory.dmp	dcrat
behavioral1/memory/2204-135-0x0000000000FD0000-0x000000000110E000-memory.dmp	dcrat
behavioral1/memory/1656-147-0x0000000001070000-0x00000000011AE000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid process

264 System.exe
888 System.exe
1724 System.exe
1276 System.exe
2692 System.exe
2344 System.exe
496 System.exe
2324 System.exe
2204 System.exe
1656 System.exe

pid	process
264	System.exe
888	System.exe
1724	System.exe
1276	System.exe
2692	System.exe
2344	System.exe
496	System.exe
2324	System.exe
2204	System.exe
1656	System.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\dwm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Cookies\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\winlogon.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Admin\\Cookies\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\7-Zip\\Lang\\csrss.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Web\\Wallpaper\\Nature\\dwm.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files\\Windows Journal\\en-US\\taskhost.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

System.exeSystem.exeSystem.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 6 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\en-US\b75386f1303e64	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\f3b6ecef712a24	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Program Files\Windows Journal\en-US\taskhost.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Drops file in Windows directory 2 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

description	ioc	process
File created	C:\Windows\Web\Wallpaper\Nature\dwm.exe	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
File created	C:\Windows\Web\Wallpaper\Nature\6cb0b6c459d5d3	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1504	schtasks.exe
2648	schtasks.exe
2736	schtasks.exe
1360	schtasks.exe
1248	schtasks.exe
1752	schtasks.exe
236	schtasks.exe
2208	schtasks.exe
2544	schtasks.exe
2960	schtasks.exe
1972	schtasks.exe
1508	schtasks.exe
1856	schtasks.exe
2000	schtasks.exe
2772	schtasks.exe
3028	schtasks.exe
2976	schtasks.exe
1988	schtasks.exe
2548	schtasks.exe
2032	schtasks.exe
2172	schtasks.exe
2476	schtasks.exe
2740	schtasks.exe
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
3008	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
264	System.exe
888	System.exe
1724	System.exe
1276	System.exe
2692	System.exe
2344	System.exe
496	System.exe
2324	System.exe
2204	System.exe
1656	System.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	3008	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Token: SeDebugPrivilege	264	System.exe
Token: SeDebugPrivilege	888	System.exe
Token: SeDebugPrivilege	1724	System.exe
Token: SeDebugPrivilege	1276	System.exe
Token: SeDebugPrivilege	2692	System.exe
Token: SeDebugPrivilege	2344	System.exe
Token: SeDebugPrivilege	496	System.exe
Token: SeDebugPrivilege	2324	System.exe
Token: SeDebugPrivilege	2204	System.exe
Token: SeDebugPrivilege	1656	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.execmd.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exe

description	pid	process	target process
PID 3008 wrote to memory of 2288	3008	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	cmd.exe
PID 3008 wrote to memory of 2288	3008	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	cmd.exe
PID 3008 wrote to memory of 2288	3008	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe	cmd.exe
PID 2288 wrote to memory of 2988	2288	cmd.exe	w32tm.exe
PID 2288 wrote to memory of 2988	2288	cmd.exe	w32tm.exe
PID 2288 wrote to memory of 2988	2288	cmd.exe	w32tm.exe
PID 2288 wrote to memory of 264	2288	cmd.exe	System.exe
PID 2288 wrote to memory of 264	2288	cmd.exe	System.exe
PID 2288 wrote to memory of 264	2288	cmd.exe	System.exe
PID 264 wrote to memory of 2280	264	System.exe	WScript.exe
PID 264 wrote to memory of 2280	264	System.exe	WScript.exe
PID 264 wrote to memory of 2280	264	System.exe	WScript.exe
PID 264 wrote to memory of 1788	264	System.exe	WScript.exe
PID 264 wrote to memory of 1788	264	System.exe	WScript.exe
PID 264 wrote to memory of 1788	264	System.exe	WScript.exe
PID 2280 wrote to memory of 888	2280	WScript.exe	System.exe
PID 2280 wrote to memory of 888	2280	WScript.exe	System.exe
PID 2280 wrote to memory of 888	2280	WScript.exe	System.exe
PID 888 wrote to memory of 2356	888	System.exe	WScript.exe
PID 888 wrote to memory of 2356	888	System.exe	WScript.exe
PID 888 wrote to memory of 2356	888	System.exe	WScript.exe
PID 888 wrote to memory of 1208	888	System.exe	WScript.exe
PID 888 wrote to memory of 1208	888	System.exe	WScript.exe
PID 888 wrote to memory of 1208	888	System.exe	WScript.exe
PID 2356 wrote to memory of 1724	2356	WScript.exe	System.exe
PID 2356 wrote to memory of 1724	2356	WScript.exe	System.exe
PID 2356 wrote to memory of 1724	2356	WScript.exe	System.exe
PID 1724 wrote to memory of 2684	1724	System.exe	WScript.exe
PID 1724 wrote to memory of 2684	1724	System.exe	WScript.exe
PID 1724 wrote to memory of 2684	1724	System.exe	WScript.exe
PID 1724 wrote to memory of 2404	1724	System.exe	WScript.exe
PID 1724 wrote to memory of 2404	1724	System.exe	WScript.exe
PID 1724 wrote to memory of 2404	1724	System.exe	WScript.exe
PID 2684 wrote to memory of 1276	2684	WScript.exe	System.exe
PID 2684 wrote to memory of 1276	2684	WScript.exe	System.exe
PID 2684 wrote to memory of 1276	2684	WScript.exe	System.exe
PID 1276 wrote to memory of 2036	1276	System.exe	WScript.exe
PID 1276 wrote to memory of 2036	1276	System.exe	WScript.exe
PID 1276 wrote to memory of 2036	1276	System.exe	WScript.exe
PID 1276 wrote to memory of 2736	1276	System.exe	WScript.exe
PID 1276 wrote to memory of 2736	1276	System.exe	WScript.exe
PID 1276 wrote to memory of 2736	1276	System.exe	WScript.exe
PID 2036 wrote to memory of 2692	2036	WScript.exe	System.exe
PID 2036 wrote to memory of 2692	2036	WScript.exe	System.exe
PID 2036 wrote to memory of 2692	2036	WScript.exe	System.exe
PID 2692 wrote to memory of 1236	2692	System.exe	WScript.exe
PID 2692 wrote to memory of 1236	2692	System.exe	WScript.exe
PID 2692 wrote to memory of 1236	2692	System.exe	WScript.exe
PID 2692 wrote to memory of 2288	2692	System.exe	WScript.exe
PID 2692 wrote to memory of 2288	2692	System.exe	WScript.exe
PID 2692 wrote to memory of 2288	2692	System.exe	WScript.exe
PID 1236 wrote to memory of 2344	1236	WScript.exe	System.exe
PID 1236 wrote to memory of 2344	1236	WScript.exe	System.exe
PID 1236 wrote to memory of 2344	1236	WScript.exe	System.exe
PID 2344 wrote to memory of 1696	2344	System.exe	WScript.exe
PID 2344 wrote to memory of 1696	2344	System.exe	WScript.exe
PID 2344 wrote to memory of 1696	2344	System.exe	WScript.exe
PID 2344 wrote to memory of 2312	2344	System.exe	WScript.exe
PID 2344 wrote to memory of 2312	2344	System.exe	WScript.exe
PID 2344 wrote to memory of 2312	2344	System.exe	WScript.exe
PID 1696 wrote to memory of 496	1696	WScript.exe	System.exe
PID 1696 wrote to memory of 496	1696	WScript.exe	System.exe
PID 1696 wrote to memory of 496	1696	WScript.exe	System.exe
PID 496 wrote to memory of 2752	496	System.exe	WScript.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

System.exeSystem.exeea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe
"C:\Users\Admin\AppData\Local\Temp\ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vHmN1gwLRe.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2988

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:264

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7255f91d-570e-4ff0-9aa1-140db6ffe714.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3fcc4f6-e46f-41b1-8728-53fa2812050d.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ad50e1-b0f6-4f97-b838-39dbd5db46c9.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1276

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d524b2ff-56a5-4dcf-a81c-1456f0172e77.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fe28e61-0a69-4096-950f-36a3b5595c37.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\184af919-2272-47ba-bbb1-881ae98be2d9.vbs"
14⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60f7d9ea-b52a-42f8-b2a4-47c0d248963b.vbs"
16⤵
PID:2752

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22544b30-de4c-4da3-9e8d-992dc6793851.vbs"
18⤵
PID:2712

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf8295f1-bfa3-4e0f-80cd-0574fbe07f0e.vbs"
20⤵
PID:1900

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aedea4b0-d004-4f8f-8ad5-600246ea43fc.vbs"
22⤵
PID:2228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f7ba2ef-c1d4-4478-8e87-a3c81309b559.vbs"
22⤵
PID:2008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18b13e80-aa25-467e-b406-022f33e9da2b.vbs"
20⤵
PID:1368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58a8feb9-62fe-4f21-b14a-7572269e09db.vbs"
18⤵
PID:2464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f79d43a-c90b-4d2a-b1c0-4273bd95eb35.vbs"
16⤵
PID:1536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b72099a3-f3e9-452d-99d8-f17c66a4bb4c.vbs"
14⤵
PID:2312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7884adb-0461-4147-805d-b54eb7da99d2.vbs"
12⤵
PID:2288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec2d6da6-82af-4287-8f31-53e7434e5f42.vbs"
10⤵
PID:2736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\026dea72-5f80-4bea-a39e-41786133a96e.vbs"
8⤵
PID:2404

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ae89590-666b-4bcb-8931-ea8774b83d90.vbs"
6⤵
PID:1208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69345017-d9a0-4604-ba47-69c867e370fe.vbs"
4⤵
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Nature\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Nature\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\csrss.exe
Filesize
1.2MB

MD5
6783cedfbb7ee848a0bb6e5f9e849945

SHA1
cdf977f9deb3c1db344a0cbaf09f3b64bfa812c5

SHA256
ea6e4e54c6aa6df24c7a386a5ac3bd9a224d69ecd629a555744e72cde043cadd

SHA512
be8440ffca1061d78c6657b0e4eaeedb2697d5cb612a66009ec2f38783c76876833348eb86b60ee06c0e076dd5ef16bf60ad59fe51ee8ee1c9ccf347e2e2f38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\02ad50e1-b0f6-4f97-b838-39dbd5db46c9.vbs
Filesize
749B

MD5
30413f690f4c5ecbed0ac0fe790d228c

SHA1
50dfb42a56d6c07e23af0b2a08502c5da07792cf

SHA256
47a190e7e3bccd0142dfd31c8bd8769dd77cc3a03c5271698483579c510feb4c

SHA512
f002c10cfc904f9fe9727d0b32fad21e2652a8774a3a0b775d0ab3b3200a387ef8b1bbde1fc1904753cad64c82a5d7bd0dc9783ad1943e8927997858a231eb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\1826bebac22c327fada03a0cae90942bcfe25242.exe
Filesize
1.2MB

MD5
e0fbbed0c65afe2382e661b310391d2e

SHA1
f70dd24bd7fa902f540086115c91f013e2f137f4

SHA256
3a0b90a90638e625bb4cbcb027e22ab8890a0357175f0f412c3326d79c08aa09

SHA512
e78b6bf46d392dfa47439919fa90100eabdeea6ad77be8112adb6794e1af7c17e0f9ff83c301f46e3c8caf99c7a7877cf39098c1a5781ddcc3569a74fc9a68f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\184af919-2272-47ba-bbb1-881ae98be2d9.vbs
Filesize
749B

MD5
cf9b888319df4cd2813e163dd9c435dc

SHA1
9a6b6cf1c254da67aa65a4de47022ce4302cd0d3

SHA256
8607202b8eda639d49852553840aef4e664f59d068d1220e8dedadb0f56e08c8

SHA512
2597165139c57aa08053adf32d831cfa70a2e6b88b116f6a75dbe068eae1b132b735f35b6c6cd6620a8406f06ed29f5d3c965b91fa7cd4415c761adc2c50c6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\22544b30-de4c-4da3-9e8d-992dc6793851.vbs
Filesize
749B

MD5
7b520ded331ccf81206256ee7778f687

SHA1
a268656325322ed1b34ca048ef0e7aaf84fe580e

SHA256
aa26c4cc685934b0ead494db8cf8a53fb4a1f129d3aab45456bef199e1fb2bee

SHA512
66672609b467ecf80219995dd49049b52129bde6706393b80527100e8d68f40230cccabc8ef6557031e2278b9ed153da894793ce09451dece34a6d97758e1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fe28e61-0a69-4096-950f-36a3b5595c37.vbs
Filesize
749B

MD5
181a4459ba75657f4a516d257ead3f11

SHA1
deccef03f97f58d8b2cf4df10ba2e6bd39e5374c

SHA256
6f3e8198e4b495bd81fbe7be9ff292588d7f6a285765e3d99db98ab3d4379b83

SHA512
54ff3baaf6ee6272eb2a5899122b2aa860e5047b949502a28ee1983c17b7f6fa437229fc65e34c683a851b7b751311386fedfd9bde75c958d51846ff57da7d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\60f7d9ea-b52a-42f8-b2a4-47c0d248963b.vbs
Filesize
748B

MD5
f0d69d9e9539f17a8c8ccdc3bc507592

SHA1
fa0760bce874b14d661150746c79d623ddd3f702

SHA256
e51016829b2f1bab377dccec9954c64bd32524f3c6ffd2ee1bf8e52bd087e6a3

SHA512
5d342edfecfbad01a04e8b6816f7c79520c7a044482fa27b8ac170ec0b50a812466834a183cdfe14286ff7e4cefb66b1e81b023a11705def5066f3e7b12ad0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\69345017-d9a0-4604-ba47-69c867e370fe.vbs
Filesize
525B

MD5
b3b889e040c59af17183480e411dfecb

SHA1
3061c2fb4906455504d2da4d62a1a3a82fd970f1

SHA256
930d72897379a6858ef2302904b8bd6a40086ed5c1576effca4a5f69973aedf8

SHA512
92ceb02ea31e8f76a76a194b752fe7f5e26cf60a5b491ae17825b829b2e42061ece5ac87a93b02e1e70e4dd932181e69fcc8b481876ab57d5c2cd2a6450f7f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7255f91d-570e-4ff0-9aa1-140db6ffe714.vbs
Filesize
748B

MD5
185ad4637d1644e02487dccc5dfa681f

SHA1
1a359cf4318364a2a00d6a991f2f3ce5b283e688

SHA256
a2da0b0c7968f345a699694b647ad9d039abfcbea8ac9fd0ac4253fca5910940

SHA512
a1c222a5219ceed3440db8be65a35599bc4c812d039072aa44d7e46a342bb498e6803bda72e14208c22eb4420ad86ef3c7bac26a4603e66d1e81d8d6d1f2ee30

Download Submit
C:\Users\Admin\AppData\Local\Temp\aedea4b0-d004-4f8f-8ad5-600246ea43fc.vbs
Filesize
749B

MD5
245074806f7f6cb1968aad53be7d69e6

SHA1
814b8d79b143af2363c8f7f6f800dd651a08b3be

SHA256
d793523d5253db72877e035fa1c726071614390143eb848f10deebf29e7277d2

SHA512
3bd4f8935ecedea6a36801d272302807e114faab3c0271dc213fff78b28a846bbdf8d0536277910074b8a4bb4f28f247a301c567fe66e7ba73eab0e6e04bd149

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3fcc4f6-e46f-41b1-8728-53fa2812050d.vbs
Filesize
748B

MD5
94f01b87097239ece5bbe3cb920dd19c

SHA1
9b018aef0dcacc6bed02402f5801de9ecdd42ca4

SHA256
4f18957dcd9214a8321c186416eeff5a1abc8fc8fc32c28962d2c42616eb7a6d

SHA512
722a4dd118e10cf82490856e9d87adc0da3acd85063ed050e4aedc2dec5c52fc510cbf10a89ca3dcaa5e114c95a23b696376d9dbfeeffcc0a383483f5aff5674

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf8295f1-bfa3-4e0f-80cd-0574fbe07f0e.vbs
Filesize
749B

MD5
0204e819fc0e1aceaf49f1a8f320d2e5

SHA1
42b37d728ee2094917075a6b4f8d432fe5186011

SHA256
f1d0ad9edd3b1fe15e0136eff64d88a7dce3f2143ccc49f79e9e85b9d391d793

SHA512
dd97086c654896855a452ac27be9af85b049acb03bc35f904c2f234c7af76ac81ffb96f255fe60029bea30251f54309ef525677d310fe3240fdfbf6c3c711391

Download Submit
C:\Users\Admin\AppData\Local\Temp\d524b2ff-56a5-4dcf-a81c-1456f0172e77.vbs
Filesize
749B

MD5
84ac8c22b856ced885e911e9add90ea8

SHA1
8062026a19378514e96c8d072c532539168a0e1f

SHA256
643d0ec23f7ff9c4bfbe97c04707020ae5fe1af8e455fe412f70992d4ccd1053

SHA512
ab5ccb82d474b090f6261fbba65b5eeb3ee7d347cdb5dc6d7c940b01414103aea93c8a0c179ca9bf5fd2533178bddfe9088310639a02c3064af20f12597a0550

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHmN1gwLRe.bat
Filesize
238B

MD5
3c9e68cbaaa3c4a0f3efa15b89137b19

SHA1
b4e0db21f98e0855d939bf539ebd0d3ce3ee6a8e

SHA256
4fa22a82d4afe22c0930ba6f2188139ea608f4cb069c9f207372b56532f968ab

SHA512
d70af2190a27e4d7209760dfbbe25fa3250ab475a6811aa7800d54161918289671f2de112d3409ca0d95142bfc2b648e1fedba822dfff2e4d5211b1725334d31

Download Submit
memory/264-39-0x0000000000880000-0x00000000009BE000-memory.dmp

Filesize
1.2MB

Download
memory/264-40-0x0000000001F60000-0x0000000001F72000-memory.dmp

Filesize
72KB

Download
memory/496-111-0x0000000000D30000-0x0000000000E6E000-memory.dmp

Filesize
1.2MB

Download
memory/888-51-0x0000000001080000-0x00000000011BE000-memory.dmp

Filesize
1.2MB

Download
memory/888-52-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/1656-147-0x0000000001070000-0x00000000011AE000-memory.dmp

Filesize
1.2MB

Download
memory/1724-64-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2204-135-0x0000000000FD0000-0x000000000110E000-memory.dmp

Filesize
1.2MB

Download
memory/2324-123-0x00000000001E0000-0x000000000031E000-memory.dmp

Filesize
1.2MB

Download
memory/2344-99-0x00000000003A0000-0x00000000004DE000-memory.dmp

Filesize
1.2MB

Download
memory/2692-87-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/3008-3-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/3008-4-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/3008-5-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/3008-7-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/3008-13-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/3008-6-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/3008-11-0x0000000000870000-0x000000000087E000-memory.dmp

Filesize
56KB

Download
memory/3008-12-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/3008-8-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/3008-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-36-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x0000000000E90000-0x0000000000FCE000-memory.dmp

Filesize
1.2MB

Download
memory/3008-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/3008-9-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/3008-14-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/3008-10-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download