dcrat | f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Size

1.8MB
MD5

466d3339a6316e66b95f518633917d70
SHA1

a9e63aa789eeb63ccf3a0d848593cefc85b2176f
SHA256

f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f
SHA512

2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02
SSDEEP

49152:2hjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:2gVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	972	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	972	schtasks.exe	87

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 25 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1836-0-0x0000000000330000-0x00000000004FE000-memory.dmp	dcrat
behavioral2/files/0x0006000000022e4d-26.dat	dcrat
behavioral2/files/0x0009000000022d5b-111.dat	dcrat
behavioral2/files/0x0006000000022e44-340.dat	dcrat
behavioral2/files/0x0006000000022e44-339.dat	dcrat
behavioral2/files/0x0006000000022e44-354.dat	dcrat
behavioral2/files/0x0007000000022e7a-360.dat	dcrat
behavioral2/files/0x0006000000022e44-368.dat	dcrat
behavioral2/files/0x0007000000022e7a-373.dat	dcrat
behavioral2/files/0x0006000000022e44-381.dat	dcrat
behavioral2/files/0x0007000000022e7a-386.dat	dcrat
behavioral2/files/0x0006000000022e44-394.dat	dcrat
behavioral2/files/0x0007000000022e7a-399.dat	dcrat
behavioral2/files/0x0006000000022e44-407.dat	dcrat
behavioral2/files/0x0007000000022e7a-413.dat	dcrat
behavioral2/files/0x0006000000022e44-421.dat	dcrat
behavioral2/files/0x0007000000022e7a-427.dat	dcrat
behavioral2/files/0x0006000000022e44-435.dat	dcrat
behavioral2/files/0x0007000000022e7a-440.dat	dcrat
behavioral2/files/0x0006000000022e44-449.dat	dcrat
behavioral2/files/0x0007000000022e7a-454.dat	dcrat
behavioral2/files/0x0006000000022e44-462.dat	dcrat
behavioral2/files/0x0007000000022e7a-467.dat	dcrat
behavioral2/files/0x0006000000022e44-475.dat	dcrat
behavioral2/files/0x0007000000022e7a-480.dat	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 11 IoCs

pid	Process
5504	csrss.exe
6032	csrss.exe
5292	csrss.exe
5244	csrss.exe
2852	csrss.exe
5308	csrss.exe
6060	csrss.exe
5100	csrss.exe
5144	csrss.exe
536	csrss.exe
772	csrss.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC9CD.tmp	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXCE05.tmp	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File created	C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File created	C:\Program Files\7-Zip\Lang\eddb19405b7ce1	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\e1ef82546f0b02	NEAS.466d3339a6316e66b95f518633917d70_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2352	schtasks.exe
768	schtasks.exe
1956	schtasks.exe
2980	schtasks.exe
4608	schtasks.exe
2080	schtasks.exe
916	schtasks.exe
4776	schtasks.exe
856	schtasks.exe
4048	schtasks.exe
1168	schtasks.exe
2532	schtasks.exe
2572	schtasks.exe
4472	schtasks.exe
2152	schtasks.exe
3536	schtasks.exe
3572	schtasks.exe
4780	schtasks.exe
2692	schtasks.exe
876	schtasks.exe
4140	schtasks.exe
1020	schtasks.exe
3028	schtasks.exe
3976	schtasks.exe
4068	schtasks.exe
1144	schtasks.exe
4812	schtasks.exe
2416	schtasks.exe
216	schtasks.exe
5060	schtasks.exe
960	schtasks.exe
4036	schtasks.exe
1720	schtasks.exe
2708	schtasks.exe
4072	schtasks.exe
3344	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
2368	powershell.exe
2368	powershell.exe
4232	powershell.exe
4232	powershell.exe
2460	powershell.exe
2460	powershell.exe
2132	powershell.exe
2132	powershell.exe
2244	powershell.exe
2244	powershell.exe
3080	powershell.exe
3080	powershell.exe
3908	powershell.exe
3908	powershell.exe
916	powershell.exe
916	powershell.exe
1196	powershell.exe
1196	powershell.exe
1880	powershell.exe
1880	powershell.exe
2264	powershell.exe
2264	powershell.exe
3620	powershell.exe
3620	powershell.exe
3340	powershell.exe
3340	powershell.exe
4232	powershell.exe
4232	powershell.exe
2368	powershell.exe
2368	powershell.exe
2244	powershell.exe
2132	powershell.exe
3080	powershell.exe
2460	powershell.exe
2460	powershell.exe
1880	powershell.exe
1196	powershell.exe
916	powershell.exe
3340	powershell.exe
3908	powershell.exe
2264	powershell.exe
3620	powershell.exe
5504	csrss.exe
5504	csrss.exe
6032	csrss.exe
6032	csrss.exe
5292	csrss.exe
5292	csrss.exe
5244	csrss.exe
5244	csrss.exe
2852	csrss.exe
2852	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	5504	csrss.exe
Token: SeDebugPrivilege	6032	csrss.exe
Token: SeDebugPrivilege	5292	csrss.exe
Token: SeDebugPrivilege	5244	csrss.exe
Token: SeDebugPrivilege	2852	csrss.exe
Token: SeDebugPrivilege	5308	csrss.exe
Token: SeDebugPrivilege	6060	csrss.exe
Token: SeDebugPrivilege	5100	csrss.exe
Token: SeDebugPrivilege	5144	csrss.exe
Token: SeDebugPrivilege	536	csrss.exe
Token: SeDebugPrivilege	772	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1880	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	132
PID 1836 wrote to memory of 1880	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	132
PID 1836 wrote to memory of 2460	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	133
PID 1836 wrote to memory of 2460	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	133
PID 1836 wrote to memory of 3080	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	134
PID 1836 wrote to memory of 3080	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	134
PID 1836 wrote to memory of 2368	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	135
PID 1836 wrote to memory of 2368	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	135
PID 1836 wrote to memory of 3620	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	136
PID 1836 wrote to memory of 3620	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	136
PID 1836 wrote to memory of 2244	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	156
PID 1836 wrote to memory of 2244	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	156
PID 1836 wrote to memory of 1196	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	155
PID 1836 wrote to memory of 1196	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	155
PID 1836 wrote to memory of 2264	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	154
PID 1836 wrote to memory of 2264	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	154
PID 1836 wrote to memory of 916	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	153
PID 1836 wrote to memory of 916	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	153
PID 1836 wrote to memory of 4232	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	151
PID 1836 wrote to memory of 4232	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	151
PID 1836 wrote to memory of 3340	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	149
PID 1836 wrote to memory of 3340	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	149
PID 1836 wrote to memory of 3908	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	148
PID 1836 wrote to memory of 3908	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	148
PID 1836 wrote to memory of 2132	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	145
PID 1836 wrote to memory of 2132	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	145
PID 1836 wrote to memory of 4088	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	158
PID 1836 wrote to memory of 4088	1836	NEAS.466d3339a6316e66b95f518633917d70_JC.exe	158
PID 4088 wrote to memory of 5844	4088	cmd.exe	162
PID 4088 wrote to memory of 5844	4088	cmd.exe	162
PID 4088 wrote to memory of 5504	4088	cmd.exe	163
PID 4088 wrote to memory of 5504	4088	cmd.exe	163
PID 5504 wrote to memory of 5780	5504	csrss.exe	164
PID 5504 wrote to memory of 5780	5504	csrss.exe	164
PID 5504 wrote to memory of 3540	5504	csrss.exe	165
PID 5504 wrote to memory of 3540	5504	csrss.exe	165
PID 5780 wrote to memory of 6032	5780	WScript.exe	167
PID 5780 wrote to memory of 6032	5780	WScript.exe	167
PID 6032 wrote to memory of 4424	6032	csrss.exe	168
PID 6032 wrote to memory of 4424	6032	csrss.exe	168
PID 6032 wrote to memory of 5368	6032	csrss.exe	169
PID 6032 wrote to memory of 5368	6032	csrss.exe	169
PID 4424 wrote to memory of 5292	4424	WScript.exe	172
PID 4424 wrote to memory of 5292	4424	WScript.exe	172
PID 5292 wrote to memory of 2184	5292	csrss.exe	174
PID 5292 wrote to memory of 2184	5292	csrss.exe	174
PID 5292 wrote to memory of 2156	5292	csrss.exe	175
PID 5292 wrote to memory of 2156	5292	csrss.exe	175
PID 2184 wrote to memory of 5244	2184	WScript.exe	179
PID 2184 wrote to memory of 5244	2184	WScript.exe	179
PID 5244 wrote to memory of 5316	5244	csrss.exe	181
PID 5244 wrote to memory of 5316	5244	csrss.exe	181
PID 5244 wrote to memory of 5084	5244	csrss.exe	182
PID 5244 wrote to memory of 5084	5244	csrss.exe	182
PID 5316 wrote to memory of 2852	5316	WScript.exe	183
PID 5316 wrote to memory of 2852	5316	WScript.exe	183
PID 2852 wrote to memory of 1376	2852	csrss.exe	184
PID 2852 wrote to memory of 1376	2852	csrss.exe	184
PID 2852 wrote to memory of 5584	2852	csrss.exe	185
PID 2852 wrote to memory of 5584	2852	csrss.exe	185
PID 1376 wrote to memory of 5308	1376	WScript.exe	186
PID 1376 wrote to memory of 5308	1376	WScript.exe	186
PID 5308 wrote to memory of 3740	5308	csrss.exe	187
PID 5308 wrote to memory of 3740	5308	csrss.exe	187

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.466d3339a6316e66b95f518633917d70_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.466d3339a6316e66b95f518633917d70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.466d3339a6316e66b95f518633917d70_JC.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEAS.466d3339a6316e66b95f518633917d70_JC.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\unsecapp.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RU6Ya2tl6U.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5844
- - C:\Users\Default User\csrss.exe
    "C:\Users\Default User\csrss.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbfa0393-187b-46f6-944f-f34b1f346a2b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5780
    - - C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77661900-db5c-47cb-80fb-1dd318f9bc89.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea16699-c62d-41ad-b6af-8955b0d4a881.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c408e5b-b56d-4468-9e78-bb09ff3695b2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5316
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af00713c-8f02-41fc-8cf5-26fb6348e485.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb1d0fd-af13-4a8e-9392-be76f43fda42.vbs"
        14⤵
        
        PID:3740
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ef48191-ffc0-4b4c-b6b1-147ec39f4740.vbs"
        16⤵
        
        PID:5432
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32a0b032-d47c-4e55-9e62-63352482f0be.vbs"
        18⤵
        
        PID:4560
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9ed56d5-4b67-4b7d-8ad1-4f737b8f3ee2.vbs"
        20⤵
        
        PID:1580
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\548c699a-095b-4d7e-a57d-91cf3c0a9161.vbs"
        22⤵
        
        PID:2664
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20441d37-12a0-4a92-9e56-5fcf02ee772a.vbs"
        24⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae08b754-c95b-4788-befb-e358d4b56ddf.vbs"
        24⤵
        
        PID:5508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a577d24f-0e6b-471f-a379-85cbcd395113.vbs"
        22⤵
        
        PID:5244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78a52ae4-4ba9-4bfd-a4ba-5dc7474d6078.vbs"
        20⤵
        
        PID:6108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc52360-66ec-4a59-8499-87ea49546f2c.vbs"
        18⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01e7fb5-63ac-41a3-9a56-b11fcdf28cd9.vbs"
        16⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367c5fee-9bb8-4421-a32d-fbba7ca9a507.vbs"
        14⤵
        
        PID:5428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebf66748-aacc-4e6a-a889-4b4d4c258550.vbs"
        12⤵
        
        PID:5584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33065749-d51c-40e6-ba3f-a6c55b259c26.vbs"
        10⤵
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc129aa2-6c02-47d3-aa70-79cf872a1637.vbs"
        8⤵
        
        PID:2156
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43963d8d-e550-472d-a65e-d7da5b230d01.vbs"
        6⤵
        
        PID:5368
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d63bf68-70af-4551-bd6f-78557556f795.vbs"
      4⤵
      PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
662c6b9373ca36a07ad92048f50c059c

SHA1
8ba4e5839be3de6264abfa03cc34710158f3e6ea

SHA256
cbca7cc398c324238218a6f3ed796910b4a55c967987e4620cc062424f2938d2

SHA512
b734c055e3535cbc68200694d3defb41ae78e36d7d9b59c2cb65fff29ca560c4b21c274471448535f56c53e4c5a0e0dc59c20a1d77df719344d1bf3ad3ac869b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
662c6b9373ca36a07ad92048f50c059c

SHA1
8ba4e5839be3de6264abfa03cc34710158f3e6ea

SHA256
cbca7cc398c324238218a6f3ed796910b4a55c967987e4620cc062424f2938d2

SHA512
b734c055e3535cbc68200694d3defb41ae78e36d7d9b59c2cb65fff29ca560c4b21c274471448535f56c53e4c5a0e0dc59c20a1d77df719344d1bf3ad3ac869b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96cb80a142b37ab4b3b6006fb9344bac

SHA1
cfb0d756fbad277e9c508cbea162cf16ea28bd8d

SHA256
bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6

SHA512
d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96cb80a142b37ab4b3b6006fb9344bac

SHA1
cfb0d756fbad277e9c508cbea162cf16ea28bd8d

SHA256
bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6

SHA512
d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96cb80a142b37ab4b3b6006fb9344bac

SHA1
cfb0d756fbad277e9c508cbea162cf16ea28bd8d

SHA256
bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6

SHA512
d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60dadce00853b94120f52606ccdf6b58

SHA1
39c8af646ae33ba0d02544d8ef98bd24c1dd35db

SHA256
1415bc8dff8b06c6276ffc0dbbea341ebd8160e9d47100ca0ae1bb1c33c35e8c

SHA512
6729950cb83878bb8f16e37b17d1590edae3132118401a9e15c3b8e9102db0e27b1262a4461c97facfd855ceb4e345f4d5bdc56b1a154e31013638d36d43da4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30d47aa3475456bab00c70836f17c331

SHA1
9e0ce618975aa87d473901b87df8841ed9f37930

SHA256
4d8b29ae16dd454fb93ee55d11ed92e2953ad1070680e0aa1dceaba1b8131aa8

SHA512
5ba2259e9ad8bfddea19b73c8f6ecec8e66e1b6efd8a96b437659f5fd0cb135310fcc237aff43a0f54b3966545281480b341266bfa05566caffc7919ebff8867

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c408e5b-b56d-4468-9e78-bb09ff3695b2.vbs

Filesize
707B

MD5
b606ac298b1b8f42131c675e4f4e7898

SHA1
53be7d107095cef04a13faac78088ca797b0f096

SHA256
ca3bedb3a76f71a37abe2f3609e335135dd1092ac902f756d599c539d8a2cd26

SHA512
3f25ae588229a82d529d43727db749ed5cfcfec9c205ae4fa3042072403959f6d56da29d0312b56c8e6b0146844cc70704574ab787376507c3728557d0b4b926

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dc52360-66ec-4a59-8499-87ea49546f2c.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\20441d37-12a0-4a92-9e56-5fcf02ee772a.vbs

Filesize
706B

MD5
f24d11c3dfc78895b84600ce313d56b5

SHA1
1f3f2ae506a988817d7e8b5350947b5165d75d5e

SHA256
755ed91d98282ad553ac1600c871f7d9b3ee202179d7b4a72903ea1740bd2923

SHA512
8ac7c4bc9382e4eb64eb38ed6b483b321769cbe8025a34e828d04746aab816101299bfcc40f0e0874b93e9b80c6b31635b7c2850594ec9ded8a0c2857efc8cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\32a0b032-d47c-4e55-9e62-63352482f0be.vbs

Filesize
707B

MD5
a8d0beda113c9f124b028ab92a9f50b6

SHA1
13090da363b02014cbdb71ff03ad1d3cf3d0d697

SHA256
cd001ad654401d49cc26b1298cfc5474105593f6f617291af03c2a4e3cc5ed04

SHA512
ea1fa4c3f775ea6af86f413bc6333526bc4549f7ca65fdbdaba662f35af72151d24a74034e41d0b011581cd88e705046ed22ca713aeebc7a5cae1943822f5d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\33065749-d51c-40e6-ba3f-a6c55b259c26.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\367c5fee-9bb8-4421-a32d-fbba7ca9a507.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fb1d0fd-af13-4a8e-9392-be76f43fda42.vbs

Filesize
707B

MD5
cfe44bd555253b3b87aca9fb632d30b6

SHA1
46c1530f3682030fae88aeed45e6f28270b83f9f

SHA256
3aa0ee93526b9fbe668aa535f8ad47d4c144667f0af3f8e54f0bf08dc04116a7

SHA512
5c2d1d23268b8f609d8b3ad8d8bf6041da8552f6525c122e6f7c52650271e47cffdb307d19aaffd66de84defc073eea715286a53366d6bd47d56e8a0457fd5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\43963d8d-e550-472d-a65e-d7da5b230d01.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\43963d8d-e550-472d-a65e-d7da5b230d01.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\548c699a-095b-4d7e-a57d-91cf3c0a9161.vbs

Filesize
706B

MD5
a4027f171234218576f1056ec20509cc

SHA1
d08ac4f0a17b9af52502f8fc397ade9b82b9f2f7

SHA256
fc0dac9113ee79d7e48136ed62ccb0114dff21cd274df67d1de6ee4d0b0a3260

SHA512
ecc9e1fe996421b4fd34a09ee192f51f5153f0003abb592dea3c3b87fa5def59d8500ddcda2ae8fbb1b009d2f9c4052e241ecdfa8d8486296ff092837c78d954

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d63bf68-70af-4551-bd6f-78557556f795.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ef48191-ffc0-4b4c-b6b1-147ec39f4740.vbs

Filesize
707B

MD5
03336227011e17beb43ad20bacfd3c2f

SHA1
1053cf7b0eda229faa40489ed91f4856e4c78b03

SHA256
6cd5586f87187d8e35da5b373e2a15d20be415f95a5aff73f49cc7d73b365428

SHA512
4a3796ae1488a2ae7df7cc7de3191c971a9387e69948e7e3bcadb746ff899caee3d6b526ace9a398315e4abfba9b3f621983ef8ea61eb28b292cbe03632f6bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\77661900-db5c-47cb-80fb-1dd318f9bc89.vbs

Filesize
707B

MD5
760e1094290abf3cec254420fdaf4a38

SHA1
d0c0189b2271866ab46bbb8d9cc0d612ca56a81c

SHA256
2f7a9d819b6f2c2d7fad4d5cb2d1d5abd28d780712f5b08122a5e37d6b09b3ae

SHA512
4c9fb318091aa8ea6d2366b5ac7c388e70ea71fdcd4fd84bef99e6d1840d0ecdf9985051bdfbf984bd00aafc7dacad2d5d29ddccf9cd9f805c5eb584d7c56ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\78a52ae4-4ba9-4bfd-a4ba-5dc7474d6078.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\804ee5d401cf49897e59f6136674baf3cc75da9f.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RU6Ya2tl6U.bat

Filesize
196B

MD5
83c88577304a113ee7aa0598f533edf9

SHA1
ad6e654d99eaa9989ead183b76e9a5438f1277ee

SHA256
593d94c1ec34596022d09cffd2cc04958bf13ccc9f6fbc193a45592d926e7dbd

SHA512
76ba527d51e3b4fa641e3f6abf9f26cb15349aba2f04adf8d94f85b62314025775dfe9f2ed0206eb75d30642623bdb187af5c4e75e6ab9823e47971bb31be3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ymizkh5.f0p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a01e7fb5-63ac-41a3-9a56-b11fcdf28cd9.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a577d24f-0e6b-471f-a379-85cbcd395113.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9ed56d5-4b67-4b7d-8ad1-4f737b8f3ee2.vbs

Filesize
707B

MD5
b8add728dbab12c5dcdc3e5a04a38b4b

SHA1
9913fa44906aaeb6ef9e8bf66f2e308e7166aecd

SHA256
7b41e022b5efa932ac8b3b9f98f865422a09213b32133508d19409a69b571145

SHA512
893b2edd443887aa4aad95e83fdc0a3a0837ac1ed11d7c2761bd3885412ff6adb0da2c2b59d1251bdba88a62ec0c43c51f85191577ccb6b7884090d14119d1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae08b754-c95b-4788-befb-e358d4b56ddf.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\af00713c-8f02-41fc-8cf5-26fb6348e485.vbs

Filesize
707B

MD5
ea9ea35d4e528c4b4ad552b94576cbd1

SHA1
3cdc2bb50162001f320439641e24a9fa5f1565c1

SHA256
f66dbe0ed62beef8fb08c1383e75ff2845e524959a9d187b2ce3a910e32e3b65

SHA512
768d83d277243b60a15bfcbad223004add579cd288e31943eb7f38504c8af3c662813fb2ced75beae727a549699d34bbfcb99a6b0aa8e4edb56fe99043919969

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfa0393-187b-46f6-944f-f34b1f346a2b.vbs

Filesize
707B

MD5
5e2ddaeea49c6100a0a8fee65945f60c

SHA1
1787525b30ebd94c7db0f0463afb20bf355319bb

SHA256
cc4cce39fbacd8976bcd87bb3670f9fb7ed028a0663fcf666adbf9a5a5969594

SHA512
5058601ee933bb76e2b1370dc224422e7dd31bcfe286e4a5282b5dd7f226394d0df90a59c6349199c5459a04dc3975c1c3e52e2426f21783427fb4a0bef94a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc129aa2-6c02-47d3-aa70-79cf872a1637.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebf66748-aacc-4e6a-a889-4b4d4c258550.vbs

Filesize
483B

MD5
8dbc8d8d73e0fdd4057723222e58fb88

SHA1
e98b7a219273031527846cf31c3f9e06e40d98c8

SHA256
7e54b7f5d8ccab6c880c1d474da56bfc80786b628c3a1c7336569a6e47dcd682

SHA512
ed96caf75af35ba3c229a5968a6b41fb45111ef4a9ba1d4799ea9db91301816942bd8f496dffb775243decfb62f7e1fe11bbca521597f56b7371251916d18d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eea16699-c62d-41ad-b6af-8955b0d4a881.vbs

Filesize
707B

MD5
2ad73ae9a5eff225b34b824b31b3a194

SHA1
1ca86e5b265037f4bc2b07d7d791614ec3711d18

SHA256
ba9b5bbe9d5eb3b9527f6b7ec225bf0df346d7f2db5804ca05054db40432b093

SHA512
56ae0bcd1d42eeba6caafec8e8533cbe3705fbd6c1db1a170823b16a440084147e01b2d3cc7800fcdf34c279c1c9c400c6397080d7cec00536a713e4beee077d

Download Submit
C:\Users\Default User\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
466d3339a6316e66b95f518633917d70

SHA1
a9e63aa789eeb63ccf3a0d848593cefc85b2176f

SHA256
f89dc88046a2c4c2b798da907daf1a18766ec21664b273403a6ef7f870f5e93f

SHA512
2e554c626dd94ad680e26a8fae4d4677edc4f87f57a285b47dae9f738d44a3b2efa71a1f23c4b20507a8f4bdc0c45ac99f01ab5344ce6275d916fe9964bc4f02

Download Submit
C:\odt\RCXD471.tmp

Filesize
1.8MB

MD5
d8bd123e0b7c607918d17215f7c41e6a

SHA1
9a1925ddd152752153d1e9761da2e9cad7bc3935

SHA256
542a2be4dff584f2f452ef296d691fb8cc1f478ee50d75a55e4270e4bd33bab5

SHA512
5ba5464690423f9b6d6ea7803458b6e9b521b9b2a485fc12128926131bf31a7297d3940916ab73f2f3bc8a981f0711543edd3a8a951ecfd63d9e309e177de5ea

Download Submit
memory/916-275-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1196-286-0x0000029C20D10000-0x0000029C20D20000-memory.dmp

Filesize
64KB

Download
memory/1196-292-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1196-295-0x0000029C20D10000-0x0000029C20D20000-memory.dmp

Filesize
64KB

Download
memory/1196-269-0x0000029C20D10000-0x0000029C20D20000-memory.dmp

Filesize
64KB

Download
memory/1196-267-0x0000029C20D10000-0x0000029C20D20000-memory.dmp

Filesize
64KB

Download
memory/1836-11-0x000000001B180000-0x000000001B192000-memory.dmp

Filesize
72KB

Download
memory/1836-9-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/1836-1-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1836-93-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1836-17-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/1836-16-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/1836-2-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/1836-0-0x0000000000330000-0x00000000004FE000-memory.dmp

Filesize
1.8MB

Download
memory/1836-14-0x000000001B930000-0x000000001B93E000-memory.dmp

Filesize
56KB

Download
memory/1836-15-0x000000001B940000-0x000000001B94E000-memory.dmp

Filesize
56KB

Download
memory/1836-13-0x000000001B210000-0x000000001B21A000-memory.dmp

Filesize
40KB

Download
memory/1836-12-0x000000001BE60000-0x000000001C388000-memory.dmp

Filesize
5.2MB

Download
memory/1836-161-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1836-10-0x000000001B170000-0x000000001B17A000-memory.dmp

Filesize
40KB

Download
memory/1836-3-0x0000000000DE0000-0x0000000000DFC000-memory.dmp

Filesize
112KB

Download
memory/1836-121-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/1836-5-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/1836-8-0x000000001B160000-0x000000001B172000-memory.dmp

Filesize
72KB

Download
memory/1836-7-0x000000001B140000-0x000000001B156000-memory.dmp

Filesize
88KB

Download
memory/1836-6-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1836-4-0x000000001B190000-0x000000001B1E0000-memory.dmp

Filesize
320KB

Download
memory/1880-279-0x0000022F4BD90000-0x0000022F4BDA0000-memory.dmp

Filesize
64KB

Download
memory/1880-277-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/1880-282-0x0000022F4BD90000-0x0000022F4BDA0000-memory.dmp

Filesize
64KB

Download
memory/1880-278-0x0000022F4BD90000-0x0000022F4BDA0000-memory.dmp

Filesize
64KB

Download
memory/2132-280-0x00000265B5B30000-0x00000265B5B40000-memory.dmp

Filesize
64KB

Download
memory/2132-250-0x00000265B5B30000-0x00000265B5B40000-memory.dmp

Filesize
64KB

Download
memory/2132-290-0x00000265B5B30000-0x00000265B5B40000-memory.dmp

Filesize
64KB

Download
memory/2132-229-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/2244-139-0x0000017F2C280000-0x0000017F2C290000-memory.dmp

Filesize
64KB

Download
memory/2244-294-0x0000017F2C280000-0x0000017F2C290000-memory.dmp

Filesize
64KB

Download
memory/2244-137-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/2244-140-0x0000017F2C280000-0x0000017F2C290000-memory.dmp

Filesize
64KB

Download
memory/2264-284-0x000001F052BC0000-0x000001F052BD0000-memory.dmp

Filesize
64KB

Download
memory/2264-287-0x000001F052BC0000-0x000001F052BD0000-memory.dmp

Filesize
64KB

Download
memory/2264-273-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/2368-146-0x000001C2DBFA0000-0x000001C2DBFC2000-memory.dmp

Filesize
136KB

Download
memory/2368-293-0x000001C2DC000000-0x000001C2DC010000-memory.dmp

Filesize
64KB

Download
memory/2368-134-0x000001C2DC000000-0x000001C2DC010000-memory.dmp

Filesize
64KB

Download
memory/2368-132-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/2368-135-0x000001C2DC000000-0x000001C2DC010000-memory.dmp

Filesize
64KB

Download
memory/2368-285-0x000001C2DC000000-0x000001C2DC010000-memory.dmp

Filesize
64KB

Download
memory/2460-289-0x00000162C3040000-0x00000162C3050000-memory.dmp

Filesize
64KB

Download
memory/2460-228-0x00000162C3040000-0x00000162C3050000-memory.dmp

Filesize
64KB

Download
memory/2460-281-0x00000162C3040000-0x00000162C3050000-memory.dmp

Filesize
64KB

Download
memory/2460-218-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/3080-160-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/3080-177-0x000001D5D2D40000-0x000001D5D2D50000-memory.dmp

Filesize
64KB

Download
memory/3080-162-0x000001D5D2D40000-0x000001D5D2D50000-memory.dmp

Filesize
64KB

Download
memory/3340-272-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/3340-276-0x000002B17C7F0000-0x000002B17C800000-memory.dmp

Filesize
64KB

Download
memory/3340-283-0x000002B17C7F0000-0x000002B17C800000-memory.dmp

Filesize
64KB

Download
memory/3620-288-0x000001DE7CEF0000-0x000001DE7CF00000-memory.dmp

Filesize
64KB

Download
memory/3620-274-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-270-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/3908-271-0x00000158C4510000-0x00000158C4520000-memory.dmp

Filesize
64KB

Download
memory/4232-291-0x00007FF900280000-0x00007FF900D41000-memory.dmp

Filesize
10.8MB

Download
memory/4232-136-0x00000173A17C0000-0x00000173A17D0000-memory.dmp

Filesize
64KB

Download