dcrat | 3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Size

1.2MB
MD5

1e1141a8c3483801e0520a803d004dfc
SHA1

4dd65bf996f2ab466e658208cc6d36b9bd63df7f
SHA256

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229
SHA512

cc1aa00306b66af19f3fe2e32c730d928da6e5f80b78c7131ef5936d9984d5a60190ec4a061446b77d797a44a7b9a5f034e64b1c39fb5bd52c8060ec1a24c562
SSDEEP

24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	2120	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3724-0-0x0000000000C20000-0x0000000000D5A000-memory.dmp	dcrat
C:\Users\Default\spoolsv.exe	dcrat

Detects executables containing bas64 encoded gzip files 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3724-0-0x0000000000C20000-0x0000000000D5A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\Users\Default\spoolsv.exe	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3724-6-0x0000000002EA0000-0x0000000002EB0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-9-0x000000001B9A0000-0x000000001B9AA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-11-0x000000001BF00000-0x000000001BF0C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-14-0x000000001BF80000-0x000000001BF8C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-16-0x000000001C0A0000-0x000000001C0AA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-18-0x000000001C0C0000-0x000000001C0CC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3724-20-0x000000001C3E0000-0x000000001C3EA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Executes dropped EXE 14 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1160	csrss.exe
4472	csrss.exe
4904	csrss.exe
856	csrss.exe
2520	csrss.exe
4100	csrss.exe
3460	csrss.exe
2340	csrss.exe
3020	csrss.exe
4100	csrss.exe
3724	csrss.exe
372	csrss.exe
3544	csrss.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 25 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCX3944.tmp	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\ea1d8f6d871115	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Adobe\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Adobe\backgroundTaskHost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Adobe\eddb19405b7ce1	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\dotnet\swidtag\9e8d7a4ca61bd9	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows Mail\6cb0b6c459d5d3	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Adobe\backgroundTaskHost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dwm.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\MusNotification.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\886983d96e3d3e	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Mail\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Adobe\886983d96e3d3e	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\upfc.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\aa97147c4c782d	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Mail\9e8d7a4ca61bd9	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows Mail\dwm.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Adobe\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\upfc.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\Windows Mail\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\MusNotification.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Drops file in Windows directory 12 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\smss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\ServiceProfiles\smss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\ServiceProfiles\69ddcba757bf72	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Resources\backgroundTaskHost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Resources\eddb19405b7ce1	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Performance\e1ef82546f0b02	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\Resources\backgroundTaskHost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\Performance\SppExtComObj.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\INF\ServiceModelService 3.0.0.0\0000\9e8d7a4ca61bd9	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Performance\SppExtComObj.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2368	schtasks.exe
2524	schtasks.exe
4508	schtasks.exe
2368	schtasks.exe
4568	schtasks.exe
732	schtasks.exe
2484	schtasks.exe
2904	schtasks.exe
4964	schtasks.exe
1988	schtasks.exe
3676	schtasks.exe
3948	schtasks.exe
4196	schtasks.exe
1904	schtasks.exe
3004	schtasks.exe
1988	schtasks.exe
4896	schtasks.exe
2944	schtasks.exe
3120	schtasks.exe
3972	schtasks.exe
1956	schtasks.exe
1396	schtasks.exe
4800	schtasks.exe
892	schtasks.exe
2520	schtasks.exe
4928	schtasks.exe
4592	schtasks.exe
3500	schtasks.exe
2896	schtasks.exe
2124	schtasks.exe
2400	schtasks.exe
3948	schtasks.exe
4508	schtasks.exe
3532	schtasks.exe
4108	schtasks.exe
3308	schtasks.exe
2216	schtasks.exe
2080	schtasks.exe
2400	schtasks.exe
2720	schtasks.exe
3712	schtasks.exe
4300	schtasks.exe
2616	schtasks.exe
3824	schtasks.exe
2356	schtasks.exe
3500	schtasks.exe
4476	schtasks.exe
1436	schtasks.exe
4552	schtasks.exe
4900	schtasks.exe
4016	schtasks.exe
960	schtasks.exe
4596	schtasks.exe
3868	schtasks.exe

Modifies registry class 15 IoCs

Processes:

csrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

pid	process
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Token: SeDebugPrivilege	3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Token: SeDebugPrivilege	1160	csrss.exe
Token: SeDebugPrivilege	4472	csrss.exe
Token: SeDebugPrivilege	4904	csrss.exe
Token: SeDebugPrivilege	856	csrss.exe
Token: SeDebugPrivilege	2520	csrss.exe
Token: SeDebugPrivilege	4100	csrss.exe
Token: SeDebugPrivilege	3460	csrss.exe
Token: SeDebugPrivilege	2340	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	4100	csrss.exe
Token: SeDebugPrivilege	3724	csrss.exe
Token: SeDebugPrivilege	372	csrss.exe
Token: SeDebugPrivilege	3544	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	process	target process
PID 3724 wrote to memory of 3772	3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 3724 wrote to memory of 3772	3724	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 3772 wrote to memory of 1160	3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	csrss.exe
PID 3772 wrote to memory of 1160	3772	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	csrss.exe
PID 1160 wrote to memory of 5100	1160	csrss.exe	WScript.exe
PID 1160 wrote to memory of 5100	1160	csrss.exe	WScript.exe
PID 1160 wrote to memory of 800	1160	csrss.exe	WScript.exe
PID 1160 wrote to memory of 800	1160	csrss.exe	WScript.exe
PID 5100 wrote to memory of 4472	5100	WScript.exe	csrss.exe
PID 5100 wrote to memory of 4472	5100	WScript.exe	csrss.exe
PID 4472 wrote to memory of 2716	4472	csrss.exe	WScript.exe
PID 4472 wrote to memory of 2716	4472	csrss.exe	WScript.exe
PID 4472 wrote to memory of 4044	4472	csrss.exe	WScript.exe
PID 4472 wrote to memory of 4044	4472	csrss.exe	WScript.exe
PID 2716 wrote to memory of 4904	2716	WScript.exe	csrss.exe
PID 2716 wrote to memory of 4904	2716	WScript.exe	csrss.exe
PID 4904 wrote to memory of 432	4904	csrss.exe	WScript.exe
PID 4904 wrote to memory of 432	4904	csrss.exe	WScript.exe
PID 4904 wrote to memory of 4928	4904	csrss.exe	WScript.exe
PID 4904 wrote to memory of 4928	4904	csrss.exe	WScript.exe
PID 432 wrote to memory of 856	432	WScript.exe	csrss.exe
PID 432 wrote to memory of 856	432	WScript.exe	csrss.exe
PID 856 wrote to memory of 1968	856	csrss.exe	WScript.exe
PID 856 wrote to memory of 1968	856	csrss.exe	WScript.exe
PID 856 wrote to memory of 4000	856	csrss.exe	WScript.exe
PID 856 wrote to memory of 4000	856	csrss.exe	WScript.exe
PID 1968 wrote to memory of 2520	1968	WScript.exe	csrss.exe
PID 1968 wrote to memory of 2520	1968	WScript.exe	csrss.exe
PID 2520 wrote to memory of 3960	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 3960	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 3524	2520	csrss.exe	WScript.exe
PID 2520 wrote to memory of 3524	2520	csrss.exe	WScript.exe
PID 3960 wrote to memory of 4100	3960	WScript.exe	csrss.exe
PID 3960 wrote to memory of 4100	3960	WScript.exe	csrss.exe
PID 4100 wrote to memory of 2404	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 2404	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 4084	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 4084	4100	csrss.exe	WScript.exe
PID 2404 wrote to memory of 3460	2404	WScript.exe	csrss.exe
PID 2404 wrote to memory of 3460	2404	WScript.exe	csrss.exe
PID 3460 wrote to memory of 2032	3460	csrss.exe	WScript.exe
PID 3460 wrote to memory of 2032	3460	csrss.exe	WScript.exe
PID 3460 wrote to memory of 756	3460	csrss.exe	WScript.exe
PID 3460 wrote to memory of 756	3460	csrss.exe	WScript.exe
PID 2032 wrote to memory of 2340	2032	WScript.exe	csrss.exe
PID 2032 wrote to memory of 2340	2032	WScript.exe	csrss.exe
PID 2340 wrote to memory of 2184	2340	csrss.exe	WScript.exe
PID 2340 wrote to memory of 2184	2340	csrss.exe	WScript.exe
PID 2340 wrote to memory of 2468	2340	csrss.exe	WScript.exe
PID 2340 wrote to memory of 2468	2340	csrss.exe	WScript.exe
PID 2184 wrote to memory of 3020	2184	WScript.exe	csrss.exe
PID 2184 wrote to memory of 3020	2184	WScript.exe	csrss.exe
PID 3020 wrote to memory of 2832	3020	csrss.exe	WScript.exe
PID 3020 wrote to memory of 2832	3020	csrss.exe	WScript.exe
PID 3020 wrote to memory of 2064	3020	csrss.exe	WScript.exe
PID 3020 wrote to memory of 2064	3020	csrss.exe	WScript.exe
PID 2832 wrote to memory of 4100	2832	WScript.exe	csrss.exe
PID 2832 wrote to memory of 4100	2832	WScript.exe	csrss.exe
PID 4100 wrote to memory of 2340	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 2340	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 3000	4100	csrss.exe	WScript.exe
PID 4100 wrote to memory of 3000	4100	csrss.exe	WScript.exe
PID 2340 wrote to memory of 3724	2340	WScript.exe	csrss.exe
PID 2340 wrote to memory of 3724	2340	WScript.exe	csrss.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
"C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3724

C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
"C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3772

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0484d2e-5b5d-4015-8aeb-0914f46ca6a7.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4718970b-491d-4559-81e2-241ce32ab956.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d2ba4a4-a3b2-4115-a9d2-c2cf5c2670b5.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eebda2e-1458-44c8-a026-f6f61073c1c6.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18b45085-9f2a-4c1a-b8da-58148696564d.vbs"
12⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4c4919-aad7-4784-974a-aedbd69e2be4.vbs"
14⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b8691d-051d-4d19-b024-fad55e4ff853.vbs"
16⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc7e5ad-a187-4d62-8bb5-91ccf20d18a0.vbs"
18⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd0d06cb-34ad-4b99-8f15-3865a053d6a9.vbs"
20⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a154aef-5af9-45f0-91ff-19df3270a235.vbs"
22⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\845dff38-8a33-4d03-9f7c-80d642592889.vbs"
24⤵
PID:2684

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad7bdd45-112f-47fc-9f1c-db3e99845b66.vbs"
26⤵
PID:1604

C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe"
27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a342d2f0-0c68-4e9d-83d1-87794e7a03bd.vbs"
28⤵
PID:4816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\838bda50-2b04-4cb8-a3aa-bc36feef14f0.vbs"
28⤵
PID:656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70c85e4b-0e2a-40f4-b4c7-a9f7afb985e7.vbs"
26⤵
PID:2516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e290bed-cb89-4b4e-9f4a-b7629923fec8.vbs"
24⤵
PID:5108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab58187-19e2-400b-8aa5-7efa370e298a.vbs"
22⤵
PID:3000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee0d07d-7506-4873-b6e8-57f21f82a75d.vbs"
20⤵
PID:2064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8b73fa-f68c-4bbb-a64b-0bee1d94c153.vbs"
18⤵
PID:2468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e588477-d923-4691-a9a9-8e544c86b97b.vbs"
16⤵
PID:756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7fd21d0-0cc9-4387-8049-f1436a131252.vbs"
14⤵
PID:4084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9d7b914-d437-466c-baa9-ed052f89838d.vbs"
12⤵
PID:3524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72a410ac-774f-451b-bbfd-fa2f33c7ec1f.vbs"
10⤵
PID:4000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9743f246-d5c3-4bd4-99bd-94e8e2d434bb.vbs"
8⤵
PID:4928

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73cfc4ed-e115-4dea-9fbb-98a62ca71117.vbs"
6⤵
PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47ec5d77-7341-4ca7-b4f7-0e3794f416e5.vbs"
4⤵
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Resources\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\ServiceModelService 3.0.0.0\0000\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\18b45085-9f2a-4c1a-b8da-58148696564d.vbs
Filesize
732B

MD5
80073f7eea52af65b934fa8b20092f9f

SHA1
52b790e787feaaabd343e056fcb71cfd21a503b7

SHA256
6cbe8bb4cf7fb86af3e2610014e78c65c5fe119fa682c229b8f227ab514a5794

SHA512
1eb0ec5c5cbfa537893d622eb8f974fdfa904769635ed5b8199d39fa4a71fb83c485aca555674335efa5821365616dc53ec5ee7ae09fe586b36535e13378f314

Download Submit
C:\Users\Admin\AppData\Local\Temp\4718970b-491d-4559-81e2-241ce32ab956.vbs
Filesize
732B

MD5
0c5e1366d660b71a627c937fd9eabb6b

SHA1
52777eaa6e46327b38b80d91864ddb5eaee96add

SHA256
3da54b14574bd0977f3d3e285d282064dfaaa2f9179e2a70e3fc1776a228bff1

SHA512
92ca5159730685db9f1332347d493612a191c066a8a495d0c69fab12de0cad2195a70a2b4f764b4456647bf9d51e46aebb8badd478f891e256e9e978aff76df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\47ec5d77-7341-4ca7-b4f7-0e3794f416e5.vbs
Filesize
508B

MD5
f03a4d628ecae88cceca494af3b041d9

SHA1
16e29c77c9c864e74dbb34159f6d3a09274cbbfc

SHA256
f048b7c3e79cdad31f0fca170803b38fc05b6e1ebc281f24eb8e5c5c0d6baa88

SHA512
e69f618838ea80c8fa6365e6a14a688a60670308addee313ac83a66d84c62ee115e0086abec4f9e75a75b5ca06ec825ab40bab477dccd706d4a98e4c7de15c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859
Filesize
1KB

MD5
8142e6a0b202b7b196bd069c95064cf9

SHA1
7792cf50d44f491f57f7901295de7cfde0148d63

SHA256
13c5db88726180a9b57a4d2062f419ed4d7d4ac2c292b6be843efc7034da68c2

SHA512
683dc972634c71141a54df7a40b84c27a2071bb645f1380c077e6bf923cee7aed16a9e9b125829b650027ba193aa73b9e759d9ef836652ee9ba4219afcfaf6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d2ba4a4-a3b2-4115-a9d2-c2cf5c2670b5.vbs
Filesize
732B

MD5
cd9bf4d13602150e2facbcfabc999ce6

SHA1
13d70a901fc4ccf2563ee39b08be48af928a854c

SHA256
96841ad87c089c3a8cbf23131504bc4e2b82981a685fd73b3153116cdfffdb59

SHA512
ec5cda8b019cc1ff041a13b748de263c91bdc276c597a2c64c0df64e0be63ecfd6f69941939e3878c7fab34a4b6fc074cea1b0f851f1233c3e3a69c5c98aecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eebda2e-1458-44c8-a026-f6f61073c1c6.vbs
Filesize
731B

MD5
ceed50ec53bd633e1688ebf4ab469681

SHA1
511221c57ef139496f44d7c359541b1fcb8d0688

SHA256
2b23eedc8cb046fff02a5dc47bcee456ad4f2bfcd3e4b028a9d66d169b59fe2e

SHA512
23fad3a2a80c54fd65ed7db94029bfe6172f0dc7238fa3b67456c638ba8199151a85a853f8b6f07c366bbe76087f5ce6079a130d36b0018840d393abb0b05784

Download Submit
C:\Users\Admin\AppData\Local\Temp\845dff38-8a33-4d03-9f7c-80d642592889.vbs
Filesize
732B

MD5
29173ce3bcc201b8864432af430b1406

SHA1
bd30cf29f9de720eee656adc82f6cdf89fd25bee

SHA256
3d1f143374b3d994a1cbd8c446af7f7704ea9793aa8ff4d7e27a5d70d1e22721

SHA512
aa08b4e9f08454940c228d54d6c96bfdb0c89adddcd1890a8a632611a96e684817e11e635fbef0a3978bfafe400b3a8a6c12effd82baa487e7a1cb12696b7b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\a342d2f0-0c68-4e9d-83d1-87794e7a03bd.vbs
Filesize
732B

MD5
e7c203e6b4c487d525c76ae2e08f5db8

SHA1
b87c9f07651aed341a44d98fc726fe587399fe1f

SHA256
90e69020ef3e13211b696ed05e913bd7bc6f65d8a1c5343ca39322f8d104e373

SHA512
1d273e202d31c45125882d711175175818a394dcf73161896e13117f1f0f01a29d97335fdf69c6db34df34dd5ccbaa8f1aba4e29f8386ea54f14ff09a26559dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad7bdd45-112f-47fc-9f1c-db3e99845b66.vbs
Filesize
731B

MD5
560a7fdf370ba06413b5537dd9ade4ad

SHA1
18c246ca94af5357f49e81a99c30f7c059dcd764

SHA256
05e2f651e12ee28e1d739105aa97924552a0a7f22f77159c47ae976d87051bb0

SHA512
c29bed2fa57fb308f334eed1dd512484d6ed36a0f06e974bbb1b18c31c299bb446bbc4af31459655b449290ca08c09cba46c5fb84b1db3592053a99ee7e69fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\be4c4919-aad7-4784-974a-aedbd69e2be4.vbs
Filesize
732B

MD5
d64fe7096e7f62d8aab288a6d1c09831

SHA1
33a90aa5a7611a8990f51b8d69be1d19178d34d2

SHA256
24fe77d77bf9742246046833dcc231461edd1d639529dcc993376161ad621679

SHA512
029f478f0f0f7dd2deba01a70ea673110b8ab84ad270be79300b7b6b896a74adf4f498b933c96618ea8fcb2f81403b20a1555ba7592c034a9348d53b4a6578f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7b8691d-051d-4d19-b024-fad55e4ff853.vbs
Filesize
732B

MD5
81f19114ae640a40b181773d95df039b

SHA1
666017ef989650bc499170f17c401324f2043e75

SHA256
c48a8c0a083391dcf3f1e61fc2a77b9637fcfa40ef4704e43dabbea089740481

SHA512
ae8d2616de43bbd7499e6c829dc63cff9da690caa56fa1accc35b6fb118abfa3ec3b5eca3e41b74b522cdafe876a423254b19ff00d6acc1146c7a18942800bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0484d2e-5b5d-4015-8aeb-0914f46ca6a7.vbs
Filesize
732B

MD5
e05db664c868e04df66dcf1b0a91b8a0

SHA1
76f3399691e4f8d96f79206f633e01dba2974b36

SHA256
c7b8168211debfef214972809680429006e1e3f3ac38b19dc132aef0a72ddc0a

SHA512
10d8dfa40df8453d8e5d3647414ba1d73283e6c533bb5a042a9da31be8b93f48eb5b5afa9b4e1786062e2201d3ca1c3d9d1cc4fa10bbbe6fe9abc26dddc54137

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc7e5ad-a187-4d62-8bb5-91ccf20d18a0.vbs
Filesize
732B

MD5
3861e67c480ff6cb8bb0fddfb50b6d83

SHA1
0b03cb0cdb3d95f7c0d1c02ace9f55c9abdbaaef

SHA256
9885f51180313259c868e7448ae217576e7388d845596121ad33cd3c3caa314b

SHA512
e79a8f67cbf0c98bd03d11d5b0dde2d52ff69342f6c6d8ea976efc579cff08fe82a64349b1293fb84fd76864df9a1a57c15843c2ad6167060f78caa94eaea275

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd0d06cb-34ad-4b99-8f15-3865a053d6a9.vbs
Filesize
732B

MD5
276d9e7136a187aa71925d3ddc69bcca

SHA1
a8bb73aaea6c7c341f35841417a83a9c9678f347

SHA256
0ec15071d1304894f2eb897e5de59a6d2c8d8167f3614c087943b2c2f5368fc2

SHA512
af0a21cf74a90e87b851ebc58009e82009deab8608ff766e2417ef6129f0fd8300774d2847faf0b38a9d9e13e34187a9348ff2d32ad3a9da3f985fd6d62d2739

Download Submit
C:\Users\Default\spoolsv.exe
Filesize
1.2MB

MD5
1e1141a8c3483801e0520a803d004dfc

SHA1
4dd65bf996f2ab466e658208cc6d36b9bd63df7f

SHA256
3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229

SHA512
cc1aa00306b66af19f3fe2e32c730d928da6e5f80b78c7131ef5936d9984d5a60190ec4a061446b77d797a44a7b9a5f034e64b1c39fb5bd52c8060ec1a24c562

Download Submit
memory/372-332-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/372-343-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/856-228-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/856-239-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-199-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/1160-188-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-280-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/2340-291-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-241-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/2520-252-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-304-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-293-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-278-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-267-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-345-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-15-0x000000001C090000-0x000000001C098000-memory.dmp

Filesize
32KB

Download
memory/3724-19-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

Filesize
32KB

Download
memory/3724-1-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-72-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-2-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/3724-3-0x0000000002E70000-0x0000000002E8C000-memory.dmp

Filesize
112KB

Download
memory/3724-14-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/3724-4-0x000000001BF30000-0x000000001BF80000-memory.dmp

Filesize
320KB

Download
memory/3724-13-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/3724-12-0x000000001BF10000-0x000000001BF18000-memory.dmp

Filesize
32KB

Download
memory/3724-11-0x000000001BF00000-0x000000001BF0C000-memory.dmp

Filesize
48KB

Download
memory/3724-17-0x000000001C0B0000-0x000000001C0BE000-memory.dmp

Filesize
56KB

Download
memory/3724-10-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

Filesize
48KB

Download
memory/3724-18-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/3724-330-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-8-0x0000000002EB0000-0x0000000002EB8000-memory.dmp

Filesize
32KB

Download
memory/3724-6-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/3724-16-0x000000001C0A0000-0x000000001C0AA000-memory.dmp

Filesize
40KB

Download
memory/3724-9-0x000000001B9A0000-0x000000001B9AA000-memory.dmp

Filesize
40KB

Download
memory/3724-20-0x000000001C3E0000-0x000000001C3EA000-memory.dmp

Filesize
40KB

Download
memory/3724-0-0x0000000000C20000-0x0000000000D5A000-memory.dmp

Filesize
1.2MB

Download
memory/3724-7-0x000000001BEE0000-0x000000001BEF6000-memory.dmp

Filesize
88KB

Download
memory/3724-319-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-21-0x000000001C2E0000-0x000000001C2EC000-memory.dmp

Filesize
48KB

Download
memory/3724-5-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/3772-74-0x000000001B990000-0x000000001B9A0000-memory.dmp

Filesize
64KB

Download
memory/3772-187-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-73-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-306-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-317-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4100-265-0x00007FFD32440000-0x00007FFD32F01000-memory.dmp

Filesize
10.8MB

Download
memory/4100-254-0x00007FFD32440000-0x00007FFD32F01000-memory.dmp

Filesize
10.8MB

Download
memory/4472-213-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4472-202-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-226-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-215-0x00007FFD32A10000-0x00007FFD334D1000-memory.dmp

Filesize
10.8MB

Download