dcrat | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Size

4.9MB
MD5

6cfaf22786065665e95db058e2a9a182
SHA1

d7d892832905f76a6d5b9fd6958d0026f32a64fd
SHA256

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98
SHA512

47fd9921b2ce73c24bb6df62130b7996fc936ec62cbfd634694cee5fbc1b6eeb4de0572ddc356b695129bf2a2f52a454bc35bee31105d2af83cf69d6059baf86
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1712	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1712	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exec35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2524-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2428	powershell.exe
2268	powershell.exe
2216	powershell.exe
536	powershell.exe
2156	powershell.exe
1436	powershell.exe
1296	powershell.exe
2240	powershell.exe
2072	powershell.exe
3060	powershell.exe
3064	powershell.exe
1608	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid process

2580 csrss.exe
2728 csrss.exe
2716 csrss.exe
1692 csrss.exe
324 csrss.exe
780 csrss.exe
1700 csrss.exe
2992 csrss.exe
2484 csrss.exe
2296 csrss.exe

pid	process
2580	csrss.exe
2728	csrss.exe
2716	csrss.exe
1692	csrss.exe
324	csrss.exe
780	csrss.exe
1700	csrss.exe
2992	csrss.exe
2484	csrss.exe
2296	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exec35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

Drops file in Program Files directory 12 IoCs

Processes:

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXAA44.tmp	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\69ddcba757bf72	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXB274.tmp	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXBAF0.tmp	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

Drops file in Windows directory 4 IoCs

Processes:

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

description	ioc	process
File created	C:\Windows\schemas\AvailableNetwork\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File created	C:\Windows\schemas\AvailableNetwork\c8ce31471fc57d	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXB4E5.tmp	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2752	schtasks.exe
2860	schtasks.exe
2660	schtasks.exe
1472	schtasks.exe
824	schtasks.exe
2328	schtasks.exe
2840	schtasks.exe
1244	schtasks.exe
2248	schtasks.exe
2600	schtasks.exe
1420	schtasks.exe
1812	schtasks.exe
2904	schtasks.exe
1860	schtasks.exe
1480	schtasks.exe
1716	schtasks.exe
2684	schtasks.exe
2276	schtasks.exe
2948	schtasks.exe
2864	schtasks.exe
2756	schtasks.exe
2636	schtasks.exe
1308	schtasks.exe
288	schtasks.exe
928	schtasks.exe
1304	schtasks.exe
2852	schtasks.exe
2456	schtasks.exe
528	schtasks.exe
1676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
536	powershell.exe
2268	powershell.exe
2216	powershell.exe
2156	powershell.exe
2240	powershell.exe
3060	powershell.exe
3064	powershell.exe
2072	powershell.exe
1608	powershell.exe
1296	powershell.exe
2428	powershell.exe
1436	powershell.exe
2580	csrss.exe
2728	csrss.exe
2716	csrss.exe
1692	csrss.exe
324	csrss.exe
780	csrss.exe
1700	csrss.exe
2992	csrss.exe
2484	csrss.exe
2296	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2580	csrss.exe
Token: SeDebugPrivilege	2728	csrss.exe
Token: SeDebugPrivilege	2716	csrss.exe
Token: SeDebugPrivilege	1692	csrss.exe
Token: SeDebugPrivilege	324	csrss.exe
Token: SeDebugPrivilege	780	csrss.exe
Token: SeDebugPrivilege	1700	csrss.exe
Token: SeDebugPrivilege	2992	csrss.exe
Token: SeDebugPrivilege	2484	csrss.exe
Token: SeDebugPrivilege	2296	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	process	target process
PID 2524 wrote to memory of 2268	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2268	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2268	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2216	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2216	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2216	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 536	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 536	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 536	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2240	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2240	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2240	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2072	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2072	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2072	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2156	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2156	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2156	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1436	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1436	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1436	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3060	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3060	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3060	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3064	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3064	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 3064	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1608	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1608	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1608	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2428	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2428	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 2428	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1296	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1296	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1296	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	powershell.exe
PID 2524 wrote to memory of 1584	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	cmd.exe
PID 2524 wrote to memory of 1584	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	cmd.exe
PID 2524 wrote to memory of 1584	2524	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe	cmd.exe
PID 1584 wrote to memory of 2168	1584	cmd.exe	w32tm.exe
PID 1584 wrote to memory of 2168	1584	cmd.exe	w32tm.exe
PID 1584 wrote to memory of 2168	1584	cmd.exe	w32tm.exe
PID 1584 wrote to memory of 2580	1584	cmd.exe	csrss.exe
PID 1584 wrote to memory of 2580	1584	cmd.exe	csrss.exe
PID 1584 wrote to memory of 2580	1584	cmd.exe	csrss.exe
PID 2580 wrote to memory of 1288	2580	csrss.exe	WScript.exe
PID 2580 wrote to memory of 1288	2580	csrss.exe	WScript.exe
PID 2580 wrote to memory of 1288	2580	csrss.exe	WScript.exe
PID 2580 wrote to memory of 1620	2580	csrss.exe	WScript.exe
PID 2580 wrote to memory of 1620	2580	csrss.exe	WScript.exe
PID 2580 wrote to memory of 1620	2580	csrss.exe	WScript.exe
PID 1288 wrote to memory of 2728	1288	WScript.exe	csrss.exe
PID 1288 wrote to memory of 2728	1288	WScript.exe	csrss.exe
PID 1288 wrote to memory of 2728	1288	WScript.exe	csrss.exe
PID 2728 wrote to memory of 1324	2728	csrss.exe	WScript.exe
PID 2728 wrote to memory of 1324	2728	csrss.exe	WScript.exe
PID 2728 wrote to memory of 1324	2728	csrss.exe	WScript.exe
PID 2728 wrote to memory of 2432	2728	csrss.exe	WScript.exe
PID 2728 wrote to memory of 2432	2728	csrss.exe	WScript.exe
PID 2728 wrote to memory of 2432	2728	csrss.exe	WScript.exe
PID 1324 wrote to memory of 2716	1324	WScript.exe	csrss.exe
PID 1324 wrote to memory of 2716	1324	WScript.exe	csrss.exe
PID 1324 wrote to memory of 2716	1324	WScript.exe	csrss.exe
PID 2716 wrote to memory of 1588	2716	csrss.exe	WScript.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.exec35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
"C:\Users\Admin\AppData\Local\Temp\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JwOJplm6tj.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2168

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d29cae5-9a77-4041-aa29-b01a18cccb53.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f891c33-8535-4345-b843-614f046665f5.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03983d8-3c1b-42cd-8a74-e8ac4f512800.vbs"
8⤵
PID:1588

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4341f05-8c42-428b-8b18-c7440c9ba2f2.vbs"
10⤵
PID:1308

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01726eaa-dc78-445a-92fa-b2c9f7bb2dd2.vbs"
12⤵
PID:1704

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ac7b24-1bcf-4944-9ed1-aca9eeebf8b2.vbs"
14⤵
PID:2616

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86a5c5bb-23c0-459d-928f-f6a217bc7a6d.vbs"
16⤵
PID:2256

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf79231b-6014-449d-81a3-8d22a159de80.vbs"
18⤵
PID:2540

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07073cab-23d3-4a82-9708-16d0b90e8ec5.vbs"
20⤵
PID:2984

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fc57387-af48-4323-ae1e-9b01859b8a29.vbs"
22⤵
PID:2020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7797b372-6a21-4376-b80d-317dcbab51d9.vbs"
22⤵
PID:2444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a252d17-3852-4855-9b30-54ba51aeed8d.vbs"
20⤵
PID:848

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16b815c-cd1e-42df-90aa-8acd8afca2b2.vbs"
18⤵
PID:1692

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38c33d0e-e9fc-4633-8770-749fc3cd6cd0.vbs"
16⤵
PID:1032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37864df3-3c60-4357-843e-5aab730e7dac.vbs"
14⤵
PID:2884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff53b231-41e7-479c-9a84-b95c6c980e2e.vbs"
12⤵
PID:2140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ce7b6b-636f-4d8e-b6ca-bc618aaeaf58.vbs"
10⤵
PID:2304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecbcedce-f5a1-46dc-b713-73109aac585d.vbs"
8⤵
PID:2376

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecf65f03-5779-490c-b587-d644a1c4425b.vbs"
6⤵
PID:2432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae871bf-d127-48f2-9e8d-6b054c331aa5.vbs"
4⤵
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98c" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\AvailableNetwork\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98c" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\AvailableNetwork\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe

Filesize
4.9MB

MD5
6cfaf22786065665e95db058e2a9a182

SHA1
d7d892832905f76a6d5b9fd6958d0026f32a64fd

SHA256
c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98

SHA512
47fd9921b2ce73c24bb6df62130b7996fc936ec62cbfd634694cee5fbc1b6eeb4de0572ddc356b695129bf2a2f52a454bc35bee31105d2af83cf69d6059baf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\01726eaa-dc78-445a-92fa-b2c9f7bb2dd2.vbs

Filesize
756B

MD5
cf001add78879ef5473f2d1d68eedc5f

SHA1
9f0f91b5d2fcd6e79263859199b4f9ad74d13963

SHA256
ab7beafa9fa13d8e019b595b5d2f490a1a5ed21fdfae9ab54999f4738903baed

SHA512
923b707d0e19c71a50173f09ac0e3ca1460d45b4992f16d44b1a0532d9be7cb33ac1572af322d9a5f03d2c9f66ca32e8692f5574a9b64180cb0b78b6254d779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\07073cab-23d3-4a82-9708-16d0b90e8ec5.vbs

Filesize
757B

MD5
97a684ede2aea0e343e91c698e7bc4e7

SHA1
e34781b1cd3704eeeb22162f291fe557f21d1baa

SHA256
ccc9cc94b585947c52751063e355a3fb90fae78a2bf72da28d08c06c06ea63f8

SHA512
71bd0024a3cac6dab48f9059cf5a266b262b8059a58024456666aff1f3ce03e5738bf3e4c9825192efd2aa3220454c2ef9a66e9c33f87cfae27aed903f1b43e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\37ac7b24-1bcf-4944-9ed1-aca9eeebf8b2.vbs

Filesize
756B

MD5
df0039a878deeff1e6e7fc0c0d6d6f8e

SHA1
70e902d8baea8b5875581dc05601db3eb99eb5ca

SHA256
abdcb1d50fb4f475450b729135398c905d9112f48a004b43373d14f06035001d

SHA512
d4e6a97b62b6b7f71f7943cf35fd5fe6fd55210e50ddae98b660e7472cfbf43e5ef55b61fd7ec3ca120074c73cea5f94e73c0805c1ec95faa5ba7d0cbabe35f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f891c33-8535-4345-b843-614f046665f5.vbs

Filesize
757B

MD5
acdf77dafd7148a229f8458ba10688cb

SHA1
8ba54a90878cc6f55f7487ed197e6e5ab0c5f2eb

SHA256
9803c8f7e89b8c928a714819601b0fd23a8ecb270854c0025a4b1cf7acc733c5

SHA512
d2d1343d22b7cad4a8e8861a3ce837f1819aeadd73738ce968407f577e8e7c6187059e53ba9df0027dfff7309b8627e62b58c1b63177319590be54467c304cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d29cae5-9a77-4041-aa29-b01a18cccb53.vbs

Filesize
757B

MD5
85ddcda47ef63a204ba610947b23cf16

SHA1
687eb4364a946f9acbf73bed47d79e039e9842b5

SHA256
4d1d87c6e05640b44d94e2a9b1f0050a9825a97061e11b1f3f89a2340d6baa2e

SHA512
3f9c5eb5427cc8fdace1f7ba79cc7ffcb8d3c00805a61eb2e7d96d700bf425d7fd4542464d9cc1897b3180f98022425fdd37fe712b1ec72b4f4423cb13b93ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fc57387-af48-4323-ae1e-9b01859b8a29.vbs

Filesize
757B

MD5
b65d88d8305fde3a8f900623c34d2231

SHA1
016e415b084119814fa976cece231656667ae9c4

SHA256
1571a3befd70b2e65ca3dbfc7adb7e34b7be62bb9eb408fdff9fb65e748a9d23

SHA512
2e2ece6df214a5661d2949059ba0604976931e9d5640b83ced37e2213b87ff0cc8ec20bab430cdb6bcf42cf2a4aadfc248b432f36a53628c515295c59f0f6ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\86a5c5bb-23c0-459d-928f-f6a217bc7a6d.vbs

Filesize
757B

MD5
2b20488d0f5c60757fd0c0ffcd3fd318

SHA1
5ac2993d18fe2660d7d1d291cb9f81f242ea1a4f

SHA256
a17c54f71aa822165f32778eccd21034ea15389c1defa2d2d66413088b3807e8

SHA512
940f7b7fa967d074fd711f027693c1d4b31eb6e0175bfc64e52b70d09a7bc89b3199bd9a9e772a5a4af9eb42f834816e1b3851c647090a097c57fabdc5c075c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JwOJplm6tj.bat

Filesize
246B

MD5
5d911dc2c02926fc2c7e1765651b779e

SHA1
551d14c34ae0515c50c4418a3c530e2b6e7ede62

SHA256
de3eba338eef6363660261bffb4e7b95e7a68f5a71cde5d0ea1ee848c3161b84

SHA512
8e2dffdd357e83df5f41c804e5b358dfb16c457d068071e2ae7bdacbd9aaa4c6c37215fc643e1e529d99779b0b06e0366e91cfc964b6407b0534e7011a2cbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4341f05-8c42-428b-8b18-c7440c9ba2f2.vbs

Filesize
757B

MD5
ad64f2d54666c2c0f21b2a0f3c733785

SHA1
938046753b002a8ee0408307350cd5bf549ab8d8

SHA256
9dd6065d845880fea6e5e8440a6ef0b2b599870a18852d41c5721f4525d7fdd1

SHA512
6e28b4a4ab5b1966efe88ceb7ec0e81cbb338b2ef25ba1f8794fb324d254a57b018f3d2c724202c173061e805fd9c9b7d566de28ef5b4b7cdd762ec539304b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf79231b-6014-449d-81a3-8d22a159de80.vbs

Filesize
757B

MD5
0dfb7a85bb50f393a90f727af1662841

SHA1
9f1def7543bb786c4850d5c33f32d9c9d45cba7e

SHA256
88e6d3f55620ab3ac73132fb5e813e383e14951241771682e28e26541b66ddde

SHA512
a6ffb4c79984a446b5281f582533023d7a6000b13a7a6b3c8db1b7d60f20458d00ab5307c1f6fab188ea86edbcfd30b353809cd16be884867db04637bcb18424

Download Submit
C:\Users\Admin\AppData\Local\Temp\eae871bf-d127-48f2-9e8d-6b054c331aa5.vbs

Filesize
533B

MD5
48e6656a082aad168608102735b7fac9

SHA1
5ce1da57b17aa453f1ff6a77eb4abdb6873c77fa

SHA256
10583d13e2536077bae9a1546821cb7e0845ea00648cffa5f1d639fa41445e52

SHA512
788cc6ba1be760c313b5a15af60b9981c219cfb722a9e7df9b2842615e01f5018929d3a8fa2e63e79a661702f1a460c1ec1a9b097f51d90825423d08a948529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f03983d8-3c1b-42cd-8a74-e8ac4f512800.vbs

Filesize
757B

MD5
d70ff1dc4a5de6102e9e2304616d505a

SHA1
fa7887d4124f0ad64c29d1e5028f7a137bdd4149

SHA256
b87c76a7400b9bfb97a67a91eb5556037d3d627a6e680c5ffa33cdabada91520

SHA512
10982b772f62a87ac1c2713e40b90faab63ef0ea13205669e820bcd8e39a1344d86b482e0ee656660d3d3fa27843c44da9a26f97364c5e851e3b183446b8cfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c756512db97a8aef02b21263a559802f

SHA1
20cf2fcdc28d8660a8347d3c1ba6addfa577aa88

SHA256
73d950578e327523a88808cc023beb9678294dc229f5873c4a44a2ba9eb2bfad

SHA512
f6e279a06b176083ae742a689123fda7b2996d650d9412e9e0183935b04b90074a74384c760a1e68fd05bb7226ee8f07b82ee5451d5d09f68fddfe06051f2cbb

Download Submit
memory/324-239-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/536-131-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/536-130-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/780-254-0x0000000001210000-0x0000000001704000-memory.dmp

Filesize
5.0MB

Download
memory/1692-223-0x0000000000E30000-0x0000000001324000-memory.dmp

Filesize
5.0MB

Download
memory/1692-224-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/1700-269-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2484-298-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2524-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2524-5-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2524-13-0x00000000006C0000-0x00000000006CE000-memory.dmp

Filesize
56KB

Download
memory/2524-12-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2524-11-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2524-1-0x0000000000820000-0x0000000000D14000-memory.dmp

Filesize
5.0MB

Download
memory/2524-10-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2524-128-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-9-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2524-8-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2524-7-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2524-6-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/2524-15-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2524-16-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2524-4-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2524-3-0x000000001B3D0000-0x000000001B4FE000-memory.dmp

Filesize
1.2MB

Download
memory/2524-14-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2580-180-0x0000000000910000-0x0000000000E04000-memory.dmp

Filesize
5.0MB

Download
memory/2716-208-0x0000000000970000-0x0000000000E64000-memory.dmp

Filesize
5.0MB

Download