dcrat | bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Size

4.9MB
MD5

ca190c3861eacdf16ba139b47d357da0
SHA1

10979d4dae3c2c9f91ab2d2411d0ac4badfaa59f
SHA256

bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370e
SHA512

b8f1fa6b568ed60daaaa67a7d9b3620568658630cc08ed54bc111e352e311e23524c4cc672148225b8b6f99f536567448a9a89cbe56ea05fac7408446c30fc9d
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2776	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2360-3-0x000000001B420000-0x000000001B54E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
3040	powershell.exe
2580	powershell.exe
2676	powershell.exe
2748	powershell.exe
2348	powershell.exe
2888	powershell.exe
2808	powershell.exe
2552	powershell.exe
2672	powershell.exe
2556	powershell.exe
2716	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2072	csrss.exe
2864	csrss.exe
2764	csrss.exe
3012	csrss.exe
2856	csrss.exe
2960	csrss.exe
2688	csrss.exe
2528	csrss.exe
2336	csrss.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX8DE.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Adobe\OSPPSVC.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\7ca43156cc95ba	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX66D.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\886983d96e3d3e	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXAE2.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\winlogon.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Windows Mail\ja-JP\cc11b995f2a76d	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Windows Sidebar\de-DE\886983d96e3d3e	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Adobe\1610b97d3ab4a7	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Uninstall Information\services.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCXFDEF.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files (x86)\Adobe\OSPPSVC.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX18AD.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Windows Mail\ja-JP\winlogon.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX469.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Branding\ShellBrd\24dbde2999530e	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCXCE5.tmp	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File opened for modification	C:\Windows\Branding\ShellBrd\WmiPrvSE.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
File created	C:\Windows\Branding\ShellBrd\WmiPrvSE.exe	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
1440	schtasks.exe
1628	schtasks.exe
1308	schtasks.exe
2724	schtasks.exe
1516	schtasks.exe
2456	schtasks.exe
1344	schtasks.exe
2248	schtasks.exe
2812	schtasks.exe
1468	schtasks.exe
1708	schtasks.exe
2140	schtasks.exe
696	schtasks.exe
1824	schtasks.exe
2880	schtasks.exe
1848	schtasks.exe
2996	schtasks.exe
2444	schtasks.exe
1976	schtasks.exe
772	schtasks.exe
2284	schtasks.exe
2856	schtasks.exe
1600	schtasks.exe
2004	schtasks.exe
1796	schtasks.exe
2420	schtasks.exe
2376	schtasks.exe
2784	schtasks.exe
2544	schtasks.exe
2472	schtasks.exe
2196	schtasks.exe
2608	schtasks.exe
2232	schtasks.exe
2588	schtasks.exe
1152	schtasks.exe
3068	schtasks.exe
1300	schtasks.exe
612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
2556	powershell.exe
3040	powershell.exe
2348	powershell.exe
2760	powershell.exe
2748	powershell.exe
2888	powershell.exe
2552	powershell.exe
2716	powershell.exe
2580	powershell.exe
2808	powershell.exe
2676	powershell.exe
2672	powershell.exe
2072	csrss.exe
2864	csrss.exe
2764	csrss.exe
3012	csrss.exe
2856	csrss.exe
2960	csrss.exe
2688	csrss.exe
2528	csrss.exe
2336	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2072	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	2764	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2960	csrss.exe
Token: SeDebugPrivilege	2688	csrss.exe
Token: SeDebugPrivilege	2528	csrss.exe
Token: SeDebugPrivilege	2336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	71
PID 2360 wrote to memory of 2748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	71
PID 2360 wrote to memory of 2748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	71
PID 2360 wrote to memory of 2348	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	72
PID 2360 wrote to memory of 2348	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	72
PID 2360 wrote to memory of 2348	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	72
PID 2360 wrote to memory of 2760	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	73
PID 2360 wrote to memory of 2760	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	73
PID 2360 wrote to memory of 2760	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	73
PID 2360 wrote to memory of 2556	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	74
PID 2360 wrote to memory of 2556	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	74
PID 2360 wrote to memory of 2556	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	74
PID 2360 wrote to memory of 2716	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	76
PID 2360 wrote to memory of 2716	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	76
PID 2360 wrote to memory of 2716	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	76
PID 2360 wrote to memory of 2888	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	77
PID 2360 wrote to memory of 2888	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	77
PID 2360 wrote to memory of 2888	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	77
PID 2360 wrote to memory of 3040	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	79
PID 2360 wrote to memory of 3040	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	79
PID 2360 wrote to memory of 3040	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	79
PID 2360 wrote to memory of 2808	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	80
PID 2360 wrote to memory of 2808	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	80
PID 2360 wrote to memory of 2808	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	80
PID 2360 wrote to memory of 2552	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	81
PID 2360 wrote to memory of 2552	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	81
PID 2360 wrote to memory of 2552	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	81
PID 2360 wrote to memory of 2580	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	82
PID 2360 wrote to memory of 2580	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	82
PID 2360 wrote to memory of 2580	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	82
PID 2360 wrote to memory of 2676	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	83
PID 2360 wrote to memory of 2676	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	83
PID 2360 wrote to memory of 2676	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	83
PID 2360 wrote to memory of 2672	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	86
PID 2360 wrote to memory of 2672	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	86
PID 2360 wrote to memory of 2672	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	86
PID 2360 wrote to memory of 748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	95
PID 2360 wrote to memory of 748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	95
PID 2360 wrote to memory of 748	2360	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe	95
PID 748 wrote to memory of 2856	748	cmd.exe	97
PID 748 wrote to memory of 2856	748	cmd.exe	97
PID 748 wrote to memory of 2856	748	cmd.exe	97
PID 748 wrote to memory of 2072	748	cmd.exe	98
PID 748 wrote to memory of 2072	748	cmd.exe	98
PID 748 wrote to memory of 2072	748	cmd.exe	98
PID 2072 wrote to memory of 2448	2072	csrss.exe	99
PID 2072 wrote to memory of 2448	2072	csrss.exe	99
PID 2072 wrote to memory of 2448	2072	csrss.exe	99
PID 2072 wrote to memory of 2912	2072	csrss.exe	100
PID 2072 wrote to memory of 2912	2072	csrss.exe	100
PID 2072 wrote to memory of 2912	2072	csrss.exe	100
PID 2448 wrote to memory of 2864	2448	WScript.exe	101
PID 2448 wrote to memory of 2864	2448	WScript.exe	101
PID 2448 wrote to memory of 2864	2448	WScript.exe	101
PID 2864 wrote to memory of 1708	2864	csrss.exe	102
PID 2864 wrote to memory of 1708	2864	csrss.exe	102
PID 2864 wrote to memory of 1708	2864	csrss.exe	102
PID 2864 wrote to memory of 2980	2864	csrss.exe	103
PID 2864 wrote to memory of 2980	2864	csrss.exe	103
PID 2864 wrote to memory of 2980	2864	csrss.exe	103
PID 1708 wrote to memory of 2764	1708	WScript.exe	104
PID 1708 wrote to memory of 2764	1708	WScript.exe	104
PID 1708 wrote to memory of 2764	1708	WScript.exe	104
PID 2764 wrote to memory of 2820	2764	csrss.exe	105

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe
"C:\Users\Admin\AppData\Local\Temp\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pOIrjwZGZX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2856
- - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
    "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2072
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6efe56-b459-41b4-ab2d-3bacfa6d9492.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3632e229-f3b9-488c-b89a-daff6713bfca.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f763b7-af53-4bf8-8894-0175e7439fe2.vbs"
        8⤵
        
        PID:2820
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f6e886-ade8-4d5e-a817-4182aa78a183.vbs"
        10⤵
        
        PID:2720
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42323b74-e5a8-4fe0-9b34-cbb7e1e38786.vbs"
        12⤵
        
        PID:2828
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2245ab-cd95-4c19-bd4f-b7e896ffd4da.vbs"
        14⤵
        
        PID:548
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c93063ef-8d65-434e-9cf2-76acd1e445f6.vbs"
        16⤵
        
        PID:3040
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78d849f0-af3a-43c5-bdbc-96660c11caf5.vbs"
        18⤵
        
        PID:3044
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e04a334b-5f5e-4d9c-bc73-35576ac0509d.vbs"
        20⤵
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63a984f4-51aa-4ec3-a5f6-a0e437d62bbd.vbs"
        20⤵
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8b50554-14c2-4fd9-b232-f614bbdfcfb3.vbs"
        18⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b006bb32-ef78-481d-9270-7b8609b138d9.vbs"
        16⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cefefb87-cc18-4da0-b9f3-3d7eccdcb11c.vbs"
        14⤵
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e732ed-487f-4be6-a8a0-0a021b406b0d.vbs"
        12⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8280ddef-2e84-4e71-94a7-c0b59b371417.vbs"
        10⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5626b5-52da-4a3e-8ded-2597d676138b.vbs"
        8⤵
        
        PID:1696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7468e420-0bee-4f49-9555-ad125d354e3c.vbs"
        6⤵
        
        PID:2980
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dcde7d2-dbdb-4ebf-95ee-411f161f7ce9.vbs"
      4⤵
      PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eNb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eNb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe

Filesize
4.9MB

MD5
58bcb24a5f770bfa06c76a179a6197c2

SHA1
f656da3cc9177b255f99a9ffc05aa4d15976d993

SHA256
9ecc621657029d3ca6cca234f7d8f3182c1dffca10ddb1289a7b93e8c4f2bc19

SHA512
b99163dbb99c413a0d32ee79e2047aa7544a5245c274605cdee2142edf1c9ebd795c7ff91f037b6ceccbffdb2e2136d6d27ff2496e75dcc29ab2aa8d862b11c5

Download Submit
C:\Program Files\Uninstall Information\services.exe

Filesize
4.9MB

MD5
ca190c3861eacdf16ba139b47d357da0

SHA1
10979d4dae3c2c9f91ab2d2411d0ac4badfaa59f

SHA256
bdccff9cd4748d8ec25b89bad32648a99d91d869b401c5c11a616055c801370e

SHA512
b8f1fa6b568ed60daaaa67a7d9b3620568658630cc08ed54bc111e352e311e23524c4cc672148225b8b6f99f536567448a9a89cbe56ea05fac7408446c30fc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d6efe56-b459-41b4-ab2d-3bacfa6d9492.vbs

Filesize
734B

MD5
c28e5fe9b83de75a94929c39414321a9

SHA1
98b1c41e8c38a8b20ab18ee7c1cb8dd65bda45c4

SHA256
6c895ac6856a1a11ea2a7e468aea354c9cb5bb3e38236a6f173afda8058fa739

SHA512
59983bc4a012f4045d4978941b6866f47dda8d764c8906de4f9b425b0aa4d3c974b5b80655a7cc31ee94f4c5c0fa4ef9f2a7d27bd6a986f0435ad80a2758519b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e2245ab-cd95-4c19-bd4f-b7e896ffd4da.vbs

Filesize
734B

MD5
cac493809932206f15503921706464a3

SHA1
36856be41ac6b199b43bbd781df0c5c8b45475da

SHA256
d557a7ff76efee14c80d637f37355fe390b070192ce9939f3d3e9ebe4ccca0d2

SHA512
1b6d5fc718e38d11bb51d7db732f81fc64c125d87fd102898ce523b2ab42224f8ada3ecf90403161e4c0fea39d51dedf648d3f83dbd2845616e3123bf164f2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3632e229-f3b9-488c-b89a-daff6713bfca.vbs

Filesize
734B

MD5
936851424d72b8e972dfece0a4c2af0d

SHA1
5c2cfd7d7ddff6959c1cb8771add986c625e8f10

SHA256
96ac727731270908a0118ef5ea19ea34cb2a53eafe4753ae76d2ebffe9fc82df

SHA512
a17f1c8dd088236977539e230987b22fc57291aba2f79d42aa6f290222f1eb97f104712b94550f15600365ee163c7353ff3518cb8ebb51d0c634f4ddb9ac56c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\42323b74-e5a8-4fe0-9b34-cbb7e1e38786.vbs

Filesize
734B

MD5
08cc5b2251b497cc4ff6f9c24cc22ed8

SHA1
4c9c1a8c3329609553374ac9a9a2fc57fbbdb992

SHA256
692ee429593d4ee41f9b3ffdaf31f92500deb2a9cc2277b0f0e6d267aef3b132

SHA512
ac01fcdcf6477d6689a076eac69626bb6d0fc17f5aaf12eacfeac4bf5bb4f219f63e3c02dfb01958fc323863d15eed3aa00e8189993cd46f3fc7a6a07becb6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\78d849f0-af3a-43c5-bdbc-96660c11caf5.vbs

Filesize
734B

MD5
15e910c146af58cb36881a4f0ec7cf83

SHA1
be6e8fd23e04c79c6c5c288f156bab18b20ad0a2

SHA256
9d54bc3be5b144fa9fd8600f5d5b9da7be3a5bce4f4d4571cdf7db702898e792

SHA512
8771c5f064ef644cfb26dcf15094ba0a9f3914eff46799ad973f773e88d2fc0db1a387404f9587a0c937677cbdd79d9ce537408d3accb4db805cf5a0dbf6a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dcde7d2-dbdb-4ebf-95ee-411f161f7ce9.vbs

Filesize
510B

MD5
fd99e42c98fdc8238d4e9d8341d08e59

SHA1
4087597fa06f5175fa262ea7119a38b480b30457

SHA256
97c6da789a5100d5b29cf0e96cb136a31e16e49c8a15e0bd0d39499f3f2f4a37

SHA512
f29b088529caf424913d2acb5bdcafceb3ca65d46becba0bd3f2040af2b1b36733b9489522d354e23175b2ccb2aa8602a75fb446788a41bd8e07b58e16243f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1f763b7-af53-4bf8-8894-0175e7439fe2.vbs

Filesize
734B

MD5
f023539ce0a8d89b81bbe557750c9c01

SHA1
5d3cb59de6e5a39c3583ea7fc409cbaa8a9e8e06

SHA256
4a30354367da22025f82cb6dd8f1f38d4a6e1ee80cc9d43404920439cc386d7d

SHA512
c5da85ca70448bda4cadf1178c0bff52d6c40ed0a3d4025f3a88b61be764a1f304ed0edb12f61cd7447f52cf4e7336cbad3a3f88de873fbe4b88fae0ded1e4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8f6e886-ade8-4d5e-a817-4182aa78a183.vbs

Filesize
734B

MD5
8d6b7f1691c28a798909f8c526c1dcba

SHA1
c2e58c60cb60ee52e1178f8b2dc50085fe687307

SHA256
5ab903c78fbf6d013030977e83a6655ed10dc03bf21ef2b1989ede2f3fa5de31

SHA512
35da537699f363ad4ffff238a7bdfe545f313e1115f6237e62edae0119fbf8e2d86b3b93e4cca2a52d720e9ac6a1b05c4b69075ad261d2379c7fae03a8b87fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c93063ef-8d65-434e-9cf2-76acd1e445f6.vbs

Filesize
734B

MD5
6ab08c1a98bbaad78fbdcd4a6d65416a

SHA1
de2418f62d979b058d5b09fa6e206bd91a486b22

SHA256
bc1b91ce4f58624a2e08634ed0145f87b1608a7b260fd61d0a6db2114ebf656b

SHA512
1d2446e9124a0f98f397a4078703d7d2bbddc44b52979edd0dbb2f33ec16993dc4b979df0bd19b75e25466b612d5e304e0533835d8ca655f0a60391cf6908093

Download Submit
C:\Users\Admin\AppData\Local\Temp\e04a334b-5f5e-4d9c-bc73-35576ac0509d.vbs

Filesize
734B

MD5
636ac7bed86979c1d02ae5fd38c1efef

SHA1
e1ce1ea25fe461c244efe9ba811810e517391692

SHA256
bd8d76ebe27857d154e627ccdd5b4203d2f534e1a4b6d7f3c7badef5ae733ed2

SHA512
1268feacd099d86ad23482ecdccf5e20e54fd0484fe238425de74086bc69f3d7471fac457480b9d8b9c666a105755fd5e21264d9a7a7e2e1ae80ce41e021eec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pOIrjwZGZX.bat

Filesize
223B

MD5
cb2bea03e88b01181cb354b0e1f3d87e

SHA1
74d79139f9ecd4aee5f4b16645e0a54773a5c3f7

SHA256
b1d0c4a1a79e075918a628bc04e4c7c49fee8c383f10a6c4bc8dc07d3cf10978

SHA512
9ae5154221d434e05774f53ef8d01da21f6ca4b8efd17e7e9bd40e6598e9912bc2c0177b3abfe2a02dcde13ba4778d7d665535edc4118fa7aa44ba308b9cf09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3FED.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc95ca2347abc6b44339ba154bb00a47

SHA1
e99e27c6577c7b62feafe4bdfd9d5cbaa05f4d37

SHA256
5f72c65bba8aca8cba23ea69bec2ffb2fa5ddf132b42f9bb7366a2587ec8fb4c

SHA512
af105ed013bae29a81530ae3dbef77ccc506d018fbb4d103528d0f10a7db2c137604e60e3161a60dace8b7eb5f1e0eb4a447302fc82e0965e8ed1d590b999044

Download Submit
memory/2072-205-0x0000000000FD0000-0x00000000014C4000-memory.dmp

Filesize
5.0MB

Download
memory/2360-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2360-13-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/2360-6-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2360-133-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2360-14-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/2360-16-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2360-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2360-200-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-15-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/2360-7-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2360-5-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2360-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2360-12-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/2360-3-0x000000001B420000-0x000000001B54E000-memory.dmp

Filesize
1.2MB

Download
memory/2360-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-1-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/2360-11-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2360-10-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2360-9-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2528-309-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/2556-165-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-294-0x00000000001F0000-0x00000000006E4000-memory.dmp

Filesize
5.0MB

Download
memory/2764-234-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2856-265-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2856-264-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/2864-219-0x0000000000FE0000-0x00000000014D4000-memory.dmp

Filesize
5.0MB

Download
memory/3012-249-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/3040-188-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download