dcrat | 66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Size

4.9MB
MD5

82301881d8e1da67e88f7a2de51323e3
SHA1

c9e273ef20eeb06b51919a37abaa4fa0b2f76ee5
SHA256

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c
SHA512

b7b66dbadcff31c0bbb9fd2eb33f1aadb30ec77e26c8db3dc275e3003bc2480dcc829b920a22e71668720e0852ef631746c4a0a0ec7294e47a010d9cc09197ad
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1812	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1812	schtasks.exe	28

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1628-2-0x000000001B820000-0x000000001B94E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1516	powershell.exe
1444	powershell.exe
1520	powershell.exe
2024	powershell.exe
1648	powershell.exe
1984	powershell.exe
1840	powershell.exe
464	powershell.exe
1012	powershell.exe
1920	powershell.exe
1692	powershell.exe
2268	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2776	csrss.exe
2560	csrss.exe
1700	csrss.exe
1004	csrss.exe
1292	csrss.exe
2496	csrss.exe
2216	csrss.exe
2036	csrss.exe
2576	csrss.exe
628	csrss.exe
1280	csrss.exe
764	csrss.exe
2704	csrss.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.exe66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 8 IoCs

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX91C6.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX95CF.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\5940a34987c991	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\c5b4cb5e9653cc	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

Drops file in Windows directory 4 IoCs

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\spoolsv.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellNew\spoolsv.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellNew\f3b6ecef712a24	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\ShellNew\RCX93CA.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3036	schtasks.exe
2120	schtasks.exe
2576	schtasks.exe
2868	schtasks.exe
2488	schtasks.exe
2812	schtasks.exe
2928	schtasks.exe
3060	schtasks.exe
2636	schtasks.exe
2732	schtasks.exe
2424	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
2024	powershell.exe
1840	powershell.exe
2268	powershell.exe
1444	powershell.exe
1984	powershell.exe
1516	powershell.exe
1648	powershell.exe
1012	powershell.exe
1920	powershell.exe
464	powershell.exe
1692	powershell.exe
1520	powershell.exe
2776	csrss.exe
2560	csrss.exe
1700	csrss.exe
1004	csrss.exe
1292	csrss.exe
2496	csrss.exe
2216	csrss.exe
2036	csrss.exe
2576	csrss.exe
628	csrss.exe
1280	csrss.exe
764	csrss.exe
2704	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2560	csrss.exe
Token: SeDebugPrivilege	1700	csrss.exe
Token: SeDebugPrivilege	1004	csrss.exe
Token: SeDebugPrivilege	1292	csrss.exe
Token: SeDebugPrivilege	2496	csrss.exe
Token: SeDebugPrivilege	2216	csrss.exe
Token: SeDebugPrivilege	2036	csrss.exe
Token: SeDebugPrivilege	2576	csrss.exe
Token: SeDebugPrivilege	628	csrss.exe
Token: SeDebugPrivilege	1280	csrss.exe
Token: SeDebugPrivilege	764	csrss.exe
Token: SeDebugPrivilege	2704	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	Process	procid_target
PID 1628 wrote to memory of 1516	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	41
PID 1628 wrote to memory of 1516	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	41
PID 1628 wrote to memory of 1516	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	41
PID 1628 wrote to memory of 1444	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	42
PID 1628 wrote to memory of 1444	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	42
PID 1628 wrote to memory of 1444	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	42
PID 1628 wrote to memory of 464	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	43
PID 1628 wrote to memory of 464	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	43
PID 1628 wrote to memory of 464	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	43
PID 1628 wrote to memory of 1012	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	44
PID 1628 wrote to memory of 1012	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	44
PID 1628 wrote to memory of 1012	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	44
PID 1628 wrote to memory of 1520	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	45
PID 1628 wrote to memory of 1520	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	45
PID 1628 wrote to memory of 1520	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	45
PID 1628 wrote to memory of 1920	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	46
PID 1628 wrote to memory of 1920	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	46
PID 1628 wrote to memory of 1920	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	46
PID 1628 wrote to memory of 1692	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	47
PID 1628 wrote to memory of 1692	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	47
PID 1628 wrote to memory of 1692	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	47
PID 1628 wrote to memory of 2024	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	48
PID 1628 wrote to memory of 2024	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	48
PID 1628 wrote to memory of 2024	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	48
PID 1628 wrote to memory of 2268	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	51
PID 1628 wrote to memory of 2268	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	51
PID 1628 wrote to memory of 2268	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	51
PID 1628 wrote to memory of 1984	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	53
PID 1628 wrote to memory of 1984	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	53
PID 1628 wrote to memory of 1984	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	53
PID 1628 wrote to memory of 1840	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	54
PID 1628 wrote to memory of 1840	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	54
PID 1628 wrote to memory of 1840	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	54
PID 1628 wrote to memory of 1648	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	55
PID 1628 wrote to memory of 1648	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	55
PID 1628 wrote to memory of 1648	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	55
PID 1628 wrote to memory of 2776	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	65
PID 1628 wrote to memory of 2776	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	65
PID 1628 wrote to memory of 2776	1628	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	65
PID 2776 wrote to memory of 2072	2776	csrss.exe	66
PID 2776 wrote to memory of 2072	2776	csrss.exe	66
PID 2776 wrote to memory of 2072	2776	csrss.exe	66
PID 2776 wrote to memory of 2516	2776	csrss.exe	67
PID 2776 wrote to memory of 2516	2776	csrss.exe	67
PID 2776 wrote to memory of 2516	2776	csrss.exe	67
PID 2072 wrote to memory of 2560	2072	WScript.exe	68
PID 2072 wrote to memory of 2560	2072	WScript.exe	68
PID 2072 wrote to memory of 2560	2072	WScript.exe	68
PID 2560 wrote to memory of 1364	2560	csrss.exe	71
PID 2560 wrote to memory of 1364	2560	csrss.exe	71
PID 2560 wrote to memory of 1364	2560	csrss.exe	71
PID 2560 wrote to memory of 1544	2560	csrss.exe	72
PID 2560 wrote to memory of 1544	2560	csrss.exe	72
PID 2560 wrote to memory of 1544	2560	csrss.exe	72
PID 1364 wrote to memory of 1700	1364	WScript.exe	73
PID 1364 wrote to memory of 1700	1364	WScript.exe	73
PID 1364 wrote to memory of 1700	1364	WScript.exe	73
PID 1700 wrote to memory of 1652	1700	csrss.exe	74
PID 1700 wrote to memory of 1652	1700	csrss.exe	74
PID 1700 wrote to memory of 1652	1700	csrss.exe	74
PID 1700 wrote to memory of 2796	1700	csrss.exe	75
PID 1700 wrote to memory of 2796	1700	csrss.exe	75
PID 1700 wrote to memory of 2796	1700	csrss.exe	75
PID 1652 wrote to memory of 1004	1652	WScript.exe	76

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
"C:\Users\Admin\AppData\Local\Temp\66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00dbd02b-78df-4cfd-aba2-887eeb81f8e0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2560
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a1bed0-15e1-471a-b28a-d1c7b512c4ea.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e03f3d78-4422-459f-b283-6ec735cb35f7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e05ec208-d38e-452c-a149-09bccf40e4ff.vbs"
        9⤵
        
        PID:2940
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4838994-2e22-4b1d-8b6e-f4bd08f11268.vbs"
        11⤵
        
        PID:1592
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fa2d7ba-a191-45d8-b6d6-3e6e49dfcbbf.vbs"
        13⤵
        
        PID:1148
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69bb4d68-81b2-4c50-873a-8ba496f008c4.vbs"
        15⤵
        
        PID:1852
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4c62b16-f687-4349-a94d-f577357e1ace.vbs"
        17⤵
        
        PID:2040
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\076841c2-135f-47c8-9e73-4fd72676b1ea.vbs"
        19⤵
        
        PID:1292
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee41563c-d9d9-41ac-9c28-f9a90c0d1144.vbs"
        21⤵
        
        PID:2948
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbd601f8-9aff-45df-b30f-412d134bf588.vbs"
        23⤵
        
        PID:920
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82081c70-0459-4796-b6dc-bca5ac0ab647.vbs"
        25⤵
        
        PID:1284
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe"
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fb1d594-a27d-4a8b-9931-fb87a549345b.vbs"
        27⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f879b631-8170-41b1-a40b-7b5806630e83.vbs"
        27⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf229e4c-a8dc-471e-a528-904ebb83dda4.vbs"
        25⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c474477d-c12b-4e25-bafb-f7073fe4ad1d.vbs"
        23⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87beb0fc-c74a-4c85-bea9-7009e9146b97.vbs"
        21⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af9857c-1d0a-460d-bb21-6a4cd5131e01.vbs"
        19⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14df977b-1e7d-4439-802c-ad618c188b27.vbs"
        17⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\847246b6-37da-4588-8bf5-5afce76ae4bc.vbs"
        15⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca28c47a-8b7a-45c4-bb9d-c34ebe395731.vbs"
        13⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c97efaae-63ed-473c-9440-4353a6c5aef0.vbs"
        11⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8d22110-3a62-420a-b059-ddc28bcdfcd7.vbs"
        9⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2315d6db-5eea-4ecc-9e94-baf11a126731.vbs"
        7⤵
        
        PID:2796
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e774f664-8286-42e0-9cf4-7d5b37808604.vbs"
        5⤵
        
        PID:1544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fce6941-1b9d-4942-9d4d-f55e5cd3913a.vbs"
    3⤵
    PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
4.9MB

MD5
82301881d8e1da67e88f7a2de51323e3

SHA1
c9e273ef20eeb06b51919a37abaa4fa0b2f76ee5

SHA256
66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c

SHA512
b7b66dbadcff31c0bbb9fd2eb33f1aadb30ec77e26c8db3dc275e3003bc2480dcc829b920a22e71668720e0852ef631746c4a0a0ec7294e47a010d9cc09197ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\00dbd02b-78df-4cfd-aba2-887eeb81f8e0.vbs

Filesize
748B

MD5
15b39ac239c7466d7744069d3f28b450

SHA1
a5048c6e4d042e3abe669ed3fc3ab469fe8453bd

SHA256
248ff292983d474cc0f90dbcf9200d70c77a2429c5175bde3583b2c1335631eb

SHA512
885ce6b5fe396ef629b47358f34ed7c93a646e1fd6929b6c700d403648f0078ebccbc37f042fb44399f2ccf0db897cbb81b20ca8c343489e527cfaba3c01d74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\076841c2-135f-47c8-9e73-4fd72676b1ea.vbs

Filesize
748B

MD5
e802419fdc373bcced6d382451cda61a

SHA1
4876c5561f457e428c0b84daafc33c803c90d2c6

SHA256
e8b2e29ad58d22a21a37fc8080be670d2ce4dba24c0160e2f1f2530d8c78c86b

SHA512
6a08d00f8c94aab35391a10fc7257e671b4cdc30936e844f9151221e4c98515687841cc45ed707ca37b7d745dd380c8a29b91fed3a08e81a6005b815cb1c0488

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fa2d7ba-a191-45d8-b6d6-3e6e49dfcbbf.vbs

Filesize
748B

MD5
6a802785f793a92690c9c9d40867e959

SHA1
f03a131252d90e912ebd074880c4623120f238c9

SHA256
a8c46eb2a57571c3104d75facc673b30ba11bc577a843c223befff013d3d559a

SHA512
b482412ed4b36baf4ce9a4af4b6ffd5931c8a1d068e9787ee2c0f5ed9ef888bcb8da06df35e3732e6006cade247331259fdc158adee2f9cccb423d0714f1f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fb1d594-a27d-4a8b-9931-fb87a549345b.vbs

Filesize
748B

MD5
69487b221ee98ef7608142747e173f97

SHA1
b9541df4c014e73e9b33966560d50a8468d0865f

SHA256
1ae5697bbbbee028c7a4187c50daff7cb192d0549dac5f2f005fde048dcb8a3c

SHA512
b85d1c47d2b67ccabd6a81b691fb15576b9e11b0902bc231e5b66c1b671932587aff919172ebb7ac46e7d815209300f0817b54a49ea2aabcffb4ee0a555c86d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a1bed0-15e1-471a-b28a-d1c7b512c4ea.vbs

Filesize
748B

MD5
ef33e8ac4dc607175ca3a753da3e4668

SHA1
5a9d85bfd57e38ce7e33b9bc1a7f70cf2fd2b410

SHA256
3443d23d7e5153bb1d32399119d45f4e0f074a9d49066bccd998455b407fc5d3

SHA512
b2bf3eca634b760568ca3bfdd29fc6895b214b7f2f34486b61e716f5529076240c77708119ef57d16ee2071daa0c39d6ccc336fa9ad832ac5b1633006dcd9ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bb4d68-81b2-4c50-873a-8ba496f008c4.vbs

Filesize
748B

MD5
95a19791a4b1f1506bc1cd82b814855e

SHA1
1539b376bfd60a78ad69903494321a30099f2930

SHA256
b178d73fc284e4b1482a64850ed06a00cad610136d8273d0fc3ba1ce208bcc8e

SHA512
3473db9580ccfa80afae882071dee1ee533733c1fca7c7ceb5c62b05f058431034edb23ac5eb7a326d11f75436d4a69240932f3c66fd0ca7621007f4af5040c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\82081c70-0459-4796-b6dc-bca5ac0ab647.vbs

Filesize
747B

MD5
55a51104ba510d53f8f969f4a5314f9e

SHA1
b0b4a12c8299f46a7b98b9274512b50056fca1a2

SHA256
1f7da1f4e85cabb5551edc64084f53b6ebddac07135541a197d5af2b118b1a07

SHA512
8b54c5d335a34a290cd905be0498757b9348ccac8c5e9339c864517c2326fc1ba3d8f64889b7995406fdb73604bb273cd43cfe4bcf499ea8f7faaebb31628464

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fce6941-1b9d-4942-9d4d-f55e5cd3913a.vbs

Filesize
524B

MD5
f1b71a05d8d9823170b2bedecfb9910f

SHA1
db4d357a67f7d36fc66c3816b53fa30d8a05de1d

SHA256
6dcaa7653b779e9539c03e30b4cb35c97867e15425e6252893640fa073c6abb1

SHA512
676e6b957160fcab4f32f023ad6bd7b90286765f192f14aa6e6079afff58ad2297ba195f76721cdc2d4907f001767463236ee785ed0de89fa089919cfe370396

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbd601f8-9aff-45df-b30f-412d134bf588.vbs

Filesize
748B

MD5
4be8d0f3504427e394cc08787fa93bef

SHA1
fc271ed5a5f4a497832aa4efd1c4c677dcd908ec

SHA256
c99a39b05ed64bbe018938fa21573809e5130779aaf86d9982390bf17df1baa8

SHA512
7a7e3e46e184716ca63586628829e31fba371762ab5b1e3d2dd39c72354b85113eada7bd652227d75c74fe2a6d90f5c36148f24d10c66289f2ad58bf9d08c772

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c62b16-f687-4349-a94d-f577357e1ace.vbs

Filesize
748B

MD5
ac3b555ffad5ca56259d51426c8fdded

SHA1
e6ff59bf1dba8f449779363f00b6196a0a0eb695

SHA256
f5db4436cf35fb9e0492b261cac6835776e1c77d36c66223e00d7d0711b772b6

SHA512
7d299b0d3b023166174d4fa1ab50cae30fc395fabc5062b2b32035a2d6e00716f2691576f17b3b2570073a4973bdde0e1b9caa5bd1645f201e9feceffd4dd551

Download Submit
C:\Users\Admin\AppData\Local\Temp\e03f3d78-4422-459f-b283-6ec735cb35f7.vbs

Filesize
748B

MD5
05c1c28b4c9faca24d0a536913786b5e

SHA1
a427375f484836f82451598992723392708ef561

SHA256
8a3a12b94f3795a49f7dc7d21e9aa627736f4646504b8b595dda0c46d480b18f

SHA512
0894c577f0f8a1cafaa17ef41bd5ac5747ec81f09b00725a2ca79f42f2856b19fb931763f23f82c91a44bee3c1867f2c1757064b1ab7beeb7c991101cbb55a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\e05ec208-d38e-452c-a149-09bccf40e4ff.vbs

Filesize
748B

MD5
3d5d99c8edbe3496c15790f12f6cb0ed

SHA1
da261addffc0d94cd8f5a6f63609aff3b12cac9e

SHA256
6886ede755f6a4250f00e2825cc2ba8ecf7fc26d902eb0e8f4732e6671e05b63

SHA512
0ddfdc68237978e437d58e7f558ae50b0b01f728ec43148766eacf086ccbe76423e293b69690fce7114c42f965243d21a441e5360fc86dbf2a70249bb0f35fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4838994-2e22-4b1d-8b6e-f4bd08f11268.vbs

Filesize
748B

MD5
580cbfaa0bb50cac200104c15e5ae1c5

SHA1
e8baff9d21107f8e63493902662bf63346339a2f

SHA256
a5ec229a959b3a4a74a2f3497caba666bc2635d8cd3dc2eed13e2b46bb54499a

SHA512
a2a898a0aeb74bf7f3c2f1dbadea9375ee6003490972fff83cf67cd8013eab4fea12ab1cefc93142b0cb4431a357a86bbc2a77c30e2ff1ae53a4ef0502982f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee41563c-d9d9-41ac-9c28-f9a90c0d1144.vbs

Filesize
747B

MD5
2560c902d47b632a19499c00bc8875c2

SHA1
1c4e09da2299deeba1e7aeacb8464a8f22a49f98

SHA256
b341d38b4afd680aa7f519f8475964eeae9ab22902c76399be9dab0fa3effe32

SHA512
151a7246034999eaefbec225c19578fe8491d22576720c965ae94d94945ae18c57e7e9b120e63e4c107fa07a115bb1082e48d76b29f9c2584035b46a6a42770b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA573.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
61a2ef54de74875b54749e328bdc2bc1

SHA1
3a9f5e9516488d42f0d82db0d5ead070dd8e1340

SHA256
d2c1a478321a0fbbd34a480839ed7d729a5e2a379215a1e0f1b442df12357aad

SHA512
607d7bbb72cca2c1d511ec3f0c50c5d777d925b131981a3850156020259fb0b903a168e0659ac10d15790a45469b79cf0490549bae7f7e6933a2b406bdd01eec

Download Submit
memory/628-259-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/1280-274-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/1628-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/1628-3-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/1628-1-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/1628-8-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1628-2-0x000000001B820000-0x000000001B94E000-memory.dmp

Filesize
1.2MB

Download
memory/1628-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1628-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1628-63-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1628-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1628-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1628-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1628-0-0x000007FEF5423000-0x000007FEF5424000-memory.dmp

Filesize
4KB

Download
memory/1628-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1628-10-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1628-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1628-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1700-155-0x00000000013D0000-0x00000000018C4000-memory.dmp

Filesize
5.0MB

Download
memory/2024-109-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2024-85-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2036-228-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2036-227-0x0000000000A20000-0x0000000000F14000-memory.dmp

Filesize
5.0MB

Download
memory/2216-212-0x0000000000360000-0x0000000000854000-memory.dmp

Filesize
5.0MB

Download
memory/2560-139-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download
memory/2560-140-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2576-244-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2576-243-0x0000000000A60000-0x0000000000F54000-memory.dmp

Filesize
5.0MB

Download
memory/2704-303-0x00000000013B0000-0x00000000013C2000-memory.dmp

Filesize
72KB

Download
memory/2776-62-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2776-120-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download