dcrat | 76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Size

4.9MB
MD5

0f75edb514278b6e45793f61c9a91a50
SHA1

e767580f580339a4b7091fc105ffebfbb7d00f03
SHA256

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
SHA512

940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2068	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2068	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2992-3-0x000000001B370000-0x000000001B49E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1264	powershell.exe
2024	powershell.exe
2572	powershell.exe
2280	powershell.exe
1440	powershell.exe
3028	powershell.exe
2840	powershell.exe
2888	powershell.exe
2016	powershell.exe
2628	powershell.exe
2704	powershell.exe
2600	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2104	csrss.exe
3048	csrss.exe
2364	csrss.exe
2512	csrss.exe
1856	csrss.exe
1732	csrss.exe
1512	csrss.exe
2632	csrss.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.exe76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 12 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\b75386f1303e64	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCXC9A9.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\taskhost.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXD022.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXD69B.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\taskhost.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\56085415360792	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\886983d96e3d3e	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

Drops file in Windows directory 9 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

description	ioc	Process
File opened for modification	C:\Windows\en-US\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\en-US\886983d96e3d3e	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\Fonts\RCXD497.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\en-US\886983d96e3d3e	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\Fonts\WmiPrvSE.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\Fonts\24dbde2999530e	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\en-US\RCXC7A5.tmp	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File opened for modification	C:\Windows\Fonts\WmiPrvSE.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
File created	C:\Windows\en-US\csrss.exe	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1492	schtasks.exe
1748	schtasks.exe
2200	schtasks.exe
2724	schtasks.exe
1148	schtasks.exe
2388	schtasks.exe
2184	schtasks.exe
2848	schtasks.exe
1324	schtasks.exe
1988	schtasks.exe
1916	schtasks.exe
1780	schtasks.exe
2732	schtasks.exe
2680	schtasks.exe
2568	schtasks.exe
1356	schtasks.exe
1092	schtasks.exe
1084	schtasks.exe
1632	schtasks.exe
2720	schtasks.exe
1984	schtasks.exe
2592	schtasks.exe
404	schtasks.exe
296	schtasks.exe
2152	schtasks.exe
1340	schtasks.exe
2280	schtasks.exe
2252	schtasks.exe
3032	schtasks.exe
1380	schtasks.exe
1756	schtasks.exe
2080	schtasks.exe
836	schtasks.exe
2744	schtasks.exe
2676	schtasks.exe
2580	schtasks.exe
3008	schtasks.exe
688	schtasks.exe
2264	schtasks.exe
948	schtasks.exe
2760	schtasks.exe
2588	schtasks.exe
2840	schtasks.exe
1536	schtasks.exe
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
2840	powershell.exe
2600	powershell.exe
1440	powershell.exe
2016	powershell.exe
2572	powershell.exe
3028	powershell.exe
2888	powershell.exe
2628	powershell.exe
2024	powershell.exe
1264	powershell.exe
2280	powershell.exe
2704	powershell.exe
2104	csrss.exe
3048	csrss.exe
2364	csrss.exe
2512	csrss.exe
1856	csrss.exe
1732	csrss.exe
1512	csrss.exe
2632	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2104	csrss.exe
Token: SeDebugPrivilege	3048	csrss.exe
Token: SeDebugPrivilege	2364	csrss.exe
Token: SeDebugPrivilege	2512	csrss.exe
Token: SeDebugPrivilege	1856	csrss.exe
Token: SeDebugPrivilege	1732	csrss.exe
Token: SeDebugPrivilege	1512	csrss.exe
Token: SeDebugPrivilege	2632	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	Process	procid_target
PID 2992 wrote to memory of 2280	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	77
PID 2992 wrote to memory of 2280	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	77
PID 2992 wrote to memory of 2280	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	77
PID 2992 wrote to memory of 2628	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	78
PID 2992 wrote to memory of 2628	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	78
PID 2992 wrote to memory of 2628	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	78
PID 2992 wrote to memory of 1440	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	80
PID 2992 wrote to memory of 1440	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	80
PID 2992 wrote to memory of 1440	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	80
PID 2992 wrote to memory of 3028	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	82
PID 2992 wrote to memory of 3028	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	82
PID 2992 wrote to memory of 3028	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	82
PID 2992 wrote to memory of 2024	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	83
PID 2992 wrote to memory of 2024	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	83
PID 2992 wrote to memory of 2024	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	83
PID 2992 wrote to memory of 2704	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	85
PID 2992 wrote to memory of 2704	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	85
PID 2992 wrote to memory of 2704	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	85
PID 2992 wrote to memory of 2016	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	86
PID 2992 wrote to memory of 2016	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	86
PID 2992 wrote to memory of 2016	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	86
PID 2992 wrote to memory of 2600	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	88
PID 2992 wrote to memory of 2600	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	88
PID 2992 wrote to memory of 2600	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	88
PID 2992 wrote to memory of 2888	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	90
PID 2992 wrote to memory of 2888	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	90
PID 2992 wrote to memory of 2888	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	90
PID 2992 wrote to memory of 2840	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	91
PID 2992 wrote to memory of 2840	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	91
PID 2992 wrote to memory of 2840	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	91
PID 2992 wrote to memory of 1264	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	95
PID 2992 wrote to memory of 1264	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	95
PID 2992 wrote to memory of 1264	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	95
PID 2992 wrote to memory of 2572	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	96
PID 2992 wrote to memory of 2572	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	96
PID 2992 wrote to memory of 2572	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	96
PID 2992 wrote to memory of 2908	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	101
PID 2992 wrote to memory of 2908	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	101
PID 2992 wrote to memory of 2908	2992	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe	101
PID 2908 wrote to memory of 1340	2908	cmd.exe	103
PID 2908 wrote to memory of 1340	2908	cmd.exe	103
PID 2908 wrote to memory of 1340	2908	cmd.exe	103
PID 2908 wrote to memory of 2104	2908	cmd.exe	104
PID 2908 wrote to memory of 2104	2908	cmd.exe	104
PID 2908 wrote to memory of 2104	2908	cmd.exe	104
PID 2104 wrote to memory of 1688	2104	csrss.exe	105
PID 2104 wrote to memory of 1688	2104	csrss.exe	105
PID 2104 wrote to memory of 1688	2104	csrss.exe	105
PID 2104 wrote to memory of 2548	2104	csrss.exe	106
PID 2104 wrote to memory of 2548	2104	csrss.exe	106
PID 2104 wrote to memory of 2548	2104	csrss.exe	106
PID 1688 wrote to memory of 3048	1688	WScript.exe	107
PID 1688 wrote to memory of 3048	1688	WScript.exe	107
PID 1688 wrote to memory of 3048	1688	WScript.exe	107
PID 3048 wrote to memory of 1828	3048	csrss.exe	108
PID 3048 wrote to memory of 1828	3048	csrss.exe	108
PID 3048 wrote to memory of 1828	3048	csrss.exe	108
PID 3048 wrote to memory of 1324	3048	csrss.exe	109
PID 3048 wrote to memory of 1324	3048	csrss.exe	109
PID 3048 wrote to memory of 1324	3048	csrss.exe	109
PID 1828 wrote to memory of 2364	1828	WScript.exe	110
PID 1828 wrote to memory of 2364	1828	WScript.exe	110
PID 1828 wrote to memory of 2364	1828	WScript.exe	110
PID 2364 wrote to memory of 1816	2364	csrss.exe	111

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
"C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ULc4Icvci.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1340
- - C:\Users\Public\Downloads\csrss.exe
    "C:\Users\Public\Downloads\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2104
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f51f3597-e06f-422b-b15e-5d8ef78b1495.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3048
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c36570-c5cf-456f-8f5e-b7d791d23b91.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cf56d55-10ae-469b-a36c-5bbdb8fc56fc.vbs"
        8⤵
        
        PID:1816
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000aef8a-49ae-42db-bb71-887b90fba13c.vbs"
        10⤵
        
        PID:760
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\205a948d-0b3b-40a6-a40d-80e8c252b38a.vbs"
        12⤵
        
        PID:2900
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b62d04-f18a-4cc5-8bc9-62a2452f870a.vbs"
        14⤵
        
        PID:2916
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c88393e3-4c79-405d-9b61-4bbae0f2c6d6.vbs"
        16⤵
        
        PID:2584
        
        C:\Users\Public\Downloads\csrss.exe
        
        C:\Users\Public\Downloads\csrss.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6b5d8b2-03ea-4dae-8f97-60f6158a07eb.vbs"
        18⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e2dccb-076e-4c7e-8897-91b9cc0ff31a.vbs"
        18⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea09f719-7ba5-446d-9790-9c0dcfdada4b.vbs"
        16⤵
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f53172e-3d4e-49d3-b5b6-75d337d8fec2.vbs"
        14⤵
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96aa7993-f0ce-4379-a02f-43182608ee21.vbs"
        12⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bc41449-6ff0-4531-a779-0c5dca467305.vbs"
        10⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e131eb95-b901-4d77-ae68-3bc530101715.vbs"
        8⤵
        
        PID:1920
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1fae34a-0e18-467b-adcd-fd95b40e8ece.vbs"
        6⤵
        
        PID:1324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82bff004-6efd-4192-8bfe-073d7915e1ce.vbs"
      4⤵
      PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\dllhost.exe

Filesize
4.9MB

MD5
6e741d05d322b8b7835d202b3dda6560

SHA1
a34e5c360c7473d52d872d005c72e1196bec5027

SHA256
1a7d602f9820506cd2bb50682d12f4616043ad619e4722a1cfb54aa45ebad688

SHA512
2d4f27a77c5b79ea6ad85fef91c574b9104cfe88b4fd8082310b630d038fbd13c811b4a4ea8064294db0cc873f0114b90573ca91449dc92e8bb62eac927521d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\000aef8a-49ae-42db-bb71-887b90fba13c.vbs

Filesize
711B

MD5
407139c43a0ec025bde91f5834f1753d

SHA1
627c58002d843391d3dc3defcf14a97662082e13

SHA256
69cc1c6708883d52aa40ddc6297f6422101d709b9169802c74e688fe76d5bcf5

SHA512
60938c1647aa4ed0279ea85254ed2f501c1575c8b1cfecda6165123f089591dccc1da8fc54ea8d460b02a581692b553bccecc1f5238dc6b63693fa4c3dc51536

Download Submit
C:\Users\Admin\AppData\Local\Temp\205a948d-0b3b-40a6-a40d-80e8c252b38a.vbs

Filesize
711B

MD5
b77c7b0cd1b20e536b8c33193b7dc581

SHA1
3005a110eb07cf5bfc35fa11f7c46219fda85f9c

SHA256
f10dcc1e6d5fffc72209f81155fdcde640b8b51275953136842a876e2d0dfa00

SHA512
118cd5c0a24339135bafaf3c2ee71cb46659e77897c955108d3b892f506a6e5356042b2152d011692e28bc12a2e3161a8aa774905b339bcfe8cccbaef3bace00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cf56d55-10ae-469b-a36c-5bbdb8fc56fc.vbs

Filesize
711B

MD5
8347ded194a225f9895e58e145cf9594

SHA1
dd6c859386baa111bfc9c7c81cb05953310f4305

SHA256
69bed53c419009cfc1693fd54d0b04191a7e8222d6fd05eb5a65881aba3c3ef7

SHA512
49ab2bba02f34fc33fa3af1388f795c42ad15c8c8f64a75d3fd421b2747dbe629ef5363be5f502106c3d61459ca60c97b68e763602e681b998abb89787fb8fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\82bff004-6efd-4192-8bfe-073d7915e1ce.vbs

Filesize
487B

MD5
d864cb9771216005cee6822a24c9eae3

SHA1
b51d12d01407e56e7d6a60d3193150aff3617912

SHA256
e1c8f8aac9e97b19f85f44a3f7ccab721b0d27c61e8bda393dd15198bb7c3ece

SHA512
25332e85f4277b5372bee08ba4f13089c310d75ace4685f004eca694a1198058885504ea4abba97a97fea8f71d037b03e7d447f68dfe40f99f30b5ac46ac21de

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ULc4Icvci.bat

Filesize
200B

MD5
d77c9f34f0fe3271769eda3bc1d62464

SHA1
4554851686287f978db697d8221307be5ccadc06

SHA256
3f119f4fac6e8d7b7968a4c8742ec7d52bd2bd42ce98f5dc2a139d76688d1b51

SHA512
01890d7b419e5f61f26b4657b82dae196eb6baee7e88f6934ea85f85397f9d954e75a3c484b28535be5cc64de712b3597cbe1798c7e7f6f19bae62f0d425deb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1b62d04-f18a-4cc5-8bc9-62a2452f870a.vbs

Filesize
711B

MD5
7f1bc7f0b9e744a59879e2ef49b6e03d

SHA1
2be2476de3dbbf14f84d2542b868077f79ec838a

SHA256
d456c4768e64348bc29f825543c1a2e5e26bb411285f7a7245d9dca0eeee2e54

SHA512
a22cf84cc7df3978a99671be7be88443be6ce8b44cb586f5b540cf90c6d733fd2212e6ea12366a896ada85a6d73c7e5b32de51618f1864f4c102bbcdf2c15611

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6b5d8b2-03ea-4dae-8f97-60f6158a07eb.vbs

Filesize
711B

MD5
54bb466e3c1d152f7c40fd388ae9e5aa

SHA1
5ba8691ee48510d9b58be5f264fc9c0752844c06

SHA256
824b6869217a26e84807ce825dbcb8560e73f14e79cb1685eebd6625f24ac0ed

SHA512
2f22763ac4786dbd8c01a3e9a5b55ca055a45686285168ec914c6d72b56aae98fc7b2b9cf4f3abbcdd77a4b31ead5cca123b5a8c4c280765685ff6c1e80c8075

Download Submit
C:\Users\Admin\AppData\Local\Temp\c88393e3-4c79-405d-9b61-4bbae0f2c6d6.vbs

Filesize
711B

MD5
341dbf64c93ae83fe30886c0cfc730fa

SHA1
c604ae13e005f0e90187d885ae7f1618f9f67e71

SHA256
828730521b2bdfafe4e295d0c70698d98f054a020d0f7d960fa2e53cc099e107

SHA512
1c938b8c97cc6d6c77b61fa6455074dfb3fe72c488d24d2d9243183edfeada890204d2b45c3ba847ef7977eaa8362e5744d732249e8ebbdd4f3dc103551f58ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0c36570-c5cf-456f-8f5e-b7d791d23b91.vbs

Filesize
711B

MD5
e3abdc85a8afc46955f705cc74baa62f

SHA1
6422051673311e2534eb0f945bdb353f6f52258d

SHA256
c23ac88e619ad851cfbcf4129d931161c0fa21001286fb3082623f28490a83ce

SHA512
4d1ee48ceb6adec64d64e54163a8f3fc77ad553a71a0a67262bc19f26e6d7222e8f4fa57979ca83eb4771974dc1990230400c0f6d31cb88edea3efa93d74f3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f51f3597-e06f-422b-b15e-5d8ef78b1495.vbs

Filesize
711B

MD5
7df9cf04b428900f4da0a560a933565e

SHA1
a88a7fafc2a3f5f77c133d8f498cedfaeeba25b0

SHA256
aefc3acef2a9a31cd537c59ab87238c5bd415ff87595832c4f1b98cbd66310b4

SHA512
67a87affd91ad5cdd2e65f072682650f259763eaea29b9afffc6820d240a6ebba8a104d4c97b9fca2d348dd42e4298146c3d4d1099d24665d2b654ccbc690180

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11CC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
839bbed420dddae0b850aa407a8d29c1

SHA1
57d3be35c7b3cfcf7b3879f91b32a4dbe743e3e3

SHA256
964f653254caa9a9124d8bab2528593127619890d7de88289f9167e9833fcc0e

SHA512
3177b84f5a134b2e686b98760ff27bad0717e5ccb7e835b388d550dd2242b5eb5aafaf8aaeb413334b7ca861e243d6d7b007f7f7d33d2a335f72d81f12588fce

Download Submit
C:\Users\Default\Videos\csrss.exe

Filesize
4.9MB

MD5
0f75edb514278b6e45793f61c9a91a50

SHA1
e767580f580339a4b7091fc105ffebfbb7d00f03

SHA256
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c

SHA512
940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed

Download Submit
memory/1512-308-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/1732-293-0x0000000000A40000-0x0000000000F34000-memory.dmp

Filesize
5.0MB

Download
memory/1856-278-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2104-218-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2104-217-0x0000000000EC0000-0x00000000013B4000-memory.dmp

Filesize
5.0MB

Download
memory/2364-248-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download
memory/2512-263-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2600-166-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2632-323-0x0000000001090000-0x0000000001584000-memory.dmp

Filesize
5.0MB

Download
memory/2632-324-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2840-167-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2992-11-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/2992-6-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2992-145-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-136-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2992-16-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/2992-15-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2992-1-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/2992-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-14-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2992-13-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2992-12-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2992-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2992-9-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/2992-8-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2992-7-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2992-165-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2992-5-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2992-4-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/2992-3-0x000000001B370000-0x000000001B49E000-memory.dmp

Filesize
1.2MB

Download
memory/3048-233-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/3048-232-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download