dcrat | bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Size

4.9MB
MD5

a521b23108ca72a0a8e837bb4bc6c309
SHA1

a80623d726004b9c0086377c19f822a67af0c490
SHA256

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec
SHA512

33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:j

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2864	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2324-2-0x000000001B570000-0x000000001B69E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe
1656	powershell.exe
1496	powershell.exe
1460	powershell.exe
1208	powershell.exe
2332	powershell.exe
1880	powershell.exe
1664	powershell.exe
2780	powershell.exe
1152	powershell.exe
1032	powershell.exe
692	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2348	csrss.exe
3020	csrss.exe
1016	csrss.exe
2264	csrss.exe
2860	csrss.exe
2800	csrss.exe
1128	csrss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bee0cf49df1c26	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\RCXE66C.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1692	schtasks.exe
2872	schtasks.exe
2232	schtasks.exe
2952	schtasks.exe
3036	schtasks.exe
2848	schtasks.exe
2920	schtasks.exe
2804	schtasks.exe
2856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1664	powershell.exe
1460	powershell.exe
1880	powershell.exe
1496	powershell.exe
1032	powershell.exe
1152	powershell.exe
2332	powershell.exe
1656	powershell.exe
692	powershell.exe
1208	powershell.exe
2780	powershell.exe
1644	powershell.exe
2348	csrss.exe
3020	csrss.exe
1016	csrss.exe
2264	csrss.exe
2860	csrss.exe
2800	csrss.exe
1128	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2348	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	1016	csrss.exe
Token: SeDebugPrivilege	2264	csrss.exe
Token: SeDebugPrivilege	2860	csrss.exe
Token: SeDebugPrivilege	2800	csrss.exe
Token: SeDebugPrivilege	1128	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1496	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	41
PID 2324 wrote to memory of 1496	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	41
PID 2324 wrote to memory of 1496	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	41
PID 2324 wrote to memory of 1460	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	42
PID 2324 wrote to memory of 1460	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	42
PID 2324 wrote to memory of 1460	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	42
PID 2324 wrote to memory of 1664	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 2324 wrote to memory of 1664	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 2324 wrote to memory of 1664	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 2324 wrote to memory of 1880	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 2324 wrote to memory of 1880	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 2324 wrote to memory of 1880	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 2324 wrote to memory of 692	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 2324 wrote to memory of 692	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 2324 wrote to memory of 692	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 2324 wrote to memory of 1032	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 2324 wrote to memory of 1032	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 2324 wrote to memory of 1032	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 2324 wrote to memory of 1152	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 2324 wrote to memory of 1152	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 2324 wrote to memory of 1152	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 2324 wrote to memory of 2780	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 2324 wrote to memory of 2780	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 2324 wrote to memory of 2780	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 2324 wrote to memory of 1656	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 2324 wrote to memory of 1656	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 2324 wrote to memory of 1656	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 2324 wrote to memory of 1644	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 2324 wrote to memory of 1644	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 2324 wrote to memory of 1644	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 2324 wrote to memory of 2332	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 2324 wrote to memory of 2332	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 2324 wrote to memory of 2332	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 2324 wrote to memory of 1208	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	55
PID 2324 wrote to memory of 1208	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	55
PID 2324 wrote to memory of 1208	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	55
PID 2324 wrote to memory of 2348	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	65
PID 2324 wrote to memory of 2348	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	65
PID 2324 wrote to memory of 2348	2324	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	65
PID 2348 wrote to memory of 2844	2348	csrss.exe	66
PID 2348 wrote to memory of 2844	2348	csrss.exe	66
PID 2348 wrote to memory of 2844	2348	csrss.exe	66
PID 2348 wrote to memory of 2496	2348	csrss.exe	67
PID 2348 wrote to memory of 2496	2348	csrss.exe	67
PID 2348 wrote to memory of 2496	2348	csrss.exe	67
PID 2844 wrote to memory of 3020	2844	WScript.exe	68
PID 2844 wrote to memory of 3020	2844	WScript.exe	68
PID 2844 wrote to memory of 3020	2844	WScript.exe	68
PID 3020 wrote to memory of 2616	3020	csrss.exe	69
PID 3020 wrote to memory of 2616	3020	csrss.exe	69
PID 3020 wrote to memory of 2616	3020	csrss.exe	69
PID 3020 wrote to memory of 1884	3020	csrss.exe	70
PID 3020 wrote to memory of 1884	3020	csrss.exe	70
PID 3020 wrote to memory of 1884	3020	csrss.exe	70
PID 2616 wrote to memory of 1016	2616	WScript.exe	71
PID 2616 wrote to memory of 1016	2616	WScript.exe	71
PID 2616 wrote to memory of 1016	2616	WScript.exe	71
PID 1016 wrote to memory of 536	1016	csrss.exe	72
PID 1016 wrote to memory of 536	1016	csrss.exe	72
PID 1016 wrote to memory of 536	1016	csrss.exe	72
PID 1016 wrote to memory of 1352	1016	csrss.exe	73
PID 1016 wrote to memory of 1352	1016	csrss.exe	73
PID 1016 wrote to memory of 1352	1016	csrss.exe	73
PID 536 wrote to memory of 2264	536	WScript.exe	74

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
"C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Users\Default\csrss.exe
  "C:\Users\Default\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9e1273b-47f4-4eae-9e5c-e06c3dfec1fa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Default\csrss.exe
      C:\Users\Default\csrss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0be0e06-5ac8-42e2-be5d-e744c91f9760.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Users\Default\csrss.exe
        
        C:\Users\Default\csrss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbc1c22e-ad9d-4638-a008-9a1b1609aefe.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Default\csrss.exe
        
        C:\Users\Default\csrss.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46fe92b7-844d-432f-9fb7-3868b967e873.vbs"
        9⤵
        
        PID:1888
        
        C:\Users\Default\csrss.exe
        
        C:\Users\Default\csrss.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6fe586-5240-4eeb-8e7e-6e74ee18e329.vbs"
        11⤵
        
        PID:1708
        
        C:\Users\Default\csrss.exe
        
        C:\Users\Default\csrss.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c77f2eb-580c-480d-b5dd-e8981ee65f70.vbs"
        13⤵
        
        PID:2304
        
        C:\Users\Default\csrss.exe
        
        C:\Users\Default\csrss.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47992415-9fff-457a-b709-8d32f2f40f95.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\083d621f-8ed9-46ec-b0ba-0a70843f9c20.vbs"
        15⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de2ef33-5230-4724-a026-f1b56d708bf4.vbs"
        13⤵
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6abcd21-1849-477a-85ee-b3b2a003e48b.vbs"
        11⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b55ff2e5-54d3-4ab3-9cbc-98fed31b7602.vbs"
        9⤵
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56997623-e58c-4162-ae45-499468bdeb1c.vbs"
        7⤵
        
        PID:1352
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ae082d-2018-43a8-a707-5fdc01f8a9d7.vbs"
        5⤵
        
        PID:1884
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1058ae0f-a37b-4154-b5f9-a2f47798505c.vbs"
    3⤵
    PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1058ae0f-a37b-4154-b5f9-a2f47798505c.vbs

Filesize
478B

MD5
8adedcb38ab2008d7aab6ad64a93e04b

SHA1
06397f3e5941393c40f8b613e596d4c7270db0d5

SHA256
957150f6b15f8bce4c2f8ea9283d8bdb034a0416496992a046535d761b63f809

SHA512
835df9c17ab253b6d4d03056d4fae1950ea8f9f0699e5b880df1ccc23b5dcacf3c34869cbe5b5b6f76e0800e7b2ccd7bce3ca8aaebc63e61d4f45cbf65a26013

Download Submit
C:\Users\Admin\AppData\Local\Temp\46fe92b7-844d-432f-9fb7-3868b967e873.vbs

Filesize
702B

MD5
f55f2b94f42f52a56e12041b05454cbc

SHA1
d50939c38fa61af572b3f8a6b7a773c0e68bd0ed

SHA256
ee5be6c6e7c61113ef1079a52f58a24f50ff933a96c3b321168a139c9fb9e1a7

SHA512
23a28f9a138a5350a1d3131107e37770fc8a4f834e746e21e21478b85ef0bf3a5d9baffba8a45479f309a36bde89410552001548748978b5ee854c97351be6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\47992415-9fff-457a-b709-8d32f2f40f95.vbs

Filesize
702B

MD5
17b8c4e013239a1e59b42fb428522139

SHA1
1883fd5cef2adacc59e417a70c0f7e0a1723cea8

SHA256
a371052a0955f5523f41078222ab5328db53a0923bfdae62d38ce42a1b3c339a

SHA512
c1a9a6f0e32cd96dde828e8886f31c97ac77207614a70ae294495f98ed098d29da3507b9c9131de0eb364e8ed879d7de754bd38d33924e8572eb78b950082819

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c77f2eb-580c-480d-b5dd-e8981ee65f70.vbs

Filesize
702B

MD5
cfc77ed2c79b86d7d4842a557aaee7cf

SHA1
aa67130b72f32bae48dcd307a26c6f92d9243a39

SHA256
e32a9787eab3bc4bf86ce8521e90ce2cc16481c5aa5569b0c76ad6784c68ef55

SHA512
bad563abd78ede912ab5fa336aa6c3880be6ed1fcfe113cf21db64523d2f11588f526527a8011f5e00f823da0919648e002c4f469f96ddf3b374a20c591687ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbc1c22e-ad9d-4638-a008-9a1b1609aefe.vbs

Filesize
702B

MD5
ce3b627ea8d71b3faa3c089bb42f2239

SHA1
d771bf010d44b4e5b89ed06fd3d6f4b8980a6e27

SHA256
4c5ac8495e579f98c958cba19f70feab28867fae83f3082e09c769eaf9443939

SHA512
bd2386cee9598746719b2b6db33d59de60b7386aea4d5d6a12e0a624b1208d8330c6c3c2001dbf4dd7e88196f3489ff2993be68bd1c7cf40177f665d8b632fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0be0e06-5ac8-42e2-be5d-e744c91f9760.vbs

Filesize
702B

MD5
c4f73af7c7c9fea42a46e01c87181fbd

SHA1
5ffd6ebe8a4b044c0130adcabc27148b3aa43eae

SHA256
70298bbee3bc4d6f9bf6d656862fde0c245f7f49f36a0e89966c5248d56f491d

SHA512
f9825ab199286cdb9fb81c033b0275cfc8e2a953957cedecc33d349de84eb9f6b254a8f6232861491f2da4ee93e7488b0e9b2167a1df41c012a4ded14e82eeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\da6fe586-5240-4eeb-8e7e-6e74ee18e329.vbs

Filesize
702B

MD5
ef0b5109a5837f1b77097936ecd76c98

SHA1
62d2a70f7c7dc6bc8d4bbefd49c9fb3131f20cce

SHA256
dcc723ffb38c9b784d0252e9d7b9f9be97dbff29c9241d616a07f10974305842

SHA512
0fe6f3411b650734f1eb3fe99cf33694509bc184b19074200f8b16208ec0a8d6150375d1822c983b54795cb8721292ff3f42038a4ad51d25b42766a25c7736cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9e1273b-47f4-4eae-9e5c-e06c3dfec1fa.vbs

Filesize
702B

MD5
133050fe70df45effc09dd9e9345e2ff

SHA1
2f62dc8489edb3e9e227ef31de1188e27e788d10

SHA256
0ca2b7b9517e7414b3f7568486069269e3237dfd93a16cc44b5ce2e9df6e2d3f

SHA512
34f59f0fd7146f1fb40f5e19c709ed2f9daeef22b115f2ab2b2f653077d521107bf0dc5d0058587d409997d0cb5de53476056b91a66dec2d18a4a40784457bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp399.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGCDGBUBL6VFF7HCZMLL.temp

Filesize
7KB

MD5
c3bddd39f7772239b83ef377ce8edd6a

SHA1
ff43cf2c7645f4e9faa9406c4747f687ec81448d

SHA256
70ca71fc1526a1e96dafc199947b4013e81165ba32740aea3bc1ccd526d38409

SHA512
ab0fb8eb1005d255c45ac2b99c70cada8b0f238f0e29bbe92923fb611c9306b9b9f74bec066587c54e169f9d7cb15c54f1d11d65efc0c3f305b6b77eeb7da9e2

Download Submit
C:\Users\Default\csrss.exe

Filesize
4.9MB

MD5
a521b23108ca72a0a8e837bb4bc6c309

SHA1
a80623d726004b9c0086377c19f822a67af0c490

SHA256
bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

SHA512
33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e

Download Submit
memory/1016-141-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/1128-201-0x00000000009E0000-0x0000000000ED4000-memory.dmp

Filesize
5.0MB

Download
memory/1664-73-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/1664-74-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/2324-9-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/2324-10-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/2324-15-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2324-14-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2324-13-0x0000000000C60000-0x0000000000C6E000-memory.dmp

Filesize
56KB

Download
memory/2324-12-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/2324-16-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/2324-80-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-11-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2324-4-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2324-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/2324-2-0x000000001B570000-0x000000001B69E000-memory.dmp

Filesize
1.2MB

Download
memory/2324-8-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2324-7-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2324-6-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2324-5-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2324-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-76-0x0000000000E50000-0x0000000001344000-memory.dmp

Filesize
5.0MB

Download
memory/2800-185-0x0000000000900000-0x0000000000DF4000-memory.dmp

Filesize
5.0MB

Download
memory/2800-186-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2860-170-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/3020-126-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/3020-125-0x0000000001040000-0x0000000001534000-memory.dmp

Filesize
5.0MB

Download