dcrat | 19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Size

4.9MB
MD5

25496308c3b681092d00992320e7dcf0
SHA1

f016822cb907ffbd1aa6ffaf9b4e00dfc789e7bf
SHA256

19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f
SHA512

811433d23078a129180f7067aa9c9d904e0c001b8adb9876bcaee096014814d57faf457c4d3a8f20ca05b0d4c08d4a311599bc1cfe57db478ee5b5282196038e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2808	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2808	schtasks.exe	31

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2688-3-0x000000001B5D0000-0x000000001B6FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2768	powershell.exe
2820	powershell.exe
2720	powershell.exe
2612	powershell.exe
2260	powershell.exe
2456	powershell.exe
2752	powershell.exe
2992	powershell.exe
2632	powershell.exe
2620	powershell.exe
2776	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1544	spoolsv.exe
2400	spoolsv.exe
3032	spoolsv.exe
1760	spoolsv.exe
1084	spoolsv.exe
2928	spoolsv.exe
2588	spoolsv.exe
3060	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\WmiPrvSE.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\System.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\27d1bcfc3c54e0	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows NT\6ccacd8608530f	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXE1DC.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\System.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows NT\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\24dbde2999530e	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows NT\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\WmiPrvSE.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCXEB33.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows NT\RCXEF3A.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\RCXF13E.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\AppPatch\6ccacd8608530f	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\AppPatch\RCXE6BE.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\AppPatch\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\L2Schemas\taskhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\L2Schemas\f3b6ecef712a24	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\L2Schemas\RCXDA0B.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\L2Schemas\b75386f1303e64	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\AppPatch\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXF3AF.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\System.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\L2Schemas\taskhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\L2Schemas\spoolsv.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\L2Schemas\spoolsv.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1560	schtasks.exe
1124	schtasks.exe
1048	schtasks.exe
2416	schtasks.exe
2124	schtasks.exe
2196	schtasks.exe
676	schtasks.exe
2080	schtasks.exe
1076	schtasks.exe
2608	schtasks.exe
1080	schtasks.exe
1808	schtasks.exe
1768	schtasks.exe
1984	schtasks.exe
1920	schtasks.exe
2744	schtasks.exe
2876	schtasks.exe
2376	schtasks.exe
2984	schtasks.exe
2624	schtasks.exe
2932	schtasks.exe
2472	schtasks.exe
2320	schtasks.exe
2336	schtasks.exe
2972	schtasks.exe
3020	schtasks.exe
2240	schtasks.exe
2556	schtasks.exe
2844	schtasks.exe
2640	schtasks.exe
1600	schtasks.exe
2732	schtasks.exe
2676	schtasks.exe
2144	schtasks.exe
2988	schtasks.exe
1200	schtasks.exe
908	schtasks.exe
2904	schtasks.exe
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
2612	powershell.exe
2752	powershell.exe
2260	powershell.exe
2620	powershell.exe
2632	powershell.exe
2456	powershell.exe
2992	powershell.exe
2776	powershell.exe
2768	powershell.exe
2720	powershell.exe
2756	powershell.exe
2820	powershell.exe
1544	spoolsv.exe
2400	spoolsv.exe
3032	spoolsv.exe
1760	spoolsv.exe
1084	spoolsv.exe
2928	spoolsv.exe
2588	spoolsv.exe
3060	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1544	spoolsv.exe
Token: SeDebugPrivilege	2400	spoolsv.exe
Token: SeDebugPrivilege	3032	spoolsv.exe
Token: SeDebugPrivilege	1760	spoolsv.exe
Token: SeDebugPrivilege	1084	spoolsv.exe
Token: SeDebugPrivilege	2928	spoolsv.exe
Token: SeDebugPrivilege	2588	spoolsv.exe
Token: SeDebugPrivilege	3060	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2260	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	71
PID 2688 wrote to memory of 2260	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	71
PID 2688 wrote to memory of 2260	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	71
PID 2688 wrote to memory of 2456	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	72
PID 2688 wrote to memory of 2456	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	72
PID 2688 wrote to memory of 2456	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	72
PID 2688 wrote to memory of 2756	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	74
PID 2688 wrote to memory of 2756	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	74
PID 2688 wrote to memory of 2756	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	74
PID 2688 wrote to memory of 2752	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	75
PID 2688 wrote to memory of 2752	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	75
PID 2688 wrote to memory of 2752	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	75
PID 2688 wrote to memory of 2612	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	76
PID 2688 wrote to memory of 2612	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	76
PID 2688 wrote to memory of 2612	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	76
PID 2688 wrote to memory of 2768	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	77
PID 2688 wrote to memory of 2768	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	77
PID 2688 wrote to memory of 2768	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	77
PID 2688 wrote to memory of 2820	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	78
PID 2688 wrote to memory of 2820	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	78
PID 2688 wrote to memory of 2820	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	78
PID 2688 wrote to memory of 2992	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	79
PID 2688 wrote to memory of 2992	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	79
PID 2688 wrote to memory of 2992	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	79
PID 2688 wrote to memory of 2632	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	80
PID 2688 wrote to memory of 2632	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	80
PID 2688 wrote to memory of 2632	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	80
PID 2688 wrote to memory of 2776	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	81
PID 2688 wrote to memory of 2776	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	81
PID 2688 wrote to memory of 2776	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	81
PID 2688 wrote to memory of 2720	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	82
PID 2688 wrote to memory of 2720	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	82
PID 2688 wrote to memory of 2720	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	82
PID 2688 wrote to memory of 2620	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	83
PID 2688 wrote to memory of 2620	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	83
PID 2688 wrote to memory of 2620	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	83
PID 2688 wrote to memory of 2908	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	95
PID 2688 wrote to memory of 2908	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	95
PID 2688 wrote to memory of 2908	2688	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	95
PID 2908 wrote to memory of 2644	2908	cmd.exe	97
PID 2908 wrote to memory of 2644	2908	cmd.exe	97
PID 2908 wrote to memory of 2644	2908	cmd.exe	97
PID 2908 wrote to memory of 1544	2908	cmd.exe	98
PID 2908 wrote to memory of 1544	2908	cmd.exe	98
PID 2908 wrote to memory of 1544	2908	cmd.exe	98
PID 1544 wrote to memory of 2388	1544	spoolsv.exe	99
PID 1544 wrote to memory of 2388	1544	spoolsv.exe	99
PID 1544 wrote to memory of 2388	1544	spoolsv.exe	99
PID 1544 wrote to memory of 1580	1544	spoolsv.exe	100
PID 1544 wrote to memory of 1580	1544	spoolsv.exe	100
PID 1544 wrote to memory of 1580	1544	spoolsv.exe	100
PID 2388 wrote to memory of 2400	2388	WScript.exe	101
PID 2388 wrote to memory of 2400	2388	WScript.exe	101
PID 2388 wrote to memory of 2400	2388	WScript.exe	101
PID 2400 wrote to memory of 1048	2400	spoolsv.exe	102
PID 2400 wrote to memory of 1048	2400	spoolsv.exe	102
PID 2400 wrote to memory of 1048	2400	spoolsv.exe	102
PID 2400 wrote to memory of 836	2400	spoolsv.exe	103
PID 2400 wrote to memory of 836	2400	spoolsv.exe	103
PID 2400 wrote to memory of 836	2400	spoolsv.exe	103
PID 1048 wrote to memory of 3032	1048	WScript.exe	104
PID 1048 wrote to memory of 3032	1048	WScript.exe	104
PID 1048 wrote to memory of 3032	1048	WScript.exe	104
PID 3032 wrote to memory of 2888	3032	spoolsv.exe	105

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
"C:\Users\Admin\AppData\Local\Temp\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fScxiynZx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2644
- - C:\Windows\L2Schemas\spoolsv.exe
    "C:\Windows\L2Schemas\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1544
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912dcd35-06aa-416d-ae76-5a352812e977.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e348be5-2a63-415b-ba35-7fae3dc585bf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd688a49-680f-4e75-89d3-ac244cc654c9.vbs"
        8⤵
        
        PID:2888
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cef4987-21e6-4a3d-9ca3-057cee09242f.vbs"
        10⤵
        
        PID:2156
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e2a5e68-e0cb-4850-8c67-f52e45a4539b.vbs"
        12⤵
        
        PID:2308
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c507990-fa92-4ed6-a1fa-23cbf6bb6277.vbs"
        14⤵
        
        PID:1124
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23d1ff18-cd35-454b-be33-52f075638e46.vbs"
        16⤵
        
        PID:536
        
        C:\Windows\L2Schemas\spoolsv.exe
        
        C:\Windows\L2Schemas\spoolsv.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e80a77-cb23-467a-9784-e11f341a2e21.vbs"
        18⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a7d993f-c00b-4e4c-95fc-3c0647db6609.vbs"
        18⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5765b542-2ad9-40f0-90e2-f93542d1a4ab.vbs"
        16⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdd602ee-f441-4bd7-8b0c-0ee1948d54b2.vbs"
        14⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e20f8705-aaec-491e-81cd-72347767b5be.vbs"
        12⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19fdb4e-bbed-4571-b213-53c57dee20d6.vbs"
        10⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71059be-a112-47c7-9f9f-508097a935ac.vbs"
        8⤵
        
        PID:2500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d3e56c-4200-4355-8274-79b24f224769.vbs"
        6⤵
        
        PID:836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\228605e0-6e85-4d23-a976-56bb5746cf8f.vbs"
      4⤵
      PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Stationery\RCXEB33.tmp

Filesize
4.9MB

MD5
d3494a648e41d1733e9ec5b713b6236e

SHA1
b74ee0d5a4b92263a34cd3cbfb83f4e1d99b9a09

SHA256
410c0f95a6093781f89e433476e4170f421b4cdea59949443485e6a8670608e7

SHA512
f0d67cca200730175d63a67ad7bc268f3402bd9571203cdedc74c84e24f7393ff8bafcccacc2bd52d0a98bfffb41dcb218a8ab7563326a9e66b4f138fdc909f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\228605e0-6e85-4d23-a976-56bb5746cf8f.vbs

Filesize
484B

MD5
011485311fdd5878358bfb24e9e420c1

SHA1
a1dd86f808940bf6d325ffee8e72eab9806ccb10

SHA256
1b07696297f00a423deb61807053abe419bb9f0933767578ef284f1994d28bd9

SHA512
0ef338e274bdf809dccf0e435c16598bd34d1dd8c8f2971e41fc0cab9020c9d2f0fbd4795be6897b5f56d40dade056b42a435cd686210fedac93a3f703b8536d

Download Submit
C:\Users\Admin\AppData\Local\Temp\23d1ff18-cd35-454b-be33-52f075638e46.vbs

Filesize
708B

MD5
a61f61c9ffe83f6fb9bbeeea40a2ce04

SHA1
93c9af873019baaf7270475d69cbff9b9f014566

SHA256
c0a6a2f7c006f540ac79843bdaab0a312e5453a71c7ccf7860ddf6b23c729e54

SHA512
66d7f2f726b5a02de01d0a23d06c088f822bcd3209bb1049a6e1e9bfb61524c53d712fe080e83a92e5853a0e1b3ce58f5b8fde4770eb2b5c96ccd7e48727ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\30e80a77-cb23-467a-9784-e11f341a2e21.vbs

Filesize
708B

MD5
9edc18645dcd6be83224fa159d666217

SHA1
9fa6d53dd6cef1d7691bc4ee9ad787ba103561f5

SHA256
10fc6eaf18385ef8f49f923fd2f9e80b5b8064d1cf35bd1e1b729996a16ab8c3

SHA512
7ffe8c5280458f232977444ae51064088544089386f1b978f7c874031d7a881e7b3ee92f58f5daa464328019f16ec3f6b495b864d533e88b17af6228a37661e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fScxiynZx.bat

Filesize
197B

MD5
9c46623d41725030531fea9d6ea20ee0

SHA1
a945397d536501e90ea7becdff157e93681f059d

SHA256
580e8e08b02b55127fd91836841fd0ea0c196618f4df96ed40e6b7bfa5a5285b

SHA512
b95d85c2d93a7e262c6b1ca51e94371de8ce8a71f7366121de6985c1175d97fe1bf50b4da47b1a79b53256887f190b980add7211a81d5cf1748f262284904b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c507990-fa92-4ed6-a1fa-23cbf6bb6277.vbs

Filesize
708B

MD5
00828bccc0cfebc9f920627a61cbcfe8

SHA1
1ab92c8030d5711b652b650ef4ac5c2fe764d4c6

SHA256
072d397d68300095c9ff53cf0701f422e66a477f6cb320abaacdbe5e9d092efd

SHA512
264c0244969a933ce85a6d4ea1fe541595b8aeb032c77f6da254c694496aef00585c53e65309a0e3e6459676c97df6e5e211672b30bbbe51b8b0b3d504a05438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e348be5-2a63-415b-ba35-7fae3dc585bf.vbs

Filesize
708B

MD5
e31a493eb3be463a93d9d29fa5a08819

SHA1
9091c9f57fb59a3130481f41edbcceca9a13d56f

SHA256
f68bd0462c70649046d31cbff5f53facae2216c500b70829db0f090cc7e46732

SHA512
b2ace9ba682f6da7c9a7dc074017b78c120b029979fc3eb1baa37374fd2de5eca7cca209be56636f5decd3912b1179cf100be177c08bff17f7a70646b008db33

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cef4987-21e6-4a3d-9ca3-057cee09242f.vbs

Filesize
708B

MD5
ec7965e7036ae33dfe23172b72c4aebd

SHA1
4d3f0991daf4c9d70ed6c5a6b3354d159c227f79

SHA256
b72867cb91b2ac31be1da746f0e0c51c345b960f8d59203a6caf09de75d4376f

SHA512
a0b7f2a920d2fd503f68011463b5bae618b960fa76df7b85a1c1022fc02affb89c8ff7434a527fece144543896b6606e49e856e38f4ceec816022a628bd469d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e2a5e68-e0cb-4850-8c67-f52e45a4539b.vbs

Filesize
708B

MD5
4fc755ec63a3b8992479d51d317fa7d2

SHA1
6c1366946036d508d4286869e52a3ac325d3ed76

SHA256
7f60b91a8319bdc8ff94525f4cae172febfce1e5c19aef4e7c5d1aeb02352b6e

SHA512
d074a577b8629fd0958e649ebfeb5819113fac411ef29456e56ad3be5cf0cfbabe14ab90d3a64da6a717540ad3a52093ac3c17c7845f3a5ae9a7030d1f3ab183

Download Submit
C:\Users\Admin\AppData\Local\Temp\912dcd35-06aa-416d-ae76-5a352812e977.vbs

Filesize
708B

MD5
8544d684366bf5faf5cf75c728d4815b

SHA1
a683628591675df1ab27210c7878e345c686a809

SHA256
5964770a5a0ca39da445a5eb84caba60f16a9ee5f2b3e0a5283401d9059f33a3

SHA512
027266a03a4a731dd51dd4fa9e2f50d6fa50e2b4b27ccc073719a32c55afb5c8c546686c7e7142a1374f06f1fadce3ca4e5e270dd2146f958ecccff2d90fb9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd688a49-680f-4e75-89d3-ac244cc654c9.vbs

Filesize
708B

MD5
c54baac1108a88794203e9d1742c7fcd

SHA1
f3aa46548c86435769ab4a4f661abaea8fe78c22

SHA256
2e2714a9784423c0983fce8c607386d9b3ca2df3d6ffd1d401ed2b092864c8a8

SHA512
5d008884c44e508e530b41f0551e77feadc1fb518d4079706eec51e37e14d6303aa1368b787df117c0ee1cdcd68eb9b0207e2fa438a46e9dc61899b56f1efe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A83.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bb57cacb9d4ccb853f1857d474879324

SHA1
3eecc9bf48e6aabb7cff90120bd4e2b72ba532cd

SHA256
be752b6432adc72841d94d0f2fc32b9de8e752937a28d951b437545632f4d1a4

SHA512
d396587c8fddeed76b819c79281388c54f0127ce95a6d100f8c1ccec51ce0cf8790cc92e63a72079e7ad4287fd4380a80a26883ad71a6c0e80187a33e128afc5

Download Submit
C:\Users\Default\csrss.exe

Filesize
4.9MB

MD5
25496308c3b681092d00992320e7dcf0

SHA1
f016822cb907ffbd1aa6ffaf9b4e00dfc789e7bf

SHA256
19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f

SHA512
811433d23078a129180f7067aa9c9d904e0c001b8adb9876bcaee096014814d57faf457c4d3a8f20ca05b0d4c08d4a311599bc1cfe57db478ee5b5282196038e

Download Submit
C:\Windows\L2Schemas\spoolsv.exe

Filesize
4.9MB

MD5
9428c7bc160092b5bf5d5b2d00c2724d

SHA1
62ba61608f5e38021ef27546af3ee9cd066c192a

SHA256
09e5c38001b845b286ad0bfba9f6f810518fa2de69005ce4e9da42b4f904d7ce

SHA512
33a76e9a1d39b56e62595236e922ace5bfde518e6532781688ce3261ce626cb32b8daf7a5fa86da30026cda5e2ea12be59e615f534f27e5a8b332671d10a6331

Download Submit
memory/1084-257-0x0000000001040000-0x0000000001534000-memory.dmp

Filesize
5.0MB

Download
memory/1544-197-0x0000000000A50000-0x0000000000F44000-memory.dmp

Filesize
5.0MB

Download
memory/1544-198-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1760-242-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download
memory/2400-212-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/2588-288-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2588-287-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/2612-148-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2612-171-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2688-11-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/2688-9-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/2688-125-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2688-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2688-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2688-14-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2688-13-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/2688-12-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/2688-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2688-1-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/2688-10-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/2688-137-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-8-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/2688-7-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/2688-6-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/2688-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-5-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2688-4-0x0000000000A10000-0x0000000000A2C000-memory.dmp

Filesize
112KB

Download
memory/2688-3-0x000000001B5D0000-0x000000001B6FE000-memory.dmp

Filesize
1.2MB

Download
memory/2928-272-0x0000000000180000-0x0000000000674000-memory.dmp

Filesize
5.0MB

Download
memory/3032-227-0x0000000001070000-0x0000000001564000-memory.dmp

Filesize
5.0MB

Download
memory/3060-303-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download