dcrat | 7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Size

3.4MB
MD5

9040d1f68050a9b2533ac7e8b59c2aa0
SHA1

1b38a5284d4510423c0c4ac77066fc6eb41b9286
SHA256

7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
SHA512

e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39
SSDEEP

49152:s3GMesEktOcTPuKyI1qd5i6JTnl9gs6ToWbepfutWiNFg20+5J3pS8Dzy:nuEktPuu1qbhwDoWHgt+5JZS8fy

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2052	schtasks.exe
		1528	schtasks.exe
		5028	schtasks.exe
		1940	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
		3712	schtasks.exe
		2956	schtasks.exe
		4908	schtasks.exe
		2956	schtasks.exe
		4960	schtasks.exe
		4728	schtasks.exe
		1676	schtasks.exe
		116	schtasks.exe
File created	C:\Program Files\WindowsPowerShell\ea1d8f6d871115		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
		1084	schtasks.exe
		4700	schtasks.exe
		3484	schtasks.exe
		608	schtasks.exe
		3600	schtasks.exe
		2152	schtasks.exe
		3908	schtasks.exe
		4012	schtasks.exe
		208	schtasks.exe
		1560	schtasks.exe
		916	schtasks.exe
		2720	schtasks.exe
		680	schtasks.exe
		2752	schtasks.exe
		3052	schtasks.exe
		4420	schtasks.exe
		4248	schtasks.exe
		2608	schtasks.exe
		4732	schtasks.exe
		4740	schtasks.exe
		2444	schtasks.exe
File created	C:\Windows\TAPI\ea1d8f6d871115		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
		5032	schtasks.exe
		3128	schtasks.exe
		2512	schtasks.exe
		4004	schtasks.exe
		2980	schtasks.exe
		1180	schtasks.exe
		1140	schtasks.exe
		652	schtasks.exe
		3896	schtasks.exe
		1212	schtasks.exe
		4960	schtasks.exe
		1572	schtasks.exe
		1212	schtasks.exe
		5092	schtasks.exe
		2268	schtasks.exe
		2352	schtasks.exe
		1932	schtasks.exe
		3548	schtasks.exe
		432	schtasks.exe
		4448	schtasks.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\5940a34987c991		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
		116	schtasks.exe
		3056	schtasks.exe
		5020	schtasks.exe
		3988	schtasks.exe
		372	schtasks.exe
		3084	schtasks.exe
File created	C:\Program Files (x86)\Common Files\Services\22eafd247d37c3		7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4952	schtasks.exe	83

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2436-1-0x0000000000980000-0x0000000000CEA000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b99-48.dat	dcrat

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe

Executes dropped EXE 10 IoCs

pid	Process
1660	csrss.exe
4880	csrss.exe
1520	csrss.exe
4640	csrss.exe
4052	csrss.exe
3548	csrss.exe
2500	csrss.exe
1656	csrss.exe
804	csrss.exe
3636	csrss.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
45	pastebin.com
54	pastebin.com
60	pastebin.com
22	pastebin.com
42	pastebin.com
57	pastebin.com
67	pastebin.com
70	pastebin.com
23	pastebin.com
48	pastebin.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\upfc.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\Common Files\Services\22eafd247d37c3	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\WindowsPowerShell\ea1d8f6d871115	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ea9f0e6c9e2dcd	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea9f0e6c9e2dcd	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\Common Files\Services\TextInputHost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\taskhostw.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sysmon.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\121e5b5079f7c0	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\38384e6a620884	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\7-Zip\Lang\conhost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Program Files\7-Zip\Lang\088424020bedd6	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\upfc.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\TAPI\ea1d8f6d871115	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\ShellComponents\Registry.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\ShellComponents\ee2ad38f3d4382	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\dllhost.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\5940a34987c991	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
File created	C:\Windows\Boot\DVD\PCAT\es-ES\WmiPrvSE.exe	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4740	schtasks.exe
2956	schtasks.exe
1940	schtasks.exe
1560	schtasks.exe
2936	schtasks.exe
3988	schtasks.exe
2980	schtasks.exe
680	schtasks.exe
3128	schtasks.exe
4908	schtasks.exe
652	schtasks.exe
1676	schtasks.exe
1212	schtasks.exe
3908	schtasks.exe
1572	schtasks.exe
4700	schtasks.exe
2720	schtasks.exe
116	schtasks.exe
3588	schtasks.exe
2752	schtasks.exe
372	schtasks.exe
2956	schtasks.exe
4960	schtasks.exe
5032	schtasks.exe
1084	schtasks.exe
3896	schtasks.exe
3548	schtasks.exe
432	schtasks.exe
1104	schtasks.exe
4960	schtasks.exe
3056	schtasks.exe
916	schtasks.exe
1932	schtasks.exe
2512	schtasks.exe
5092	schtasks.exe
2052	schtasks.exe
3600	schtasks.exe
4012	schtasks.exe
4728	schtasks.exe
1624	schtasks.exe
2268	schtasks.exe
4732	schtasks.exe
1528	schtasks.exe
2608	schtasks.exe
5020	schtasks.exe
608	schtasks.exe
4248	schtasks.exe
1180	schtasks.exe
4448	schtasks.exe
4792	schtasks.exe
1212	schtasks.exe
3712	schtasks.exe
208	schtasks.exe
2220	schtasks.exe
3484	schtasks.exe
1140	schtasks.exe
4276	schtasks.exe
3052	schtasks.exe
4412	schtasks.exe
2352	schtasks.exe
116	schtasks.exe
2608	schtasks.exe
3084	schtasks.exe
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe
1660	csrss.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Token: SeDebugPrivilege	4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Token: SeDebugPrivilege	1660	csrss.exe
Token: SeDebugPrivilege	4880	csrss.exe
Token: SeDebugPrivilege	1520	csrss.exe
Token: SeDebugPrivilege	4640	csrss.exe
Token: SeDebugPrivilege	4052	csrss.exe
Token: SeDebugPrivilege	3548	csrss.exe
Token: SeDebugPrivilege	2500	csrss.exe
Token: SeDebugPrivilege	1656	csrss.exe
Token: SeDebugPrivilege	804	csrss.exe
Token: SeDebugPrivilege	3636	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1244	2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe	114
PID 2436 wrote to memory of 1244	2436	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe	114
PID 1244 wrote to memory of 5048	1244	cmd.exe	116
PID 1244 wrote to memory of 5048	1244	cmd.exe	116
PID 1244 wrote to memory of 4716	1244	cmd.exe	122
PID 1244 wrote to memory of 4716	1244	cmd.exe	122
PID 4716 wrote to memory of 3820	4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe	165
PID 4716 wrote to memory of 3820	4716	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe	165
PID 3820 wrote to memory of 4480	3820	cmd.exe	167
PID 3820 wrote to memory of 4480	3820	cmd.exe	167
PID 3820 wrote to memory of 1660	3820	cmd.exe	175
PID 3820 wrote to memory of 1660	3820	cmd.exe	175
PID 1660 wrote to memory of 3056	1660	csrss.exe	177
PID 1660 wrote to memory of 3056	1660	csrss.exe	177
PID 1660 wrote to memory of 852	1660	csrss.exe	178
PID 1660 wrote to memory of 852	1660	csrss.exe	178
PID 3056 wrote to memory of 4880	3056	WScript.exe	183
PID 3056 wrote to memory of 4880	3056	WScript.exe	183
PID 4880 wrote to memory of 2956	4880	csrss.exe	186
PID 4880 wrote to memory of 2956	4880	csrss.exe	186
PID 4880 wrote to memory of 1428	4880	csrss.exe	187
PID 4880 wrote to memory of 1428	4880	csrss.exe	187
PID 2956 wrote to memory of 1520	2956	WScript.exe	189
PID 2956 wrote to memory of 1520	2956	WScript.exe	189
PID 1520 wrote to memory of 1608	1520	csrss.exe	191
PID 1520 wrote to memory of 1608	1520	csrss.exe	191
PID 1520 wrote to memory of 1940	1520	csrss.exe	192
PID 1520 wrote to memory of 1940	1520	csrss.exe	192
PID 1608 wrote to memory of 4640	1608	WScript.exe	194
PID 1608 wrote to memory of 4640	1608	WScript.exe	194
PID 4640 wrote to memory of 1444	4640	csrss.exe	196
PID 4640 wrote to memory of 1444	4640	csrss.exe	196
PID 4640 wrote to memory of 4332	4640	csrss.exe	197
PID 4640 wrote to memory of 4332	4640	csrss.exe	197
PID 1444 wrote to memory of 4052	1444	WScript.exe	199
PID 1444 wrote to memory of 4052	1444	WScript.exe	199
PID 4052 wrote to memory of 2524	4052	csrss.exe	202
PID 4052 wrote to memory of 2524	4052	csrss.exe	202
PID 4052 wrote to memory of 1416	4052	csrss.exe	203
PID 4052 wrote to memory of 1416	4052	csrss.exe	203
PID 2524 wrote to memory of 3548	2524	WScript.exe	205
PID 2524 wrote to memory of 3548	2524	WScript.exe	205
PID 3548 wrote to memory of 1408	3548	csrss.exe	207
PID 3548 wrote to memory of 1408	3548	csrss.exe	207
PID 3548 wrote to memory of 2292	3548	csrss.exe	208
PID 3548 wrote to memory of 2292	3548	csrss.exe	208
PID 1408 wrote to memory of 2500	1408	WScript.exe	210
PID 1408 wrote to memory of 2500	1408	WScript.exe	210
PID 2500 wrote to memory of 1112	2500	csrss.exe	212
PID 2500 wrote to memory of 1112	2500	csrss.exe	212
PID 2500 wrote to memory of 1652	2500	csrss.exe	213
PID 2500 wrote to memory of 1652	2500	csrss.exe	213
PID 1112 wrote to memory of 1656	1112	WScript.exe	216
PID 1112 wrote to memory of 1656	1112	WScript.exe	216
PID 1656 wrote to memory of 2220	1656	csrss.exe	218
PID 1656 wrote to memory of 2220	1656	csrss.exe	218
PID 1656 wrote to memory of 1456	1656	csrss.exe	219
PID 1656 wrote to memory of 1456	1656	csrss.exe	219
PID 2220 wrote to memory of 804	2220	WScript.exe	221
PID 2220 wrote to memory of 804	2220	WScript.exe	221
PID 804 wrote to memory of 2732	804	csrss.exe	223
PID 804 wrote to memory of 2732	804	csrss.exe	223
PID 804 wrote to memory of 208	804	csrss.exe	224
PID 804 wrote to memory of 208	804	csrss.exe	224

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
"C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxpTX0jnF4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe
    "C:\Users\Admin\AppData\Local\Temp\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4716
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SGf9HQxzsq.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4480
    - - C:\Users\Default\SendTo\csrss.exe
        
        "C:\Users\Default\SendTo\csrss.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9158ad72-a2db-4516-8887-8463402864ad.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1a80e3-8bf3-47b1-ae57-95b5ec5dea79.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b14b978-b79f-4922-b65c-977d3c8886c2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6d16ec9-9b13-4793-8fa8-189d6cccaa3a.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35e2409-6719-4a87-b951-4279cee960c5.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d80db8b-797c-4575-911b-dbaff8d43a2a.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b161e294-11df-42ff-9152-0d90a8bf07d9.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa91c47-b0ba-4796-b7ed-f167779eb0c0.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d115c27a-02bf-4d6c-b6ee-bbe1598e1570.vbs"
        22⤵
        
        PID:2732
        
        C:\Users\Default\SendTo\csrss.exe
        
        C:\Users\Default\SendTo\csrss.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ed8ce0-43d1-4b82-b814-a3a9b54fd3d1.vbs"
        24⤵
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd78cafd-9f57-47b5-b0ea-1ddc61d7951c.vbs"
        24⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61d0727b-1044-4c8a-a8ab-9dc0ef302b42.vbs"
        22⤵
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8517b49-ac4a-4147-be50-74f572e207e9.vbs"
        20⤵
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ebb62c-696b-4c0d-9d88-23e9ab3cc8c1.vbs"
        18⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb2e520a-fd44-4278-bb1a-9730e4bf572d.vbs"
        16⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2afe9a-dac8-49d5-bf91-0617576022ce.vbs"
        14⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5aa0c68-e74c-4c69-8140-bf0e113daedf.vbs"
        12⤵
        
        PID:4332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60970aa5-daf7-42ae-b7c1-955e55997cfb.vbs"
        10⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8012a505-ff1b-4021-bcee-7867bce67f70.vbs"
        8⤵
        
        PID:1428
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3605b1f-4991-43b0-a8f4-852b927cb774.vbs"
        6⤵
        
        PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\TAPI\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\eb603fa6eb1f1fdefda6ce5d5c1c889a\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\System.exe

Filesize
3.4MB

MD5
9040d1f68050a9b2533ac7e8b59c2aa0

SHA1
1b38a5284d4510423c0c4ac77066fc6eb41b9286

SHA256
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67

SHA512
e2121c2d4156af7968d3e608affc33519933a9e8c3ae6b2ad49af059e3b6cca12b1e3f36bc0283df2ae9645c199192d45f6b1e8053af6adf08724d11791a1f39

Download Submit
C:\Recovery\WindowsRE\ea1d8f6d871115

Filesize
47B

MD5
7b8edd4fda3de54822e41a945c320b14

SHA1
9fd8fae624f3fbc3943b599a4f57294dc73fd984

SHA256
edef5ca747f3f3d9b4ec10f70e66f566c58f99a85634d4a55880d88662fdd05c

SHA512
351a70a2f0950d0e9c328b4753e19d0d3af2a6a4c6c54beed525455e53c3abba94b9d70f09fe3786ca3bbd47147a2ee2ca35a3929beac6e2e5eec918de109af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67N.exe.log

Filesize
1KB

MD5
655010c15ea0ca05a6e5ddcd84986b98

SHA1
120bf7e516aeed462c07625fbfcdab5124ad05d3

SHA256
2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14

SHA512
e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b14b978-b79f-4922-b65c-977d3c8886c2.vbs

Filesize
709B

MD5
81ddd641ed06b40fd062f55b8cb823ba

SHA1
907f5d9f6eac50ba9465fbadb30b3e0ee86fd48a

SHA256
e9686f4ab1188a4379a132e05131bb23e636ff60f3b2da78bee6d07ef98e0549

SHA512
e225dc4a1db88bbb769a8052afa7509a256d40d29155d7a1867723f0588c70a077a043e33b993b48ec06f5e76cdfc8bd82836b388a1b4b0f3695a03a6dc1753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ed8ce0-43d1-4b82-b814-a3a9b54fd3d1.vbs

Filesize
709B

MD5
b4f544c629c7abf1ea52ba5fe3920892

SHA1
f076e288cd2c15570a0b38e9b287d7994b5996c2

SHA256
2980ccd517138e920b8c64febc8f2f7a602072646e3e4d3289de820138aea1bc

SHA512
6e0f681401d29b63dc94e029cdcf1757582f5287771a5b749a85299f95fec188964455d69eb7d2b44cdadd32994e83dabec6ccc7747895242a5608f4edc2fd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d80db8b-797c-4575-911b-dbaff8d43a2a.vbs

Filesize
709B

MD5
76a566538b66283b0bb0e2443a1938a5

SHA1
22127951bdcf01fb76ddf552e3ec7ac78a7d0a91

SHA256
132034e24f5fbff735b1fe8a2cccfc583b091ef265a63f846de80287804c6429

SHA512
0087da201fa9fd454298110f8147a2def672976ed4c1f43a1c326e4ee3cce674a1586083e97d20a6a9cfdc321cfcfc23fae43a4e860decedec367443a112d147

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e1a80e3-8bf3-47b1-ae57-95b5ec5dea79.vbs

Filesize
709B

MD5
135387dbbe9ac54dba1dccc5c846b24f

SHA1
327f72b7c96dd89723fb02bed69e4c95d8c56c7d

SHA256
6d0af361eb28a15019a00d4eb252d90fada323eeb842fee82ba428aad3d39cee

SHA512
dd2bf1023677e4345a75fc8bb9ebdb0ff77d2dee2ded70efbac2bc7e400573c477beda93a1526f94539161778393791e00e19f6201ebfd5b8d5c0fa3c44b297e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9158ad72-a2db-4516-8887-8463402864ad.vbs

Filesize
709B

MD5
6c6b93260e367112fa2cb80994c7366e

SHA1
d6fcc67ef3475d15129fb1345b464590843a7600

SHA256
4c592a42573897518182285543608100aeb01e1c021e021bff145a1dd377716b

SHA512
7a51f39df57741ced9235a8d3793f454b7b33723d81046673646a72a01cb04fa1eac811c2e0099c9ae7409cfed83b250e8a2d3887d6bff881046038ee6e50591

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGf9HQxzsq.bat

Filesize
198B

MD5
de6f250881a28dea3ae64886fc05f5aa

SHA1
da480f3ed77f3e4f15e8998a200b9d174a48cfe7

SHA256
3f6ffdab92e11451b4d65d44261cd8f05dfc78cd381dbdc1050974cacbfb6b80

SHA512
1b12477c84a275b367979af884ea3df774fa43fe215c0824c5fe744a2d273f16291f68f5846b9344bd08c013a1bf51b4f73a9041c219a62e552041040233410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b161e294-11df-42ff-9152-0d90a8bf07d9.vbs

Filesize
709B

MD5
592efa2e6d9d1b54f88893ff2c4dfe95

SHA1
e21b8f23ffa1b3663159f31064451058f1409b07

SHA256
be91ba9fb0f6ff767d8d67c08604a246d82a39e6295778329e1b35ea0be31cae

SHA512
5869ed634065d430bcbeff5656da62b774f675ff934432b1635a98afb3fcb46919fa5b23586c6a1c5a82bfc60ab0a33b5ee2d846052580f9279c4db5ccb12850

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxpTX0jnF4.bat

Filesize
268B

MD5
e6c837099b10413bca5a11368c4ed927

SHA1
04a476c9404bf5289a4ae539511ba9f1041c21ab

SHA256
e4e002c7c421b3d30c0cc4658852e348d5838cc46a8008efe05f52c790ee648a

SHA512
c89e60d83015b228a90ce38706126b0dc2cf52c0c971bc1772de806a47fdf18d371f017fa97fdda406c4195f81c752af28287f0daabba63aff1db04be4d62318

Download Submit
C:\Users\Admin\AppData\Local\Temp\d115c27a-02bf-4d6c-b6ee-bbe1598e1570.vbs

Filesize
708B

MD5
463f11834e0c146e3f4d1413a1222249

SHA1
42c00138384c30ab829ab82f7733dea7bd4394e5

SHA256
de9f43e721458d42f85581ceb86aa31c06d3b7936a3eb5f94557239963be30ef

SHA512
a04d5c5e05e3dfa49df52f0af0b1aeeff1e8e26256b2ff2c9872ca0ca1d19f2509be696a94119cd53aa1dfb72a8a8611015043fb2d3b7adf56c03ccfa233e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3605b1f-4991-43b0-a8f4-852b927cb774.vbs

Filesize
485B

MD5
13710f0f59a6c9fea8cceadbba5d8086

SHA1
a255467b1e4b515dd06082bf37309e333129049f

SHA256
2fbfa079768a093ca9ac5b1b56e0e4bf3feff55378a700390a9df2493f7f230f

SHA512
e53375b273c0ca1a0941364404496fc0bee4ee1b5b940d3209591f8f0a9b1ca94e32b9afb4141a17e868a59fe7ec5ddbbc6355de9658d521bf35369829796423

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6d16ec9-9b13-4793-8fa8-189d6cccaa3a.vbs

Filesize
709B

MD5
60f1283a120e0a310c623ad33dc42613

SHA1
45bc531dd24b43997ee2bb998709ed9bd759ea7f

SHA256
f7e5a0bef85da78ea79db233bf3e03ee944a34bc8dda3aaff0ce39bec7b07c89

SHA512
65a1eb829bae2c5910ca6bd22072c56c3672469f22a69c258491fc3bb5f8955a4a0dee320e7005cd4cd6e49829b927675985d35c309aa15b3d0847fafd2d07b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\daa91c47-b0ba-4796-b7ed-f167779eb0c0.vbs

Filesize
709B

MD5
bcf42f65f5ec86d273a7fb19941dc65e

SHA1
35b9a87069ee0e88eec2641bd7aaaf0ce7799686

SHA256
3447480a5f6826f7a98b0e52f59529d184ee7167185c189392830f14b5251551

SHA512
398f33ea9618ff5da5760755275d04a40947767d34904f989b1ff1571eeb0fbaca3b39adb5d0a8601aab9a85e2f736d0beafddaa3b838b81d350557f565914e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e35e2409-6719-4a87-b951-4279cee960c5.vbs

Filesize
709B

MD5
0ccc6112be7025303c19b050bdee580a

SHA1
4c020eb772def60cfa50a475b495bde198580cdc

SHA256
e52bddea6c6d50897321f6293ae66f73e873f31100e82708454d65b8739b078c

SHA512
3dcc16a43aba315e22b9ee6718fc0d1033884453133f9fed082f26279017b66174dcb60e4560e6af2679455a18cd400eee91cd4043f54a30581c39c8b8bd6457

Download Submit
C:\Users\Default User\55b276f4edf653

Filesize
628B

MD5
c0c8a1222ca865eff088c26bf91533ab

SHA1
d03ec96145b5583ea4c8fbab9a51d5af57aeacb7

SHA256
f8dbc06e61eb5d718c32c3b0a14e59e4970d8dcc73c312ad0359cbcd22d502cc

SHA512
9846d5c137ac461cea52fbaea4660752e49386229710b7de351877310622e9bf177f532269fe51cdd8a2d55a350018c8ca78d3c3ad9a016ee6550f570ccf9b33

Download Submit
memory/2436-15-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/2436-39-0x000000001C660000-0x000000001C66C000-memory.dmp

Filesize
48KB

Download
memory/2436-20-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/2436-21-0x000000001C330000-0x000000001C338000-memory.dmp

Filesize
32KB

Download
memory/2436-22-0x000000001C340000-0x000000001C352000-memory.dmp

Filesize
72KB

Download
memory/2436-23-0x000000001C8A0000-0x000000001CDC8000-memory.dmp

Filesize
5.2MB

Download
memory/2436-24-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/2436-25-0x000000001C380000-0x000000001C38C000-memory.dmp

Filesize
48KB

Download
memory/2436-27-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

Filesize
48KB

Download
memory/2436-26-0x000000001C390000-0x000000001C398000-memory.dmp

Filesize
32KB

Download
memory/2436-28-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

Filesize
48KB

Download
memory/2436-29-0x000000001C630000-0x000000001C638000-memory.dmp

Filesize
32KB

Download
memory/2436-30-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

Filesize
48KB

Download
memory/2436-32-0x000000001C4E0000-0x000000001C4EE000-memory.dmp

Filesize
56KB

Download
memory/2436-31-0x000000001C4D0000-0x000000001C4DA000-memory.dmp

Filesize
40KB

Download
memory/2436-34-0x000000001C600000-0x000000001C60E000-memory.dmp

Filesize
56KB

Download
memory/2436-33-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

Filesize
32KB

Download
memory/2436-36-0x000000001C620000-0x000000001C62C000-memory.dmp

Filesize
48KB

Download
memory/2436-35-0x000000001C610000-0x000000001C618000-memory.dmp

Filesize
32KB

Download
memory/2436-38-0x000000001C650000-0x000000001C65A000-memory.dmp

Filesize
40KB

Download
memory/2436-37-0x000000001C640000-0x000000001C648000-memory.dmp

Filesize
32KB

Download
memory/2436-19-0x000000001BA90000-0x000000001BA98000-memory.dmp

Filesize
32KB

Download
memory/2436-18-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/2436-17-0x000000001BA30000-0x000000001BA86000-memory.dmp

Filesize
344KB

Download
memory/2436-66-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/2436-16-0x000000001BA20000-0x000000001BA2A000-memory.dmp

Filesize
40KB

Download
memory/2436-1-0x0000000000980000-0x0000000000CEA000-memory.dmp

Filesize
3.4MB

Download
memory/2436-0-0x00007FFA03C43000-0x00007FFA03C45000-memory.dmp

Filesize
8KB

Download
memory/2436-14-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/2436-13-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/2436-12-0x000000001BA00000-0x000000001BA12000-memory.dmp

Filesize
72KB

Download
memory/2436-11-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/2436-10-0x0000000002F80000-0x0000000002F96000-memory.dmp

Filesize
88KB

Download
memory/2436-8-0x0000000001680000-0x0000000001688000-memory.dmp

Filesize
32KB

Download
memory/2436-9-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download
memory/2436-7-0x0000000002FC0000-0x0000000003010000-memory.dmp

Filesize
320KB

Download
memory/2436-6-0x0000000002F50000-0x0000000002F6C000-memory.dmp

Filesize
112KB

Download
memory/2436-5-0x0000000001670000-0x0000000001678000-memory.dmp

Filesize
32KB

Download
memory/2436-2-0x00007FFA03C40000-0x00007FFA04701000-memory.dmp

Filesize
10.8MB

Download
memory/2436-4-0x00000000013B0000-0x00000000013BE000-memory.dmp

Filesize
56KB

Download
memory/2436-3-0x00000000013A0000-0x00000000013AE000-memory.dmp

Filesize
56KB

Download
memory/2500-176-0x000000001CBB0000-0x000000001CC06000-memory.dmp

Filesize
344KB

Download
memory/4716-68-0x000000001B460000-0x000000001B472000-memory.dmp

Filesize
72KB

Download