dcrat | 4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Size

4.9MB
MD5

9e718941cf243658ef2a455bed6fa4d3
SHA1

50b656f1febb89c83047c3ebc428581cf78a292a
SHA256

4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7
SHA512

1768abc55733d59965b84c4c4a74a9812fcb548d630f4c1ef078e796173e90726a3e7ed780821d432494ce3b5fcf04381c75e9eb8be45f0534f84649d3910ec0
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8B:h

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2748	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2748	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1868-3-0x000000001B420000-0x000000001B54E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe
808	powershell.exe
1624	powershell.exe
2868	powershell.exe
2512	powershell.exe
2604	powershell.exe
2024	powershell.exe
552	powershell.exe
1548	powershell.exe
1320	powershell.exe
984	powershell.exe
592	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
948	explorer.exe
1508	explorer.exe
2120	explorer.exe
852	explorer.exe
2564	explorer.exe
536	explorer.exe
1516	explorer.exe
2768	explorer.exe
2020	explorer.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXF37.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\Idle.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\OSPPSVC.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\en-US\csrss.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\en-US\886983d96e3d3e	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\OSPPSVC.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\en-US\RCX60F.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\en-US\csrss.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\system\RCXD24.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\RCX1C96.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Panther\UnattendGC\dllhost.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\system\Idle.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\system\6ccacd8608530f	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Globalization\cc11b995f2a76d	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX890.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Globalization\RCX1A82.tmp	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Panther\UnattendGC\5940a34987c991	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Globalization\winlogon.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\1610b97d3ab4a7	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Panther\UnattendGC\dllhost.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
File opened for modification	C:\Windows\Globalization\winlogon.exe	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
2704	schtasks.exe
616	schtasks.exe
1652	schtasks.exe
2440	schtasks.exe
944	schtasks.exe
268	schtasks.exe
1616	schtasks.exe
1540	schtasks.exe
1588	schtasks.exe
3040	schtasks.exe
388	schtasks.exe
544	schtasks.exe
2872	schtasks.exe
2940	schtasks.exe
2800	schtasks.exe
636	schtasks.exe
2972	schtasks.exe
820	schtasks.exe
1060	schtasks.exe
984	schtasks.exe
1660	schtasks.exe
2856	schtasks.exe
1340	schtasks.exe
568	schtasks.exe
596	schtasks.exe
3020	schtasks.exe
2056	schtasks.exe
704	schtasks.exe
1984	schtasks.exe
2884	schtasks.exe
1864	schtasks.exe
2804	schtasks.exe
2588	schtasks.exe
2288	schtasks.exe
1228	schtasks.exe
1972	schtasks.exe
1772	schtasks.exe
1584	schtasks.exe
2916	schtasks.exe
2196	schtasks.exe
2336	schtasks.exe
1560	schtasks.exe
2752	schtasks.exe
2552	schtasks.exe
2540	schtasks.exe
592	schtasks.exe
1492	schtasks.exe
864	schtasks.exe
316	schtasks.exe
900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
552	powershell.exe
592	powershell.exe
2024	powershell.exe
1624	powershell.exe
808	powershell.exe
984	powershell.exe
1548	powershell.exe
1336	powershell.exe
2512	powershell.exe
2868	powershell.exe
2604	powershell.exe
1320	powershell.exe
948	explorer.exe
1508	explorer.exe
2120	explorer.exe
852	explorer.exe
2564	explorer.exe
536	explorer.exe
1516	explorer.exe
2768	explorer.exe
2020	explorer.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	948	explorer.exe
Token: SeDebugPrivilege	1508	explorer.exe
Token: SeDebugPrivilege	2120	explorer.exe
Token: SeDebugPrivilege	852	explorer.exe
Token: SeDebugPrivilege	2564	explorer.exe
Token: SeDebugPrivilege	536	explorer.exe
Token: SeDebugPrivilege	1516	explorer.exe
Token: SeDebugPrivilege	2768	explorer.exe
Token: SeDebugPrivilege	2020	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 552	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	83
PID 1868 wrote to memory of 552	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	83
PID 1868 wrote to memory of 552	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	83
PID 1868 wrote to memory of 2024	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	85
PID 1868 wrote to memory of 2024	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	85
PID 1868 wrote to memory of 2024	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	85
PID 1868 wrote to memory of 592	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	86
PID 1868 wrote to memory of 592	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	86
PID 1868 wrote to memory of 592	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	86
PID 1868 wrote to memory of 1336	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	87
PID 1868 wrote to memory of 1336	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	87
PID 1868 wrote to memory of 1336	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	87
PID 1868 wrote to memory of 1320	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	88
PID 1868 wrote to memory of 1320	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	88
PID 1868 wrote to memory of 1320	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	88
PID 1868 wrote to memory of 1548	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	91
PID 1868 wrote to memory of 1548	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	91
PID 1868 wrote to memory of 1548	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	91
PID 1868 wrote to memory of 808	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	92
PID 1868 wrote to memory of 808	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	92
PID 1868 wrote to memory of 808	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	92
PID 1868 wrote to memory of 1624	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	93
PID 1868 wrote to memory of 1624	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	93
PID 1868 wrote to memory of 1624	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	93
PID 1868 wrote to memory of 2868	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	95
PID 1868 wrote to memory of 2868	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	95
PID 1868 wrote to memory of 2868	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	95
PID 1868 wrote to memory of 2604	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	96
PID 1868 wrote to memory of 2604	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	96
PID 1868 wrote to memory of 2604	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	96
PID 1868 wrote to memory of 2512	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	99
PID 1868 wrote to memory of 2512	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	99
PID 1868 wrote to memory of 2512	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	99
PID 1868 wrote to memory of 984	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	100
PID 1868 wrote to memory of 984	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	100
PID 1868 wrote to memory of 984	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	100
PID 1868 wrote to memory of 948	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	107
PID 1868 wrote to memory of 948	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	107
PID 1868 wrote to memory of 948	1868	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe	107
PID 948 wrote to memory of 2852	948	explorer.exe	108
PID 948 wrote to memory of 2852	948	explorer.exe	108
PID 948 wrote to memory of 2852	948	explorer.exe	108
PID 948 wrote to memory of 1564	948	explorer.exe	109
PID 948 wrote to memory of 1564	948	explorer.exe	109
PID 948 wrote to memory of 1564	948	explorer.exe	109
PID 2852 wrote to memory of 1508	2852	WScript.exe	110
PID 2852 wrote to memory of 1508	2852	WScript.exe	110
PID 2852 wrote to memory of 1508	2852	WScript.exe	110
PID 1508 wrote to memory of 2800	1508	explorer.exe	111
PID 1508 wrote to memory of 2800	1508	explorer.exe	111
PID 1508 wrote to memory of 2800	1508	explorer.exe	111
PID 1508 wrote to memory of 1144	1508	explorer.exe	112
PID 1508 wrote to memory of 1144	1508	explorer.exe	112
PID 1508 wrote to memory of 1144	1508	explorer.exe	112
PID 2800 wrote to memory of 2120	2800	WScript.exe	113
PID 2800 wrote to memory of 2120	2800	WScript.exe	113
PID 2800 wrote to memory of 2120	2800	WScript.exe	113
PID 2120 wrote to memory of 328	2120	explorer.exe	114
PID 2120 wrote to memory of 328	2120	explorer.exe	114
PID 2120 wrote to memory of 328	2120	explorer.exe	114
PID 2120 wrote to memory of 2400	2120	explorer.exe	115
PID 2120 wrote to memory of 2400	2120	explorer.exe	115
PID 2120 wrote to memory of 2400	2120	explorer.exe	115
PID 328 wrote to memory of 852	328	WScript.exe	116

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe
"C:\Users\Admin\AppData\Local\Temp\4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
  "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96c75b8f-6e4c-43ba-ba85-29be0d01fb55.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
      "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cac2de0-5d38-479b-b2fd-3dc972522678.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\989e8b82-0a95-4cff-93bf-064a063dee2c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e060f6d1-cfe3-4148-bf2d-2c1ede0082fb.vbs"
        9⤵
        
        PID:2208
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed3ee5c7-56f6-423b-ab89-9f428fad3f7c.vbs"
        11⤵
        
        PID:2452
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb1ad28-e201-4f04-a3e7-b1b2263c4a7c.vbs"
        13⤵
        
        PID:3032
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa90a319-1af4-41f2-82d7-fb0b35d34e0d.vbs"
        15⤵
        
        PID:2960
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44f0db40-68bd-4910-8a92-d1783bb2234d.vbs"
        17⤵
        
        PID:1520
        
        C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe
        
        "C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7816dcc3-7212-4024-9555-6495224d58c4.vbs"
        19⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c345589-f29c-4eff-bdb2-b86234604978.vbs"
        19⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e45d2e-be1d-4849-8159-0e89065e894c.vbs"
        17⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164a19f7-38f6-4b6b-acb5-8dea4c81b983.vbs"
        15⤵
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05d180ad-792d-4ac0-ac6f-1247b7bee31a.vbs"
        13⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\579f5ae8-2eda-49f2-b3d4-af30a013b400.vbs"
        11⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4432eb3-e3e8-4fea-b3fa-f3fc7ea7e65c.vbs"
        9⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0923b7-ea85-4945-b624-16f25915aa04.vbs"
        7⤵
        
        PID:2400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1797f05-bc6e-45ca-8aed-691507eba500.vbs"
        5⤵
        
        PID:1144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4faaf6dd-6c16-4a2e-837d-4667c876ec71.vbs"
    3⤵
    PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\UnattendGC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\system\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Landscapes\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Landscapes\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCX186F.tmp

Filesize
4.9MB

MD5
7d0ea454bec1e1a469e24710d9c1301e

SHA1
6e89447ab6c4ce996dda04e4b8476d992d2da47b

SHA256
76b54d49568d9991224b0dd5d40d57c64b2f1347fa8a8fde07fdcba77c858bc4

SHA512
8fa989db6ccbe16048eb77898954557e31a2d975f2faf71154fe8f2025bb4557f57e1cee6742b779a4a51dadd2fc301e866ccbc679fe627082b98336e7d2e0c7

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe

Filesize
4.9MB

MD5
8e39d414f0e0386b6232208dfe784c2e

SHA1
fa016fe070e12c9b1b7e9c68dcddcdf1562df4b4

SHA256
b59afa8cab6eb3d6e8f06d36d04bd290a6ca9f645d01e655343367bd1b449136

SHA512
dabac5dc1150a6788a7daaa34bd25cc780ed11f7df91aed822a361e3b394a262315c4234dacfee18cfb9e96793c08afd5afca3ef5bee798ee27678f5c47d4f1d

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe

Filesize
4.9MB

MD5
c817c02e956bed9f3b6486b9fa4a4ca3

SHA1
dc396c97074738dc1152b3c8c9f8386fe08fec43

SHA256
d418706bfd7b5179e7cf1e280511d395ec7e1def4a1dc43a7f9f892f90cbbf55

SHA512
80373c613d415cec47d947d2f986657f932678c66bea41c6d494e60968ec5b8b5ad8f1d37a02979f153d973869775babf069f3919a343a2bccfac8c5d70ea3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\44f0db40-68bd-4910-8a92-d1783bb2234d.vbs

Filesize
736B

MD5
c762330391f81a349f1f4c6094134a55

SHA1
f6da0f8d2e179dd8de43f7f716085de27d69bb97

SHA256
e61882eef2134b2618234f4292abee51d1957f8897c6fd335d389d17a4baf22a

SHA512
73d3320ed5aa54dec388765954d44cdf290fe287ed45a8805a1aa3b487c592f637aa54fc3ad4c320427cbbcf0a88212cd7959adb8f8b3bd82c21f6792d785dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4faaf6dd-6c16-4a2e-837d-4667c876ec71.vbs

Filesize
512B

MD5
c4bc68e4143b50d82dc95e8a1b243fe4

SHA1
5ea9ec5ce61f853206b0ccb59eb1669c62bf4625

SHA256
db72d8945481c75648246663b1432439dfb1f79abb6ef14ca8ad7ca0d8d36c4f

SHA512
153c036030fd9b298e81aa91c15bbd302021d5b37ff99ce79049773d48aa3336cdd8fd8931981ef5193edb22810fad3d9c87354018e664744f9552afd71feec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb1ad28-e201-4f04-a3e7-b1b2263c4a7c.vbs

Filesize
735B

MD5
bd994f3acfbe828f033ef28226cf4909

SHA1
65511e69127144eeb99def5c92ff0593325e6de3

SHA256
21465b9ddd2fdc0ec03a907eac409eda967ba9d28551345fa17d982cdfb2fab3

SHA512
4a2a5463de6f1e4b6307f8e1013621a111ab3eecff8cbc110a94fdd3c7fbee7dab6ffaa39469754d9524f03c328d190605f61714e2d7e4fcddeea2e2a237aec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7816dcc3-7212-4024-9555-6495224d58c4.vbs

Filesize
736B

MD5
29f73bf3ce2a3e777cca045ef3dc5e5d

SHA1
d8fa24784c491b6507febc3c7c015e033a678034

SHA256
eac987aec3c74f64a34d75ecd8e7bfe527e8d95af67f790ace18f557b8018eae

SHA512
345ccec9feb4bab0f251bbf46d49ab36f71214d65ca836cc7534151c4b1f1177d913abe7dea6da67657202503214f97dfd8b6944e83cde5794a3d34d0949c7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cac2de0-5d38-479b-b2fd-3dc972522678.vbs

Filesize
736B

MD5
b8e88093b2fe409655f7494a15d631e6

SHA1
35d34a7e1641c9e4c7e0dd1cf7b8497bf0727ca6

SHA256
452e2c6594524572b9c8579a75a04cd90c0fa67d13e42555189b98f12838490e

SHA512
ee834d0b241aae80ea088e5424e90d0a4692c155e412c89f4a30b37b1c6875757c3619923534461e79ae354862bfac9c486a2442bd96685627c257e1624d11b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c75b8f-6e4c-43ba-ba85-29be0d01fb55.vbs

Filesize
735B

MD5
8f4d61261b4f70135a1b9d3a75f84a84

SHA1
75a76fd9f9e892bf44fc81a5892a6d3ee16cfd99

SHA256
d90a91d2107a718d37619e84a5c1c7d30515c154b926ea9e9c1bf6293dda0e1c

SHA512
afe5c88ccabfda36e508e34a122c231ec88dfe70cc73d127f470d1652f4da880da4929922e6882d46032f8b8c3046dbd84e8f58bfd6ce768b26f333b0ab223a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\989e8b82-0a95-4cff-93bf-064a063dee2c.vbs

Filesize
736B

MD5
df12b1b227a6989e6f9feb467278c3ad

SHA1
ea46a9db725491a5dd6ae226fc0259471fb662be

SHA256
191b698cb6c6f05275c675e6484f1920054a523c6c7168548251e940760b4846

SHA512
7cda020c7dfd1de708db2886e3091107024659a498a3d51ea278c4abdce5896faad6bb3d920ba59352ce32cf85435dd1f3d6554763686eb3a1c25164a73899b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa90a319-1af4-41f2-82d7-fb0b35d34e0d.vbs

Filesize
736B

MD5
97b46ae922d798a7f625abeeb78154a1

SHA1
9acb30273aec18dfd537e49934495cb9b2454790

SHA256
12c399a91683283795effa2e86235baeb348184ab86dfed06d850712569588a9

SHA512
ff682ff0e21b04c24f0806068a2125320bf723c465bae975d1f7e8d6a6ec774c1567b777477b018fbf88634faf42e760262110e5bd1115f49ba0f3a560ebf0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\e060f6d1-cfe3-4148-bf2d-2c1ede0082fb.vbs

Filesize
735B

MD5
98a84ff9c7df4d2d833e3ec6a80d2b3d

SHA1
c2d201e3ccf952059e26460b1122bf87faa6971e

SHA256
6cd4562e7f6dcc62f041523699190b2b60a5be3d8c6edc1349cf9565d52aac7e

SHA512
d6c7b6e68cfc82f810d6dcf2c26882f279d50a1782a043e871623ec88b13824003aff62b58eee39f9dc59d85a87a707c34649b806b599737aeab0721644444a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed3ee5c7-56f6-423b-ab89-9f428fad3f7c.vbs

Filesize
736B

MD5
9694a6b141b3a509d578e268892d5aa7

SHA1
061f54bf374bb5ed42fadb27d06d8bb35091918e

SHA256
5c1e2a1e70411ed0066721d99bf3b4f7ed26d05054e11f4eb3b831c0cd228a44

SHA512
85235431d72004184d034a8280ddd4d06d07275ba633eddf80575856e65d52c45edad7a731d4903f29eddd2897b7a723ae4c33b2afca588611c9bfed6e164735

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp38AD.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4429247b4d9a0dacccb55ca5bca7d146

SHA1
658fb0de33800c162ddc95ed1424fe931201719f

SHA256
aa2b17463357df0ad97bed3f698818b3193382b9cf6e981bee97923122f0ea81

SHA512
1963c41e68a0ed43e97b2bed25563310313151391189e4e539378660e6a44f13ce37d7d9a4383f1c4491b82f40199ca3362a75e723ce4ab8f8eafbaac2b3bde3

Download Submit
C:\Users\Admin\Music\dllhost.exe

Filesize
4.9MB

MD5
76f147c98a87900b603b9e95bde8cc66

SHA1
b17d0aa7a4d59e42279e04b762714647aeea5fa7

SHA256
d64a2601fb412a321dae96ebe623b43c45b0981db6379705e782900590bfd7fd

SHA512
aebf374a7da50a1013c605c7ecfb651fca5d9cd335ea2f3f881d9459393d390c0d359a9431d67ed8402d0f525a79eff35a76e61e55ca8dbf99f7eae9679d450d

Download Submit
C:\Windows\en-US\csrss.exe

Filesize
4.9MB

MD5
9e718941cf243658ef2a455bed6fa4d3

SHA1
50b656f1febb89c83047c3ebc428581cf78a292a

SHA256
4d425d8c84c292e3c68039e9c4996fe41866975ce47e3e896082260de8c0b7d7

SHA512
1768abc55733d59965b84c4c4a74a9812fcb548d630f4c1ef078e796173e90726a3e7ed780821d432494ce3b5fcf04381c75e9eb8be45f0534f84649d3910ec0

Download Submit
memory/592-207-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/592-192-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/852-276-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/948-189-0x0000000000BB0000-0x00000000010A4000-memory.dmp

Filesize
5.0MB

Download
memory/948-231-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1508-246-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1508-245-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download
memory/1516-321-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1516-320-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/1868-9-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/1868-7-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/1868-12-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/1868-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1868-11-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/1868-10-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/1868-15-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/1868-13-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/1868-14-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1868-8-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1868-1-0x0000000000980000-0x0000000000E74000-memory.dmp

Filesize
5.0MB

Download
memory/1868-209-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1868-142-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1868-6-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1868-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1868-5-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1868-4-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/1868-16-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/1868-128-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1868-3-0x000000001B420000-0x000000001B54E000-memory.dmp

Filesize
1.2MB

Download
memory/2020-350-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/2020-351-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/2120-261-0x00000000001F0000-0x00000000006E4000-memory.dmp

Filesize
5.0MB

Download
memory/2564-291-0x0000000001200000-0x00000000016F4000-memory.dmp

Filesize
5.0MB

Download