dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410897f36809104096c8b600eb3a0444.exe
Size

1.1MB
MD5

410897f36809104096c8b600eb3a0444
SHA1

18e8b8e65471f7f19b3612ba93a20bd6a702e7dc
SHA256

1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed
SHA512

479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0
SSDEEP

12288:qmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:qh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\Windows\\System32\\spwinsat\\lsm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\", \"C:\\Windows\\System32\\deskadp\\dllhost.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\", \"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\", \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\Windows\\System32\\spwinsat\\lsm.exe\", \"C:\\Program Files\\Java\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\", \"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\""	410897f36809104096c8b600eb3a0444.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2608	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2608	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2404	powershell.exe
1896	powershell.exe
1884	powershell.exe
2360	powershell.exe
112	powershell.exe
2376	powershell.exe
2344	powershell.exe
2036	powershell.exe
2196	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	410897f36809104096c8b600eb3a0444.exe

Executes dropped EXE 10 IoCs

pid	Process
2380	csrss.exe
2840	csrss.exe
2044	csrss.exe
1904	csrss.exe
1900	csrss.exe
2952	csrss.exe
1144	csrss.exe
1688	csrss.exe
1644	csrss.exe
1408	csrss.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\Microsoft\\RAC\\StateData\\csrss.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\drmmgrtn\\sppsvc.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\deskadp\\dllhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\dwm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\spwinsat\\lsm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\spwinsat\\lsm.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\deskadp\\dllhost.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\KBDRU1\\spoolsv.exe\""	410897f36809104096c8b600eb3a0444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Java\\wininit.exe\""	410897f36809104096c8b600eb3a0444.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	410897f36809104096c8b600eb3a0444.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\deskadp\dllhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\spwinsat\101b941d020240	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\deskadp\dllhost.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\drmmgrtn\0a1fd5f707cd16	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\KBDRU1\f3b6ecef712a24	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\drmmgrtn\RCXFDF0.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\spwinsat\RCX9F7.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\deskadp\RCX61.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\KBDRU1\RCX4E6.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\KBDRU1\spoolsv.exe	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\spwinsat\lsm.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\drmmgrtn\sppsvc.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\deskadp\5940a34987c991	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\KBDRU1\spoolsv.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Windows\System32\spwinsat\lsm.exe	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Windows\System32\drmmgrtn\sppsvc.exe	410897f36809104096c8b600eb3a0444.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\RCXBFA.tmp	410897f36809104096c8b600eb3a0444.exe
File opened for modification	C:\Program Files\Java\wininit.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Program Files\Java\wininit.exe	410897f36809104096c8b600eb3a0444.exe
File created	C:\Program Files\Java\56085415360792	410897f36809104096c8b600eb3a0444.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
560	schtasks.exe
1020	schtasks.exe
2980	schtasks.exe
2584	schtasks.exe
2140	schtasks.exe
2064	schtasks.exe
2888	schtasks.exe
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
2768	410897f36809104096c8b600eb3a0444.exe
112	powershell.exe
2360	powershell.exe
1896	powershell.exe
2196	powershell.exe
1884	powershell.exe
2036	powershell.exe
2344	powershell.exe
2404	powershell.exe
2376	powershell.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe
2380	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	410897f36809104096c8b600eb3a0444.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2380	csrss.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2840	csrss.exe
Token: SeDebugPrivilege	2044	csrss.exe
Token: SeDebugPrivilege	1904	csrss.exe
Token: SeDebugPrivilege	1900	csrss.exe
Token: SeDebugPrivilege	2952	csrss.exe
Token: SeDebugPrivilege	1144	csrss.exe
Token: SeDebugPrivilege	1688	csrss.exe
Token: SeDebugPrivilege	1644	csrss.exe
Token: SeDebugPrivilege	1408	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 112	2768	410897f36809104096c8b600eb3a0444.exe	40
PID 2768 wrote to memory of 112	2768	410897f36809104096c8b600eb3a0444.exe	40
PID 2768 wrote to memory of 112	2768	410897f36809104096c8b600eb3a0444.exe	40
PID 2768 wrote to memory of 2360	2768	410897f36809104096c8b600eb3a0444.exe	41
PID 2768 wrote to memory of 2360	2768	410897f36809104096c8b600eb3a0444.exe	41
PID 2768 wrote to memory of 2360	2768	410897f36809104096c8b600eb3a0444.exe	41
PID 2768 wrote to memory of 2196	2768	410897f36809104096c8b600eb3a0444.exe	43
PID 2768 wrote to memory of 2196	2768	410897f36809104096c8b600eb3a0444.exe	43
PID 2768 wrote to memory of 2196	2768	410897f36809104096c8b600eb3a0444.exe	43
PID 2768 wrote to memory of 2036	2768	410897f36809104096c8b600eb3a0444.exe	45
PID 2768 wrote to memory of 2036	2768	410897f36809104096c8b600eb3a0444.exe	45
PID 2768 wrote to memory of 2036	2768	410897f36809104096c8b600eb3a0444.exe	45
PID 2768 wrote to memory of 2344	2768	410897f36809104096c8b600eb3a0444.exe	47
PID 2768 wrote to memory of 2344	2768	410897f36809104096c8b600eb3a0444.exe	47
PID 2768 wrote to memory of 2344	2768	410897f36809104096c8b600eb3a0444.exe	47
PID 2768 wrote to memory of 1884	2768	410897f36809104096c8b600eb3a0444.exe	49
PID 2768 wrote to memory of 1884	2768	410897f36809104096c8b600eb3a0444.exe	49
PID 2768 wrote to memory of 1884	2768	410897f36809104096c8b600eb3a0444.exe	49
PID 2768 wrote to memory of 1896	2768	410897f36809104096c8b600eb3a0444.exe	50
PID 2768 wrote to memory of 1896	2768	410897f36809104096c8b600eb3a0444.exe	50
PID 2768 wrote to memory of 1896	2768	410897f36809104096c8b600eb3a0444.exe	50
PID 2768 wrote to memory of 2376	2768	410897f36809104096c8b600eb3a0444.exe	52
PID 2768 wrote to memory of 2376	2768	410897f36809104096c8b600eb3a0444.exe	52
PID 2768 wrote to memory of 2376	2768	410897f36809104096c8b600eb3a0444.exe	52
PID 2768 wrote to memory of 2404	2768	410897f36809104096c8b600eb3a0444.exe	53
PID 2768 wrote to memory of 2404	2768	410897f36809104096c8b600eb3a0444.exe	53
PID 2768 wrote to memory of 2404	2768	410897f36809104096c8b600eb3a0444.exe	53
PID 2768 wrote to memory of 2380	2768	410897f36809104096c8b600eb3a0444.exe	58
PID 2768 wrote to memory of 2380	2768	410897f36809104096c8b600eb3a0444.exe	58
PID 2768 wrote to memory of 2380	2768	410897f36809104096c8b600eb3a0444.exe	58
PID 2380 wrote to memory of 2968	2380	csrss.exe	59
PID 2380 wrote to memory of 2968	2380	csrss.exe	59
PID 2380 wrote to memory of 2968	2380	csrss.exe	59
PID 2380 wrote to memory of 2724	2380	csrss.exe	60
PID 2380 wrote to memory of 2724	2380	csrss.exe	60
PID 2380 wrote to memory of 2724	2380	csrss.exe	60
PID 2968 wrote to memory of 2840	2968	WScript.exe	61
PID 2968 wrote to memory of 2840	2968	WScript.exe	61
PID 2968 wrote to memory of 2840	2968	WScript.exe	61
PID 2840 wrote to memory of 2892	2840	csrss.exe	62
PID 2840 wrote to memory of 2892	2840	csrss.exe	62
PID 2840 wrote to memory of 2892	2840	csrss.exe	62
PID 2840 wrote to memory of 2964	2840	csrss.exe	63
PID 2840 wrote to memory of 2964	2840	csrss.exe	63
PID 2840 wrote to memory of 2964	2840	csrss.exe	63
PID 2892 wrote to memory of 2044	2892	WScript.exe	64
PID 2892 wrote to memory of 2044	2892	WScript.exe	64
PID 2892 wrote to memory of 2044	2892	WScript.exe	64
PID 2044 wrote to memory of 1944	2044	csrss.exe	65
PID 2044 wrote to memory of 1944	2044	csrss.exe	65
PID 2044 wrote to memory of 1944	2044	csrss.exe	65
PID 2044 wrote to memory of 1856	2044	csrss.exe	66
PID 2044 wrote to memory of 1856	2044	csrss.exe	66
PID 2044 wrote to memory of 1856	2044	csrss.exe	66
PID 1944 wrote to memory of 1904	1944	WScript.exe	67
PID 1944 wrote to memory of 1904	1944	WScript.exe	67
PID 1944 wrote to memory of 1904	1944	WScript.exe	67
PID 1904 wrote to memory of 1740	1904	csrss.exe	68
PID 1904 wrote to memory of 1740	1904	csrss.exe	68
PID 1904 wrote to memory of 1740	1904	csrss.exe	68
PID 1904 wrote to memory of 932	1904	csrss.exe	69
PID 1904 wrote to memory of 932	1904	csrss.exe	69
PID 1904 wrote to memory of 932	1904	csrss.exe	69
PID 1740 wrote to memory of 1900	1740	WScript.exe	70

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	410897f36809104096c8b600eb3a0444.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe
"C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\410897f36809104096c8b600eb3a0444.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\RAC\StateData\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\drmmgrtn\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\deskadp\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\KBDRU1\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\spwinsat\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
  "C:\ProgramData\Microsoft\RAC\StateData\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2380
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9253b4b8-1ca5-4c7a-9afb-648981831a17.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
      C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b69256e0-90a5-4e84-b5f3-cdabaec8c42a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5eaf92-9afb-44aa-913c-a7f75cc7bdc3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e405fdf-68e1-44d3-83c2-644e0c1c5a17.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe662d53-a071-4167-919d-3407ac706be7.vbs"
        11⤵
        
        PID:2336
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d2f4080-2966-41b8-9219-6366dd43ac56.vbs"
        13⤵
        
        PID:544
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df638cc7-5181-46ca-a918-ab814257e1f9.vbs"
        15⤵
        
        PID:2692
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7ec10a5-c912-45e4-a5f8-19a54012fcd8.vbs"
        17⤵
        
        PID:2524
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cef8c89f-554c-48f5-8f45-25ef969fe64e.vbs"
        19⤵
        
        PID:1864
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5267b4f1-9a63-40e0-b6df-3b1c7793a3ac.vbs"
        21⤵
        
        PID:2340
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        
        C:\ProgramData\Microsoft\RAC\StateData\csrss.exe
        22⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b52a0662-41cc-4938-9d8a-8db8e1751584.vbs"
        23⤵
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\362248b2-a08f-489c-b376-b799b06b1bf9.vbs"
        23⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc07fbf0-77f3-4fb6-97aa-47eab1df1fda.vbs"
        21⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\999e5310-0d36-42a7-9486-d72ac5c12ef6.vbs"
        19⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54250279-c1ae-4e85-99de-6be5bdea8658.vbs"
        17⤵
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7712ddd-f945-425a-929f-79306658635e.vbs"
        15⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22ae0656-df84-4b2e-b1bd-abde506abf70.vbs"
        13⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49194993-5993-40ae-8f95-b1a3331f2c53.vbs"
        11⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8b6113-aa01-4470-bca7-d86d1ab02b07.vbs"
        9⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b553f2-7c6b-498f-ba9c-2febecef1543.vbs"
        7⤵
        
        PID:1856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6fdcaa-9665-4e60-acf5-7257c53e0599.vbs"
        5⤵
        
        PID:2964
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1a2115-b8b5-4a33-954b-25b9a13f157c.vbs"
    3⤵
    PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\RAC\StateData\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\drmmgrtn\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\deskadp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDRU1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\spwinsat\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c1a2115-b8b5-4a33-954b-25b9a13f157c.vbs

Filesize
500B

MD5
b3bde2f236a95c43d3f3440426468fe0

SHA1
18e6b9ff05341499b053950a0cb319458c2a3095

SHA256
6b8ac886fb23ca6c3b90d3392ce5024a53b94f5db93d6257d19fb859e2950b97

SHA512
4ae07358aed32f4cce722ec1aca95910f9fcc0808f0e8d1869bd5e4056d0a8f4780dde373a8db270b2556902a22aa2b2c926ad6ff03791be892f74164297de48

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e405fdf-68e1-44d3-83c2-644e0c1c5a17.vbs

Filesize
724B

MD5
1aa7812acf36c9c8afde030cd2bee94d

SHA1
41eaf5acbb88360b06cb325264060b83d0ef3c0d

SHA256
e446b9690c29935cd471f77a1141e9a29f375162bd966eeecbce85195ee2e04f

SHA512
43a59183f586292b925f097a243764dad6c4a69c247ce69cfbdd70870689b2c6eb2327fb342d6a19e23e814e23fc2daa6266c00f3b6912cf828d4cfe1c7c6be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5267b4f1-9a63-40e0-b6df-3b1c7793a3ac.vbs

Filesize
724B

MD5
f54cb1fb1a7b6c2c6d4f91f75369950a

SHA1
76206c5daea826c44c6271b51b12244dec97efe3

SHA256
9c6e48a48f5a4ee115319f57211cadba7f9fc17f81999ab63091533ad01e7237

SHA512
79247db5a5a8a936c83761cccc3eb03721b62207fa24653b9222f591851d22d1dbf313f34ec618422e454e7a718777d5dae25c592b2ef8be14eeea86ea32dd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d5eaf92-9afb-44aa-913c-a7f75cc7bdc3.vbs

Filesize
724B

MD5
6d0d5f914dd9267c4c4cf170be5f9f4b

SHA1
4baead23d7b35bf64dbc457125a0e82832eb6a39

SHA256
8efa6478e26e2b1f4a29eb8b28be4f136f01bb4f40125ca6129e1bcb9f82fbee

SHA512
c9c86167fb3f6718a4eda03a0637bd74f9d04fb04ab64cfd68b1033bbf04e367b40109086bb73f049c1aec1fc486c374736b22549109de6c43093739c9bd69b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d2f4080-2966-41b8-9219-6366dd43ac56.vbs

Filesize
724B

MD5
7b3af5e27d8edc7119c3bf6e94062e76

SHA1
8a5127c7625e4d3d22af56c987530a41830cbf49

SHA256
1bbc87fb9e198fd34c3c1013231a7cbd1e91094194b8b4db0a71facc7d0656f3

SHA512
633ae25e41017369493fc79928bf72500a3258788c70f4f1df252a9aaadb0fa7e41e4792525e6426686c5f65f9596739bfd0f755a7d243cca64ab0e7f51aa262

Download Submit
C:\Users\Admin\AppData\Local\Temp\9253b4b8-1ca5-4c7a-9afb-648981831a17.vbs

Filesize
724B

MD5
d5075fd616e942cd80c19da8b59671fd

SHA1
48a0ac59afa57f6f6f5d3d42f15b2f8e0c8fa6ca

SHA256
9da30509d807cb792b8534f246014847cfc2a476b24b6c4a445f8ecbfeebee3f

SHA512
3598f5846bbe0b3492ade39a8f557b8abb70924c7ecc17e968f8c4fc8432300523bb6e04edcecaf5c84df7e370068ab3150c7ba8f7bbb5890007d1afa6038234

Download Submit
C:\Users\Admin\AppData\Local\Temp\b52a0662-41cc-4938-9d8a-8db8e1751584.vbs

Filesize
724B

MD5
ba739d0e39b027b03f66edffe3f7eccf

SHA1
1af72fc955f7ce6b80558b025833056f878a4e47

SHA256
006818a51e2efaf8c401775cb88f94d5d9c792dafee02e79bb80843791cf284b

SHA512
4ac3a160bb798200e19423820d259d6a0492d82d097639411b4d32adfff40ecf7e7ae23e4a88008db675d03b38a19c0422e0889d7649a7205a80b057e10e6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\b69256e0-90a5-4e84-b5f3-cdabaec8c42a.vbs

Filesize
724B

MD5
9aeafafc3a6900c86360e58929d65ffe

SHA1
c87f09f172aeb2476ae440e11ad0f36789ed5aac

SHA256
f7c9e57fafbd39f9fe5d680d981d8cae735f81aca50c2ba5d8306f7e27ff0af6

SHA512
e19f8027ae05c23f1dec3460bc288c5a9063766f124eaf6adcd3692f6b79be416d905a97af6706b2c19ca3f7aec1ef443829f415e4e396f04c682fb20a659167

Download Submit
C:\Users\Admin\AppData\Local\Temp\cef8c89f-554c-48f5-8f45-25ef969fe64e.vbs

Filesize
724B

MD5
7a0ff747e165f578e35ea406ea32cc5b

SHA1
6ca17a597572fd2c7ca8f0758a7263af09a57915

SHA256
eae0ce43e5f6db933bc79722a5170369224e71ca219d9e69a2cecfcb15c11375

SHA512
47ba4d72e4ef11a96097457e5363d63dd38963a410910afe0e713a40254dadf3414e30858eac86051e516070bd4f7ca256b4ed4d245f72f562f85c455285fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\df638cc7-5181-46ca-a918-ab814257e1f9.vbs

Filesize
724B

MD5
01c8e5d4b85559a9e645fd486eb3cc89

SHA1
b4e8ae29dd742758f50fd0a33e385f0c53435793

SHA256
98431320096d69f1112418028b23972bf924149ef95043775fd6ee062c8ca9fa

SHA512
783282e4033bcaebaf1a6536e725e332faae198cf28b8fafa4f1af1c6429cb9f325357b4b534765d74ac0b544a27daa8e2ee7829d67093d0f36ba621fb57980d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7ec10a5-c912-45e4-a5f8-19a54012fcd8.vbs

Filesize
724B

MD5
401db17f0de95b2e1ede466ccfae3683

SHA1
ef3ae7e482fd491c73817f5fd9e38f19fee4ecdb

SHA256
0c74f96c3c09e3f92ae75a4bfea2cfafbd0be23fe2303aabfa537975421f10bc

SHA512
7da33229c463668203a486cd97a636a64cb5655f77b87ca738cb70503103c85cdb9125f420cae7f5052c7a853c13bea848770ba40916d6c76b9dece4c969f454

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe662d53-a071-4167-919d-3407ac706be7.vbs

Filesize
724B

MD5
d2a0e02f2febd588f99ae6eb889b9a55

SHA1
3db603e24c71a6aa7c7ae1c207d3601205025126

SHA256
6eea268409f2a3f071beb0893d93fad6c807c2d8b6d56fcdae32131080f2563c

SHA512
21ee6299dc0d24ec3d50e140ddca37b18bea1e4224d20a4dc69f4ce327c806edcca743d5db4b157dd6ea8f560979ef5dcc4692d68a87f346fef676fefe9e42da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38c1d4a93e1aca57ee2e0ecac256f030

SHA1
444803522fcec745c562cbe1912b890221d72537

SHA256
d4cc3f14591227009bd66a8e5b402176910c3f5e1a7fc466cdbc80ecfb512873

SHA512
09ca68717e3091a0d4119adc0d63056d15232fd62300a56af48e0b28389b16524d39a0ffbbb04fc035a9ee6a3630d10bba23bfe0da6aa50282a5cff6fc7652e3

Download Submit
C:\Windows\System32\KBDRU1\spoolsv.exe

Filesize
1.1MB

MD5
410897f36809104096c8b600eb3a0444

SHA1
18e8b8e65471f7f19b3612ba93a20bd6a702e7dc

SHA256
1cf0ed57e906c3779244c8b9c1f5482db0f92e67c2055dce9fa90dc8fbef65ed

SHA512
479e8b2a06d8861f8bb1ca9d5271149408853dcccb5c93a1e7a0d72e2a01af47131cd91d50e1edbd5bc2c0edcdfdf07f56c8f6c04fd3c12edc67389cd75664d0

Download Submit
C:\Windows\System32\drmmgrtn\sppsvc.exe

Filesize
1.1MB

MD5
6b4bcca86b5052c522f3dc034facca49

SHA1
d6443dad83df9b4cafd42f0d34efd25da67df056

SHA256
149cfc7ba71926c0afdf03fe088119d6d7ac719d5f98c4495e8b7f63ed417b9e

SHA512
256b88c1fdb95dd67779131bf5364a0fc4d5bce539654d990e0cf9b2a69739e654c7bb93744fa5110cfc38580f40e19c2eeb590d1fc40f08872b3413e46f7bd7

Download Submit
C:\Windows\System32\spwinsat\RCX9F7.tmp

Filesize
1.1MB

MD5
605ce8a18c3bb46319c671e4b48472af

SHA1
26a5331a8fd86fa4b7413e98ab0080b57bad0d2a

SHA256
c12da91c17d7868cc267a86d9e6fae1169af21ada2448a07413ac6e2678e580d

SHA512
6519301c05ec06d7d0265480877960c965bce7980fc9e0654293e0a9796f7b87652b6485a8fc73794ab10f7b5ebd0fd20ade641f9d6723d7572c98c3cc14ae8b

Download Submit
memory/112-104-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/112-111-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1644-240-0x00000000010C0000-0x00000000011D4000-memory.dmp

Filesize
1.1MB

Download
memory/1688-228-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1900-193-0x0000000000370000-0x0000000000484000-memory.dmp

Filesize
1.1MB

Download
memory/2044-170-0x0000000001020000-0x0000000001134000-memory.dmp

Filesize
1.1MB

Download
memory/2380-117-0x0000000000130000-0x0000000000244000-memory.dmp

Filesize
1.1MB

Download
memory/2768-11-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2768-8-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2768-12-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2768-14-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2768-24-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-123-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-21-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2768-13-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2768-15-0x00000000020E0000-0x00000000020EA000-memory.dmp

Filesize
40KB

Download
memory/2768-1-0x0000000000810000-0x0000000000924000-memory.dmp

Filesize
1.1MB

Download
memory/2768-10-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2768-20-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2768-9-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2768-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

Filesize
4KB

Download
memory/2768-18-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2768-7-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2768-2-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-6-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2768-5-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2768-17-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2768-4-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2768-16-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2768-3-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2840-158-0x0000000000DC0000-0x0000000000ED4000-memory.dmp

Filesize
1.1MB

Download
memory/2900-263-0x0000000001120000-0x0000000001234000-memory.dmp

Filesize
1.1MB

Download
memory/2900-264-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2952-205-0x0000000000B90000-0x0000000000CA4000-memory.dmp

Filesize
1.1MB

Download