dcrat | b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825b

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Size

4.9MB
MD5

ad1d7de87e070b7b23fa84a82f1d6750
SHA1

07d20b4e486d420e7f55d397bfb35ed3f3d29870
SHA256

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825b
SHA512

25bf7a13bba459a0b19d2445f99894745485eae060b4fc39f41c5dc62112b93ffc9b9f8679d0921fb1d7566153e0ac8c81d3082c7b63f5f2d141b820d1b8d4e4
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2464	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2464	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exeb3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2384-2-0x000000001B750000-0x000000001B87E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2928	powershell.exe
2152	powershell.exe
576	powershell.exe
2500	powershell.exe
2040	powershell.exe
1772	powershell.exe
2860	powershell.exe
680	powershell.exe
2424	powershell.exe
1940	powershell.exe
2020	powershell.exe
2936	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid process

2300 csrss.exe
1964 csrss.exe
1560 csrss.exe
2012 csrss.exe
2864 csrss.exe
2340 csrss.exe
1720 csrss.exe
2420 csrss.exe
2688 csrss.exe
3000 csrss.exe

pid	process
2300	csrss.exe
1964	csrss.exe
1560	csrss.exe
2012	csrss.exe
2864	csrss.exe
2340	csrss.exe
1720	csrss.exe
2420	csrss.exe
2688	csrss.exe
3000	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exeb3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 16 IoCs

Processes:

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXDCB0.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files\Google\Chrome\1610b97d3ab4a7	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files\Internet Explorer\images\explorer.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\RCXE839.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files\Google\Chrome\OSPPSVC.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\cc11b995f2a76d	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXDF21.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\explorer.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXF1A0.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\886983d96e3d3e	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Program Files\Google\Chrome\OSPPSVC.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Program Files\Internet Explorer\images\7a0fd90576e088	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe

Drops file in Windows directory 14 IoCs

Processes:

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe

description	ioc	process
File created	C:\Windows\system\services.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\system\c5b4cb5e9653cc	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7601.17514_none_0614df8fb9269bc6\dwm.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\es-ES\RCXEF2F.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\es-ES\System.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXF614.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\es-ES\27d1bcfc3c54e0	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\system\services.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\CSC\v2.0.6\lsass.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File opened for modification	C:\Windows\system\RCXD3C6.tmp	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\es-ES\System.exe	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\886983d96e3d3e	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1532	schtasks.exe
1752	schtasks.exe
2760	schtasks.exe
3024	schtasks.exe
2592	schtasks.exe
1560	schtasks.exe
596	schtasks.exe
2872	schtasks.exe
2556	schtasks.exe
2184	schtasks.exe
2936	schtasks.exe
1916	schtasks.exe
2548	schtasks.exe
2808	schtasks.exe
2816	schtasks.exe
1724	schtasks.exe
3016	schtasks.exe
296	schtasks.exe
828	schtasks.exe
1736	schtasks.exe
1536	schtasks.exe
3052	schtasks.exe
2652	schtasks.exe
2648	schtasks.exe
2764	schtasks.exe
1144	schtasks.exe
2008	schtasks.exe
1948	schtasks.exe
664	schtasks.exe
2112	schtasks.exe
1620	schtasks.exe
2440	schtasks.exe
1852	schtasks.exe
1944	schtasks.exe
1908	schtasks.exe
2436	schtasks.exe
2032	schtasks.exe
2128	schtasks.exe
3008	schtasks.exe
2264	schtasks.exe
492	schtasks.exe
2720	schtasks.exe
1324	schtasks.exe
2400	schtasks.exe
824	schtasks.exe
2136	schtasks.exe
1812	schtasks.exe
2920	schtasks.exe
2988	schtasks.exe
2316	schtasks.exe
304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	process
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
576	powershell.exe
2860	powershell.exe
1772	powershell.exe
2424	powershell.exe
2020	powershell.exe
1940	powershell.exe
2936	powershell.exe
680	powershell.exe
2500	powershell.exe
2040	powershell.exe
2928	powershell.exe
2152	powershell.exe
2300	csrss.exe
1964	csrss.exe
1560	csrss.exe
2012	csrss.exe
2864	csrss.exe
2340	csrss.exe
1720	csrss.exe
2420	csrss.exe
2688	csrss.exe
3000	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2300	csrss.exe
Token: SeDebugPrivilege	1964	csrss.exe
Token: SeDebugPrivilege	1560	csrss.exe
Token: SeDebugPrivilege	2012	csrss.exe
Token: SeDebugPrivilege	2864	csrss.exe
Token: SeDebugPrivilege	2340	csrss.exe
Token: SeDebugPrivilege	1720	csrss.exe
Token: SeDebugPrivilege	2420	csrss.exe
Token: SeDebugPrivilege	2688	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	process	target process
PID 2384 wrote to memory of 2152	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2152	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2152	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 576	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 576	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 576	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2020	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2020	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2020	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2500	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2500	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2500	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2040	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2040	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2040	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1772	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1772	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1772	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2860	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2860	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2860	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 680	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 680	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 680	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2928	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2928	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2928	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2936	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2936	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2936	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2424	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2424	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2424	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1940	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1940	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 1940	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	powershell.exe
PID 2384 wrote to memory of 2300	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	csrss.exe
PID 2384 wrote to memory of 2300	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	csrss.exe
PID 2384 wrote to memory of 2300	2384	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe	csrss.exe
PID 2300 wrote to memory of 3056	2300	csrss.exe	WScript.exe
PID 2300 wrote to memory of 3056	2300	csrss.exe	WScript.exe
PID 2300 wrote to memory of 3056	2300	csrss.exe	WScript.exe
PID 2300 wrote to memory of 2888	2300	csrss.exe	WScript.exe
PID 2300 wrote to memory of 2888	2300	csrss.exe	WScript.exe
PID 2300 wrote to memory of 2888	2300	csrss.exe	WScript.exe
PID 3056 wrote to memory of 1964	3056	WScript.exe	csrss.exe
PID 3056 wrote to memory of 1964	3056	WScript.exe	csrss.exe
PID 3056 wrote to memory of 1964	3056	WScript.exe	csrss.exe
PID 1964 wrote to memory of 1324	1964	csrss.exe	WScript.exe
PID 1964 wrote to memory of 1324	1964	csrss.exe	WScript.exe
PID 1964 wrote to memory of 1324	1964	csrss.exe	WScript.exe
PID 1964 wrote to memory of 1536	1964	csrss.exe	WScript.exe
PID 1964 wrote to memory of 1536	1964	csrss.exe	WScript.exe
PID 1964 wrote to memory of 1536	1964	csrss.exe	WScript.exe
PID 1324 wrote to memory of 1560	1324	WScript.exe	csrss.exe
PID 1324 wrote to memory of 1560	1324	WScript.exe	csrss.exe
PID 1324 wrote to memory of 1560	1324	WScript.exe	csrss.exe
PID 1560 wrote to memory of 828	1560	csrss.exe	WScript.exe
PID 1560 wrote to memory of 828	1560	csrss.exe	WScript.exe
PID 1560 wrote to memory of 828	1560	csrss.exe	WScript.exe
PID 1560 wrote to memory of 2596	1560	csrss.exe	WScript.exe
PID 1560 wrote to memory of 2596	1560	csrss.exe	WScript.exe
PID 1560 wrote to memory of 2596	1560	csrss.exe	WScript.exe
PID 828 wrote to memory of 2012	828	WScript.exe	csrss.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.exeb3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe
"C:\Users\Admin\AppData\Local\Temp\b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825bN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194d6e34-370a-4841-bdb7-f8a2b911f708.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f21baa7b-6c86-4f70-a6d9-f2d16c4bb5c3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e5637d-92b9-49e6-9316-4b2450d6f60b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e242144-f986-4d92-a2f9-5d2e61fd0b47.vbs"
        9⤵
        
        PID:3060
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6fea62a-b807-4d53-868d-182a3a4135db.vbs"
        11⤵
        
        PID:2236
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5c6666c-b3be-4aec-9d06-42f1b1ee2980.vbs"
        13⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a87d62-eef5-42ad-be5f-8eba6e31d949.vbs"
        15⤵
        
        PID:1700
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf43849-8d68-43de-a228-56e09405f5c3.vbs"
        17⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e946738d-cdca-41db-99be-57d6e54392ef.vbs"
        19⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0baa852e-83d7-4844-870b-83b73aeeac4e.vbs"
        19⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7357803-4280-4aa6-b388-129f3404074d.vbs"
        17⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca2f8173-a61e-4c0f-b728-fc88db0e86b1.vbs"
        15⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ddde27f-ceb1-41b6-b9e5-9a31903c433e.vbs"
        13⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25060867-c68a-47eb-a5e7-859d6c149fde.vbs"
        11⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22f413d9-4a38-431e-a366-6fe144d839b0.vbs"
        9⤵
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72f9dceb-e859-4fa9-ae62-bbe5ea13abd9.vbs"
        7⤵
        
        PID:2596
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\befa6802-4265-409e-bd1f-0053ffac04b9.vbs"
        5⤵
        
        PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2776427-7343-4609-8058-f1756204c379.vbs"
    3⤵
    PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\LocalLow\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\system\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe

Filesize
4.9MB

MD5
ad1d7de87e070b7b23fa84a82f1d6750

SHA1
07d20b4e486d420e7f55d397bfb35ed3f3d29870

SHA256
b3a90d9e8f8fdeb4c68b82b47172de746edf24e28075965509231abc7d6a825b

SHA512
25bf7a13bba459a0b19d2445f99894745485eae060b4fc39f41c5dc62112b93ffc9b9f8679d0921fb1d7566153e0ac8c81d3082c7b63f5f2d141b820d1b8d4e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\csrss.exe

Filesize
4.9MB

MD5
25a311461e8333a2b2d44f9664bb7fa8

SHA1
31379923356a745d42eec2c3899179880f92eaaf

SHA256
08156b15e7efe5aadc5a34a23da51fb8ea2568c995f527e081be83d211901c34

SHA512
2198c9bc4c958e01f6a0ad71beb7ca99db187160dc81a6211c2441447d03614ebf92fe4e5e097b6491961801fd2300ab2d9867ca905577ffc658747962e24263

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\RCXEAAA.tmp

Filesize
4.9MB

MD5
6ca604059443ad1c4a2cb607b75c3549

SHA1
a316fb5a0f07bbb4f1493edd13f964dda703f6c3

SHA256
bc7ad26e1ee57039ae74dbf583a2fe9442568c70bf6652d6bf8da9c217de92f6

SHA512
e3b6f4493b9a5b87d8de0566ab1556c1fcdc7b53274f4cc7c5a8f1755d3ebe70ae69e7fe227dc6faf776086fdc42c716cec34e12b474c36880d3170bbab21c0c

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe

Filesize
4.9MB

MD5
f4653750364a2000b34ae04acc9776eb

SHA1
97f235068c05a9d63cdf7942475d59b0b1509c3e

SHA256
2ead5be3eda4cdd2d97897227889d76217bbab202964cea3677da0991f7a3b01

SHA512
33ca8ce23974bcaad18af196fc234cd7bd0207ee4324cc1f0116bbdecafbd9c036e3aca4a2797a76c559cb6214370fee6c3aeb9ceef913bd07ee0f4c25196c02

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe

Filesize
4.9MB

MD5
c2b46879086d5c2839adc46aca386be7

SHA1
7e78a10381fc82b81f16a6567dc142294c31192f

SHA256
5a549d22ab88e23a9feaaa3c62d564409a5e8be701e5b301e293e2a1bdd2e554

SHA512
f0d5b0eb375cf5251a503047248cc35afff23eef80b67c263c91a78fff354ff704b08b2237863ec3d556b7b11e9ee06d316561ef4f6bd59a5489738686748356

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cf43849-8d68-43de-a228-56e09405f5c3.vbs

Filesize
740B

MD5
c76289775bdc4fb145076506a61e2b68

SHA1
bc888014d6dd030a6bf9951cfd9e3d7e2aad0bc1

SHA256
d28700a6c9dab58d6fc7a47ac76b5952d45724c9745973d7f240073a9c49a6e8

SHA512
1c5f42a805231f0a1757b49d77ad910b4949dafc56b0c6457e1f908ac56f04243de9ede791ad6f10545febe5686a2bfcb47e1e5ba51ffa3e2749d98e3846db7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\194d6e34-370a-4841-bdb7-f8a2b911f708.vbs

Filesize
740B

MD5
93cded103b2e840e32810c5763ab7e6b

SHA1
613a1c258e49804c82f8baf64524c751373f1ed6

SHA256
65225130e86d0bafe484ef43eac8e6e1b9fc5acf10c8d630286c68daec797ca9

SHA512
012ef9244c51b9043c9548d2e7c95c26ee68abe86d266ad5207a5b46e592086b164dc6d7a2028692c61826d74bc95a3e7d127b7ec4141dd817baf2d89b734a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\45e5637d-92b9-49e6-9316-4b2450d6f60b.vbs

Filesize
740B

MD5
3cf2ee1767f1decac7f7b61f6f3fd5b9

SHA1
cef2bf2e8e2b850aabcd96a1a86d1680e2de8347

SHA256
f8f923be8db998ec448395e0520a52e8cad472030efe41aced6b8c5999a0370a

SHA512
20038c603ade74716ad1d8cf9e5992b9e95cd5a4d2810d77a48065624c77da55fdc4d5d77695525ecdcb72923ce5089d551ddc04797b7d729a9630130e0111ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e242144-f986-4d92-a2f9-5d2e61fd0b47.vbs

Filesize
740B

MD5
ed6b09ba6172f289e25debadf729d201

SHA1
579f8759510e6be6f5d031927fd7beaa2c51d886

SHA256
2df2a3d4f20b025f7d7a0ff2ee611dec2201fd0580e0d9c1eec2bae9668faa1c

SHA512
ce57d8fa06792a273e6015b519394ef78e130e304e9b6ead7fd13bf78baa1f63135b59c56528f53ef018d019b0e0375b13fa848484a283e66b00c121ef096517

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a87d62-eef5-42ad-be5f-8eba6e31d949.vbs

Filesize
740B

MD5
7a7b3be4f67e5f7c430756da454bbe9a

SHA1
074cb650ec42cfca4f4b63b2b8b46bfd6d19f7aa

SHA256
b73f5251f34b3b888c4992bd45437e6a769a9ecf740abd34b3c37464ae2509c8

SHA512
c1cc1351a2be52ad46f91b288335ecf452090de5e79e85fd95fa3224185b4ab40213ab1ef3871d6f17a8e8659709b75e597d2d17403d03c2ad0e6980fab0a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5c6666c-b3be-4aec-9d06-42f1b1ee2980.vbs

Filesize
740B

MD5
6c3a86128a285815148c44a86485cea0

SHA1
16533e3ecfb147dc8179a04dd6d047bba3259300

SHA256
acd6907a235361a6a647c49e9f552ad544e9e1f1769441d57804d0b67b39c318

SHA512
6cbe961ff24117efb3b2084fc7276b49e9303327b0e9dba6b8bb623ddbd3578f16acab8a7e385c71c0f5452fad15a220a9423a163e3c2f7cf2a5c3be9cba462c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2776427-7343-4609-8058-f1756204c379.vbs

Filesize
516B

MD5
1d05362587228a0b0c3f549d0f144670

SHA1
5bd90115802da568726d66c80e7fee550c714b1d

SHA256
e72815e9063fcb51be1d1854ae96ee58bad2f190aafd13759f504c055bbba92f

SHA512
9cb638004bdeed95b50f25a69402d4431bfe6a1c9da58ee6d8632122ef719b9e92aefc39488dc12f415fc503af94619b32fbbc8fc0233ba9371c68dab8fe4042

Download Submit
C:\Users\Admin\AppData\Local\Temp\e946738d-cdca-41db-99be-57d6e54392ef.vbs

Filesize
740B

MD5
dbbc4cb770eaf89df8f5e2683b4a7b33

SHA1
a24a3db68c4039d86b2f88df3346def3d3140a55

SHA256
f545063d26d71f7a1bca6d7611713e919f8cd45a74c5d2aec05b293e2ecefdd0

SHA512
7d8221a02c38739a1a43c7e893aa33ea9a2798ca1be55a8b9d9d9a2c90cb3ac9145b79785e41b92bf84f44ba59235591887987dae536af26dedc3943e1849091

Download Submit
C:\Users\Admin\AppData\Local\Temp\f21baa7b-6c86-4f70-a6d9-f2d16c4bb5c3.vbs

Filesize
740B

MD5
83e4903ffd7a079bd79301de59d6eb2f

SHA1
7a290d1cbec7401f5e591f90d7ff66622d876c56

SHA256
deaf8cd91d21c991a80bb567d0cff6c279741cb25aaadeb4f31a1cb40ca0ccb7

SHA512
8a9460e9c00def5f78901be519dd2df594069ee35e514d0e73b0fe945e9ab5530306dc3221397efe7805babde569ed16393570eebe8b3a402c13accca5b6da86

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6fea62a-b807-4d53-868d-182a3a4135db.vbs

Filesize
740B

MD5
f0072ed5d798aefdd15d31e4ede26761

SHA1
2f640159838d8f8aad969968a2e90a27f01b0ff3

SHA256
44572d6a493da4bfa4e7681d64f9a2b701860fb7091557b4a5e971e03f7752f3

SHA512
5500f1945123c9dcaa5e58895b2dc7cb69a4773a71c2905cfaa0705d2ac0908e01d507bcb178324729ec57940975beffdbdec77cd19f15a4cf7b890db9493b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
befe6adcda54dd27e155075dd5ca9b9f

SHA1
1831fe7961a94cb6f3a4fa30b1874884698fa23b

SHA256
ae74f9e04c0785d25857bbf8406e551c59d8f104bb2a37c810079d5192e137fb

SHA512
7cc496caf7af063d91af817fec7a425ca2bce7ee0ea774d0de757322aaf9f6a4323408d9616972d28c7bebdd1dc33811a193b51deb84fe90fade728378191fa9

Download Submit
memory/576-190-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/576-191-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1560-264-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/1720-323-0x0000000000040000-0x0000000000534000-memory.dmp

Filesize
5.0MB

Download
memory/1964-249-0x0000000000BB0000-0x00000000010A4000-memory.dmp

Filesize
5.0MB

Download
memory/2012-279-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/2300-234-0x0000000000AC0000-0x0000000000FB4000-memory.dmp

Filesize
5.0MB

Download
memory/2340-308-0x00000000012E0000-0x00000000017D4000-memory.dmp

Filesize
5.0MB

Download
memory/2384-8-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2384-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2384-128-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-16-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2384-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2384-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2384-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2384-11-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2384-10-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2384-7-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2384-15-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2384-6-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2384-114-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

Filesize
4KB

Download
memory/2384-5-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2384-235-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-3-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-1-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download
memory/2384-2-0x000000001B750000-0x000000001B87E000-memory.dmp

Filesize
1.2MB

Download
memory/2420-338-0x0000000000C60000-0x0000000001154000-memory.dmp

Filesize
5.0MB

Download
memory/2688-353-0x00000000003A0000-0x0000000000894000-memory.dmp

Filesize
5.0MB

Download
memory/3000-368-0x0000000000F60000-0x0000000001454000-memory.dmp

Filesize
5.0MB

Download