dcrat | 00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fd

Analysis

max time kernel
119s
max time network
109s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Size

4.9MB
MD5

07745c15749e227743b3a3c33f615ec0
SHA1

b2c4d5a541e26725a9d04c0b538f253834b1770c
SHA256

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fd
SHA512

34d71d6919df3b932e44dd8bea60704973519982bb3f1b57d7edcbf2bf52824213e10b2b6238b9d40ea81295ef35dbb2050e908916c23fffb90852303dcc1c0f
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2708	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2708	schtasks.exe	29

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.exe00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2300-3-0x000000001B390000-0x000000001B4BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2336	powershell.exe
2500	powershell.exe
1444	powershell.exe
796	powershell.exe
2480	powershell.exe
820	powershell.exe
2316	powershell.exe
1580	powershell.exe
1688	powershell.exe
2504	powershell.exe
2120	powershell.exe
1608	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
1528	csrss.exe
2520	csrss.exe
2396	csrss.exe
1248	csrss.exe
1608	csrss.exe
948	csrss.exe
2212	csrss.exe
1500	csrss.exe
2960	csrss.exe
2620	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 17 IoCs

Processes:

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\csrss.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXC780.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Adobe\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files (x86)\Adobe\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Adobe\ada7c004357956	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Microsoft Office\886983d96e3d3e	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Google\CrashReports\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXBCE0.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXBADD.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Microsoft Office\csrss.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Google\CrashReports\ada7c004357956	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\csrss.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXB3F6.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe

Drops file in Windows directory 16 IoCs

Processes:

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe

description	ioc	Process
File created	C:\Windows\AppPatch\Idle.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\AppPatch\6ccacd8608530f	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\f3b6ecef712a24	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\AppPatch\Idle.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\Panther\RCXC0E8.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXC4FF.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXC9F1.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\Panther\Idle.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\Panther\6ccacd8608530f	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\Panther\Idle.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\spoolsv.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\spoolsv.exe	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
File opened for modification	C:\Windows\AppPatch\RCXB668.tmp	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2104	schtasks.exe
2876	schtasks.exe
1116	schtasks.exe
2844	schtasks.exe
2880	schtasks.exe
348	schtasks.exe
840	schtasks.exe
3056	schtasks.exe
2924	schtasks.exe
1212	schtasks.exe
2660	schtasks.exe
2156	schtasks.exe
2192	schtasks.exe
2820	schtasks.exe
1980	schtasks.exe
1076	schtasks.exe
3004	schtasks.exe
2164	schtasks.exe
2720	schtasks.exe
2584	schtasks.exe
1280	schtasks.exe
1928	schtasks.exe
2748	schtasks.exe
376	schtasks.exe
920	schtasks.exe
2868	schtasks.exe
1996	schtasks.exe
2788	schtasks.exe
2580	schtasks.exe
2888	schtasks.exe
2140	schtasks.exe
2032	schtasks.exe
2640	schtasks.exe
2804	schtasks.exe
3060	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
1608	powershell.exe
1688	powershell.exe
1580	powershell.exe
2480	powershell.exe
820	powershell.exe
2336	powershell.exe
2120	powershell.exe
2504	powershell.exe
2316	powershell.exe
2500	powershell.exe
796	powershell.exe
1444	powershell.exe
1528	csrss.exe
2520	csrss.exe
2396	csrss.exe
1248	csrss.exe
1608	csrss.exe
948	csrss.exe
2212	csrss.exe
1500	csrss.exe
2960	csrss.exe
2620	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1528	csrss.exe
Token: SeDebugPrivilege	2520	csrss.exe
Token: SeDebugPrivilege	2396	csrss.exe
Token: SeDebugPrivilege	1248	csrss.exe
Token: SeDebugPrivilege	1608	csrss.exe
Token: SeDebugPrivilege	948	csrss.exe
Token: SeDebugPrivilege	2212	csrss.exe
Token: SeDebugPrivilege	1500	csrss.exe
Token: SeDebugPrivilege	2960	csrss.exe
Token: SeDebugPrivilege	2620	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.execmd.execsrss.exeWScript.execsrss.exeWScript.execsrss.exe

description	pid	Process	procid_target
PID 2300 wrote to memory of 2120	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	66
PID 2300 wrote to memory of 2120	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	66
PID 2300 wrote to memory of 2120	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	66
PID 2300 wrote to memory of 2480	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	67
PID 2300 wrote to memory of 2480	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	67
PID 2300 wrote to memory of 2480	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	67
PID 2300 wrote to memory of 796	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	68
PID 2300 wrote to memory of 796	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	68
PID 2300 wrote to memory of 796	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	68
PID 2300 wrote to memory of 1444	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	69
PID 2300 wrote to memory of 1444	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	69
PID 2300 wrote to memory of 1444	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	69
PID 2300 wrote to memory of 2500	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	71
PID 2300 wrote to memory of 2500	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	71
PID 2300 wrote to memory of 2500	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	71
PID 2300 wrote to memory of 2504	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	72
PID 2300 wrote to memory of 2504	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	72
PID 2300 wrote to memory of 2504	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	72
PID 2300 wrote to memory of 2336	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	74
PID 2300 wrote to memory of 2336	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	74
PID 2300 wrote to memory of 2336	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	74
PID 2300 wrote to memory of 1608	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	75
PID 2300 wrote to memory of 1608	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	75
PID 2300 wrote to memory of 1608	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	75
PID 2300 wrote to memory of 2316	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	77
PID 2300 wrote to memory of 2316	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	77
PID 2300 wrote to memory of 2316	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	77
PID 2300 wrote to memory of 1580	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	78
PID 2300 wrote to memory of 1580	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	78
PID 2300 wrote to memory of 1580	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	78
PID 2300 wrote to memory of 1688	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	79
PID 2300 wrote to memory of 1688	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	79
PID 2300 wrote to memory of 1688	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	79
PID 2300 wrote to memory of 820	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	81
PID 2300 wrote to memory of 820	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	81
PID 2300 wrote to memory of 820	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	81
PID 2300 wrote to memory of 1648	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	90
PID 2300 wrote to memory of 1648	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	90
PID 2300 wrote to memory of 1648	2300	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe	90
PID 1648 wrote to memory of 2364	1648	cmd.exe	92
PID 1648 wrote to memory of 2364	1648	cmd.exe	92
PID 1648 wrote to memory of 2364	1648	cmd.exe	92
PID 1648 wrote to memory of 1528	1648	cmd.exe	93
PID 1648 wrote to memory of 1528	1648	cmd.exe	93
PID 1648 wrote to memory of 1528	1648	cmd.exe	93
PID 1528 wrote to memory of 2344	1528	csrss.exe	94
PID 1528 wrote to memory of 2344	1528	csrss.exe	94
PID 1528 wrote to memory of 2344	1528	csrss.exe	94
PID 1528 wrote to memory of 1060	1528	csrss.exe	95
PID 1528 wrote to memory of 1060	1528	csrss.exe	95
PID 1528 wrote to memory of 1060	1528	csrss.exe	95
PID 2344 wrote to memory of 2520	2344	WScript.exe	96
PID 2344 wrote to memory of 2520	2344	WScript.exe	96
PID 2344 wrote to memory of 2520	2344	WScript.exe	96
PID 2520 wrote to memory of 1684	2520	csrss.exe	97
PID 2520 wrote to memory of 1684	2520	csrss.exe	97
PID 2520 wrote to memory of 1684	2520	csrss.exe	97
PID 2520 wrote to memory of 1984	2520	csrss.exe	98
PID 2520 wrote to memory of 1984	2520	csrss.exe	98
PID 2520 wrote to memory of 1984	2520	csrss.exe	98
PID 1684 wrote to memory of 2396	1684	WScript.exe	99
PID 1684 wrote to memory of 2396	1684	WScript.exe	99
PID 1684 wrote to memory of 2396	1684	WScript.exe	99
PID 2396 wrote to memory of 1116	2396	csrss.exe	100

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe
"C:\Users\Admin\AppData\Local\Temp\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1O57cI28R.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2364
- - C:\Program Files (x86)\Microsoft Office\csrss.exe
    "C:\Program Files (x86)\Microsoft Office\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a38ec3a-2e0e-45b8-a131-db5056389f29.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2520
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267c93f9-1b91-49f6-a315-cf1ef47b4603.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c79fe1-ee59-483c-9500-359e9b8ef81a.vbs"
        8⤵
        
        PID:1116
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5364914-c224-4f94-8f71-956310fa4447.vbs"
        10⤵
        
        PID:3060
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6267f37f-1d2a-41c0-a2a2-dae572c7a538.vbs"
        12⤵
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c4966cc-8112-4ef7-9aae-b125eb7170f2.vbs"
        14⤵
        
        PID:2984
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e266c614-e241-40d0-b0e8-5e059f1c02a5.vbs"
        16⤵
        
        PID:2004
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49bdbd96-9f1c-4df6-b420-a253e4d91642.vbs"
        18⤵
        
        PID:3004
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cec885b-1ad3-4e20-a6a8-c80db6e84ac3.vbs"
        20⤵
        
        PID:3060
        
        C:\Program Files (x86)\Microsoft Office\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\csrss.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01051c52-15f2-434a-bf1c-c9145e9e2798.vbs"
        22⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353e0916-8282-481e-90b3-2651cf91335c.vbs"
        22⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1115642-4179-41f3-aad4-18db38a9642c.vbs"
        20⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8e11e66-e238-43ae-8d21-aeef9bef3f42.vbs"
        18⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdf3ff43-fd5a-4581-bcfc-f78999b0c2f1.vbs"
        16⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcbccd54-2f8a-4153-b085-e668b77a0fba.vbs"
        14⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4b2bf30-bbb2-44f9-8233-f6075c6fc3a9.vbs"
        12⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd26f910-26c7-41fe-b579-88715e67d558.vbs"
        10⤵
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2953e1fa-8b09-46a1-b571-ce8ccc51f769.vbs"
        8⤵
        
        PID:2876
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6582e92d-5e51-4fd6-9979-9f2cddbf6542.vbs"
        6⤵
        
        PID:1984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7de67e6-9155-4fb6-8e78-a1e2553a2a55.vbs"
      4⤵
      PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN0" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN0" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN0" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN0" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fdN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Panther\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\csrss.exe

Filesize
4.9MB

MD5
07745c15749e227743b3a3c33f615ec0

SHA1
b2c4d5a541e26725a9d04c0b538f253834b1770c

SHA256
00e3864ad7925c7c7e234e0e5e4ca8a7ab1cf9dd3ba2ca88d8d86c225bd376fd

SHA512
34d71d6919df3b932e44dd8bea60704973519982bb3f1b57d7edcbf2bf52824213e10b2b6238b9d40ea81295ef35dbb2050e908916c23fffb90852303dcc1c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\01051c52-15f2-434a-bf1c-c9145e9e2798.vbs

Filesize
725B

MD5
37b087c0ce4d902528486074efd2d895

SHA1
1f977f8d311302deab439f7de6875f4c417a9604

SHA256
7be0a9f86a63631c5a16fe1f2e0c7c55fd6f4fd8540e5ee13b3593a16d319e67

SHA512
fe7d27659582f2b377d799426a45a40e73e75f03b1956aba0bf11e47c348823a3a8373d81ecf68fb93823a816b535012082261098b680370ef85e8bd30092685

Download Submit
C:\Users\Admin\AppData\Local\Temp\267c93f9-1b91-49f6-a315-cf1ef47b4603.vbs

Filesize
725B

MD5
c6f6b8b1c9bb6916245247cc39acd5f9

SHA1
da38e09b063f25c535ae4410bc14d5495714f370

SHA256
8446e99f5690aacb8d1a930815c870337f43cda06c6d136a904f2e1aca1807ee

SHA512
795c2ded68a34dc2ff9f16fa55bebaaf8d7cea66fc0053b74301e8248ae50257791de1d9e618193b9d62bdff60c9f45aec1f7791483ccd286cfe7f940e819f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49bdbd96-9f1c-4df6-b420-a253e4d91642.vbs

Filesize
725B

MD5
552bf6995b9e16ecf9cc55e98849f956

SHA1
8101163096da9ecc14e1f56697d6f7cec9d590c6

SHA256
40a7ef373f22a5c386036312cbbeaed8bf4e06d4c6a18f38498e4ad000a89b87

SHA512
1ec956110b3f9846e1a7313f943276b34289f23ba62975009d9b4e555739601dd3d82b3c8a643c3f2cb341bba44cbc1ba09ce158f96cdc11ab79d754be04474b

Download Submit
C:\Users\Admin\AppData\Local\Temp\51c79fe1-ee59-483c-9500-359e9b8ef81a.vbs

Filesize
725B

MD5
0d2ba2f2753ebddf16e2df0c1c712ff9

SHA1
ba4d18ce5f092f5750cedf65061091aabb344a6d

SHA256
2553e22678653c89d719ac258ce61f71c38daa6230bd907bbc1a8a598d1f8701

SHA512
d26cbf5e82ed91909fe7a50302a2d582f8cfd0ddbfcd4ca18ac97f646d340ea5f794165b62e744314b13eb3fbfd1a0b28f55a3fb888f8d0fb87e05cece8188be

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c4966cc-8112-4ef7-9aae-b125eb7170f2.vbs

Filesize
724B

MD5
f6e2ee1538808ad906cf8fed73e4c089

SHA1
fc504c092aff1326b45414af6226c5ee7f8434c7

SHA256
a670a52188a136265e61b2334d6bad8826cc6fecca018f26c1a84800a323e3db

SHA512
13c1ae150d203ccb5e9bf99de5d064ff2638625ac0a038dd6b3c3ad8c08b1812a85c67255e196f6a6677add8aad106bd325a7b58a71e39b906e2d1320365379b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6267f37f-1d2a-41c0-a2a2-dae572c7a538.vbs

Filesize
725B

MD5
ee1820a61d40dd6a28f62ffdc6254e2e

SHA1
89fc683914987d4c206f69381024dd9255a1bfc8

SHA256
f529f6e6893f0c9070323ce6c13ade4066bec303b164f95521f9bf292014d1d4

SHA512
b88e2247dd73dbe6dc3c629d3762e1ecec89b223931452c1863b7516e254a61bacd84c3cdef4df7a8325e1089aa8a56d82716426cf48d4011b3b2414184ff594

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cec885b-1ad3-4e20-a6a8-c80db6e84ac3.vbs

Filesize
725B

MD5
4eb60712515e56d856b8c8d74c1bb74c

SHA1
eeb8306e2fc06c8c3f45f8c860ff57529c004ae7

SHA256
dd51ad300896b2cd192b91670bd624c94a1f7c8445153f35a171391fbfc39281

SHA512
67fbc50c99252ce38bfe17383990dfbfda0214eeea4f950d5c6febf44dc3daf2b43c4d6f741585d022d0b6b4bddedaa644861dd062f9ec6350b6198e3871b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a38ec3a-2e0e-45b8-a131-db5056389f29.vbs

Filesize
725B

MD5
950df6f8c6184c382acd1863871a5426

SHA1
4af6aef1a4c129ea28536f9a2def09be261c9843

SHA256
ec340cdfd0dc6c7d99f0ebc0931749749274fce7a2e4d52d21c619a97aaae8e5

SHA512
7af993375fbcc2ec7d160904f59746ed7389e137c074481878c505d7bbe6297d8ae5b5b7b4db531f972d9d2f1cb5fb564fddd7229d3958b193f1a4b27c9d28e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5364914-c224-4f94-8f71-956310fa4447.vbs

Filesize
725B

MD5
daf7ee1e18a560cee56d28f9d2095e6e

SHA1
066bb9f1643d0d91559e2a2eb528891221ec898e

SHA256
298541cedaa84c38f5bda654ebd06c5eac6575f90a8d262a0c2bc2d1d4e4ff1f

SHA512
bf57cc78cc1e8a5996a609d12eaeaea557b63419a08bb93eda7416439e6e9340eeb5b35d652f0b171ccf2ce069ba1067d75d438549fd6b9bdaa607ab23221499

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7de67e6-9155-4fb6-8e78-a1e2553a2a55.vbs

Filesize
501B

MD5
e3a3365dacc81bfdf863905e1c091421

SHA1
54d998ce92b297a0556d79088c9c4b48dcd19838

SHA256
5432d89be693b0404f28527b8b923c571d880fb5bea07fa87274babf345877ea

SHA512
6031e3250847fc9aafdb7e1a01bf1df408f3b3f659f824386812f74f5829046c171b8b1e5a6f4fd21641eecb46c1eb004c60c8c0cc83978a989776885784e783

Download Submit
C:\Users\Admin\AppData\Local\Temp\e266c614-e241-40d0-b0e8-5e059f1c02a5.vbs

Filesize
725B

MD5
57a9e6e6fb516b33886f13ff54bac9f1

SHA1
17bfb440568182c3f14ac935d527c03c311b4e42

SHA256
7211cc580559a6bfac1bcfaff43e843753642912342ffd35dc6f3258ec93d55d

SHA512
58618486902e202f5b77a0f26f8593990e419e39833c442e464ed3efbba87d6fba2d13bdc98f22d87cf434a736709b844efa27a7666eca55b77f13bf5310bd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF029.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1O57cI28R.bat

Filesize
214B

MD5
371b762e9cbbf582843cfbbcdfa0ffee

SHA1
67b9f986805f1667974396f2fd9cb5ececbd2c69

SHA256
d473cbe38ee642e5198adc69eab7b7e5568b89c9060af4da9c8789c0279db6d2

SHA512
e082a1d124332dda93878be3a65b8302e80a02c649be3b9fa3cc2d1d720ed2cee6c18683625e75e68b24c60119660c9a368f4baccf442126f4961aa03904bf8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ba4f117eeb9a4da81c78b21cf0a2267

SHA1
38011e5c08313d60586258c63006c6d9ac3da040

SHA256
0b4a814c88d4ab0bdd2efa447d92387c28163cb6da741a355f83933042a7cf5d

SHA512
dd7907d4f6b6219fad2d573590f3b5c688ed1b41a218c8d78fef6d7afe1266ba25fce75832505a395e8c965a09fae6e3c9dc717d47f02f86c859cfe85a3d9df8

Download Submit
C:\Windows\Panther\RCXC0E8.tmp

Filesize
4.9MB

MD5
1f2d0864d97df8cee8fa8219ef6aa235

SHA1
0b3b6e407a3021f6c2c802f9613beabfe73f0a6a

SHA256
18c705fb930a02bf5c7d2ca11d8ed4b59a21d2bf4f060b2e94c034ffd30c32f2

SHA512
21d850d5ed9e42d81887f4f15c571cafc46c2b09b600a93b17dadd1bceb49c442b93eea6ed217b7db1fa5314fd17729111da5f6da334c488746a396cd61049f6

Download Submit
memory/1500-295-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/1528-195-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/1528-194-0x00000000008D0000-0x0000000000DC4000-memory.dmp

Filesize
5.0MB

Download
memory/1608-148-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/1688-146-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2212-280-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/2300-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2300-6-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2300-0-0x000007FEF63B3000-0x000007FEF63B4000-memory.dmp

Filesize
4KB

Download
memory/2300-131-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-12-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/2300-11-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2300-10-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/2300-1-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download
memory/2300-9-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/2300-8-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/2300-7-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2300-13-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/2300-5-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2300-14-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2300-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2300-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2300-3-0x000000001B390000-0x000000001B4BE000-memory.dmp

Filesize
1.2MB

Download
memory/2300-2-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-209-0x0000000000D70000-0x0000000001264000-memory.dmp

Filesize
5.0MB

Download
memory/2620-325-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/2960-310-0x00000000008A0000-0x0000000000D94000-memory.dmp

Filesize
5.0MB

Download