dcrat | f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Size

4.9MB
MD5

d23ffc0a1e7c61633ee5553fe28c8af0
SHA1

a9e6e784905bfc569f1ea5fe2f8fb15f8adad833
SHA256

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23
SHA512

47725fb3cb5dc467e2a215582565be359e1bba1b9a07278d16544fef4388c91ea958ae3139bea74e41041148dd45d528f89d94f4a5c57b9ee69169ac07324b0b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2096	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2096	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.exef4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2132-2-0x000000001B780000-0x000000001B8AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2512	powershell.exe
1252	powershell.exe
484	powershell.exe
1724	powershell.exe
1684	powershell.exe
2272	powershell.exe
1628	powershell.exe
1632	powershell.exe
2528	powershell.exe
2340	powershell.exe
1464	powershell.exe
532	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2056	csrss.exe
2288	csrss.exe
2396	csrss.exe
2476	csrss.exe
2352	csrss.exe
1508	csrss.exe
556	csrss.exe
2516	csrss.exe
2376	csrss.exe
1664	csrss.exe
1716	csrss.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.exef4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 16 IoCs

Processes:

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\6cb0b6c459d5d3	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXB512.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Common Files\System\ado\smss.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Common Files\System\ado\69ddcba757bf72	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Windows Mail\csrss.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Windows Mail\csrss.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Common Files\System\ado\RCXC222.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXD54D.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Google\Chrome\Application\dwm.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Common Files\System\ado\smss.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\taskhost.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXBDAD.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

Drops file in Windows directory 4 IoCs

Processes:

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

description	ioc	Process
File created	C:\Windows\Tasks\explorer.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File created	C:\Windows\Tasks\7a0fd90576e088	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Windows\Tasks\RCXD099.tmp	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
File opened for modification	C:\Windows\Tasks\explorer.exe	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2920	schtasks.exe
2708	schtasks.exe
872	schtasks.exe
2752	schtasks.exe
940	schtasks.exe
2204	schtasks.exe
900	schtasks.exe
2704	schtasks.exe
2316	schtasks.exe
2396	schtasks.exe
1668	schtasks.exe
1760	schtasks.exe
2796	schtasks.exe
1148	schtasks.exe
2640	schtasks.exe
1940	schtasks.exe
1720	schtasks.exe
2812	schtasks.exe
764	schtasks.exe
2100	schtasks.exe
1268	schtasks.exe
1744	schtasks.exe
2844	schtasks.exe
1060	schtasks.exe
2476	schtasks.exe
2180	schtasks.exe
2248	schtasks.exe
2288	schtasks.exe
3048	schtasks.exe
2280	schtasks.exe
2312	schtasks.exe
2332	schtasks.exe
2116	schtasks.exe
1520	schtasks.exe
1124	schtasks.exe
2428	schtasks.exe
944	schtasks.exe
2848	schtasks.exe
2808	schtasks.exe
1336	schtasks.exe
2744	schtasks.exe
2564	schtasks.exe
524	schtasks.exe
2076	schtasks.exe
1648	schtasks.exe
1816	schtasks.exe
1168	schtasks.exe
1192	schtasks.exe
2176	schtasks.exe
2440	schtasks.exe
588	schtasks.exe
2448	schtasks.exe
2784	schtasks.exe
2368	schtasks.exe
1504	schtasks.exe
3036	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
1628	powershell.exe
2528	powershell.exe
2272	powershell.exe
1684	powershell.exe
1464	powershell.exe
1252	powershell.exe
484	powershell.exe
1724	powershell.exe
2340	powershell.exe
1632	powershell.exe
2512	powershell.exe
532	powershell.exe
2056	csrss.exe
2288	csrss.exe
2396	csrss.exe
2476	csrss.exe
2352	csrss.exe
1508	csrss.exe
2516	csrss.exe
2376	csrss.exe
1664	csrss.exe
1716	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2056	csrss.exe
Token: SeDebugPrivilege	2288	csrss.exe
Token: SeDebugPrivilege	2396	csrss.exe
Token: SeDebugPrivilege	2476	csrss.exe
Token: SeDebugPrivilege	2352	csrss.exe
Token: SeDebugPrivilege	1508	csrss.exe
Token: SeDebugPrivilege	2516	csrss.exe
Token: SeDebugPrivilege	2376	csrss.exe
Token: SeDebugPrivilege	1664	csrss.exe
Token: SeDebugPrivilege	1716	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	Process	procid_target
PID 2132 wrote to memory of 1252	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	88
PID 2132 wrote to memory of 1252	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	88
PID 2132 wrote to memory of 1252	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	88
PID 2132 wrote to memory of 2528	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	89
PID 2132 wrote to memory of 2528	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	89
PID 2132 wrote to memory of 2528	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	89
PID 2132 wrote to memory of 2340	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	90
PID 2132 wrote to memory of 2340	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	90
PID 2132 wrote to memory of 2340	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	90
PID 2132 wrote to memory of 1464	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	91
PID 2132 wrote to memory of 1464	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	91
PID 2132 wrote to memory of 1464	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	91
PID 2132 wrote to memory of 484	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	92
PID 2132 wrote to memory of 484	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	92
PID 2132 wrote to memory of 484	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	92
PID 2132 wrote to memory of 2272	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	93
PID 2132 wrote to memory of 2272	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	93
PID 2132 wrote to memory of 2272	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	93
PID 2132 wrote to memory of 532	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	94
PID 2132 wrote to memory of 532	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	94
PID 2132 wrote to memory of 532	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	94
PID 2132 wrote to memory of 1724	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	98
PID 2132 wrote to memory of 1724	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	98
PID 2132 wrote to memory of 1724	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	98
PID 2132 wrote to memory of 1684	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	99
PID 2132 wrote to memory of 1684	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	99
PID 2132 wrote to memory of 1684	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	99
PID 2132 wrote to memory of 2512	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	100
PID 2132 wrote to memory of 2512	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	100
PID 2132 wrote to memory of 2512	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	100
PID 2132 wrote to memory of 1628	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	101
PID 2132 wrote to memory of 1628	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	101
PID 2132 wrote to memory of 1628	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	101
PID 2132 wrote to memory of 1632	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	102
PID 2132 wrote to memory of 1632	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	102
PID 2132 wrote to memory of 1632	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	102
PID 2132 wrote to memory of 2056	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	112
PID 2132 wrote to memory of 2056	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	112
PID 2132 wrote to memory of 2056	2132	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe	112
PID 2056 wrote to memory of 2508	2056	csrss.exe	113
PID 2056 wrote to memory of 2508	2056	csrss.exe	113
PID 2056 wrote to memory of 2508	2056	csrss.exe	113
PID 2056 wrote to memory of 1192	2056	csrss.exe	114
PID 2056 wrote to memory of 1192	2056	csrss.exe	114
PID 2056 wrote to memory of 1192	2056	csrss.exe	114
PID 2508 wrote to memory of 2288	2508	WScript.exe	115
PID 2508 wrote to memory of 2288	2508	WScript.exe	115
PID 2508 wrote to memory of 2288	2508	WScript.exe	115
PID 2288 wrote to memory of 2348	2288	csrss.exe	116
PID 2288 wrote to memory of 2348	2288	csrss.exe	116
PID 2288 wrote to memory of 2348	2288	csrss.exe	116
PID 2288 wrote to memory of 3060	2288	csrss.exe	117
PID 2288 wrote to memory of 3060	2288	csrss.exe	117
PID 2288 wrote to memory of 3060	2288	csrss.exe	117
PID 2348 wrote to memory of 2396	2348	WScript.exe	118
PID 2348 wrote to memory of 2396	2348	WScript.exe	118
PID 2348 wrote to memory of 2396	2348	WScript.exe	118
PID 2396 wrote to memory of 2428	2396	csrss.exe	119
PID 2396 wrote to memory of 2428	2396	csrss.exe	119
PID 2396 wrote to memory of 2428	2396	csrss.exe	119
PID 2396 wrote to memory of 2992	2396	csrss.exe	120
PID 2396 wrote to memory of 2992	2396	csrss.exe	120
PID 2396 wrote to memory of 2992	2396	csrss.exe	120
PID 2428 wrote to memory of 2476	2428	WScript.exe	121

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe
"C:\Users\Admin\AppData\Local\Temp\f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Users\All Users\Templates\csrss.exe
  "C:\Users\All Users\Templates\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\611cf9a7-c572-43e8-ab05-1118fab11334.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\All Users\Templates\csrss.exe
      "C:\Users\All Users\Templates\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2288
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb5e02cd-4df4-4fd5-981a-d249d9439aec.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5334eb12-4504-4750-a223-aa212fcd3c73.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4de387d-f3a7-49f7-99e6-ffc4163e798f.vbs"
        9⤵
        
        PID:1112
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f3a8f16-1041-4042-84cd-1ad2f903ccf2.vbs"
        11⤵
        
        PID:1220
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9e93a0-497f-4be2-9f88-2e06ee0dcf6d.vbs"
        13⤵
        
        PID:1708
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05d3b672-cb11-4c40-b9c8-3049755d3923.vbs"
        15⤵
        
        PID:2588
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9144e231-b451-4606-a263-4a62b3895273.vbs"
        17⤵
        
        PID:1988
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c34daf-cae2-4c04-8c96-008d8bd7c41f.vbs"
        19⤵
        
        PID:2328
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d83bc356-487b-4d17-8f42-e2c41f7b27ea.vbs"
        21⤵
        
        PID:2636
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f193adb-4ecc-4c3b-a29c-4dc3a352ae08.vbs"
        23⤵
        
        PID:764
        
        C:\Users\All Users\Templates\csrss.exe
        
        "C:\Users\All Users\Templates\csrss.exe"
        24⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42351bb-1129-45d5-9efa-5303816e4701.vbs"
        23⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e482762e-1c0c-47eb-b0fa-e7d806ad24a3.vbs"
        21⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a68f7714-74f0-4fe7-ae39-1c2e0b02456d.vbs"
        19⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94f6f54d-31b1-4757-bcf6-5eaef74f327e.vbs"
        17⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e820bb01-d893-46d3-a699-ce67b18a1ff0.vbs"
        15⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb5eed12-e224-4677-b543-5aebc42679d2.vbs"
        13⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54690531-1c0f-4527-8028-21109a65e25b.vbs"
        11⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b840ca34-1bc2-43d2-8c04-ccfccf6ea1c6.vbs"
        9⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52e5138c-85c6-4022-befc-ca53473c1596.vbs"
        7⤵
        
        PID:2992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67e99136-1de8-4623-a80f-c52c5efe0d3f.vbs"
        5⤵
        
        PID:3060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e317d47-2a2e-49cd-8c0f-9520355bc5d1.vbs"
    3⤵
    PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ado\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ado\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\ado\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\csrss.exe

Filesize
4.9MB

MD5
c5dcd6f0dd9fa22e9b33442ea8687c95

SHA1
ad4eb982a955b6de8866a533aa0bbea672016daa

SHA256
5ebab5172731d7e58fa84d56f91e37cc41e5a852c0f37d895cc591eee6f6d57c

SHA512
f7dc746ccc53c0cfb89dd2c7862eeb4882d8b389fd75736e5c5df783f2dd09aff93b9db0f98d87d4a43ab464c192dbd0e248b582dad54a9fbb4cff7ea1e7c941

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\csrss.exe

Filesize
1.1MB

MD5
7cd1b0399da56843ffb5d361717227ee

SHA1
a2ae75c176b20b97f7c396b59c4c8494558bc0fb

SHA256
408c7e03cf7c3c85258981155f91a9d68553783646271901e3d0d9305ef12cca

SHA512
162fe6c3243d95fdf2950b554f24533b89b4703e12029a6357abefb6943d3fc4da4acf7bac80f13dad868cff4d08819fe7abe95ea7e381729e90f718326c491a

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe

Filesize
4.9MB

MD5
d23ffc0a1e7c61633ee5553fe28c8af0

SHA1
a9e6e784905bfc569f1ea5fe2f8fb15f8adad833

SHA256
f4535e8f37688004a0e9b6f775da0641d361cb558b391027b94e63237e5f5d23

SHA512
47725fb3cb5dc467e2a215582565be359e1bba1b9a07278d16544fef4388c91ea958ae3139bea74e41041148dd45d528f89d94f4a5c57b9ee69169ac07324b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e317d47-2a2e-49cd-8c0f-9520355bc5d1.vbs

Filesize
490B

MD5
886f14f81f93537c7333848aa943c93e

SHA1
bee26019dd8e29ca5903e32e12fe55bce0e9c1bc

SHA256
e0369b027356afc7b408d61b2d0cbc42ef8c0fdddb041bd5645a87265718cada

SHA512
0c15d5852e9d941eb0eea6b3816c7dd23389380897dbd8b7a1e531b48b52d4287c67e628dbee2380199a1276a15f867f51203d82b89a773044e1c46302f7aa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f3a8f16-1041-4042-84cd-1ad2f903ccf2.vbs

Filesize
714B

MD5
7cab26c211626895d4b6ec2e22126cf5

SHA1
6a547b9ce35a53963c2d9ea097ee3c746756c1f2

SHA256
dfcfc4b3857409d45a347976fe849f588044f4061a0d2e6fb324674ea0586af8

SHA512
6a8ae8bca1e4693c59c3d29ccef9b365e084a1f33d5ea2ca19e4859cc7ba08f1760073eb863f50789a8cae689431079dfa2fcfe20d879df5a488d453e78557f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\495ed7a571ccf08ae8b9f094a66930378fbbab46.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c34daf-cae2-4c04-8c96-008d8bd7c41f.vbs

Filesize
714B

MD5
7670321e9718aaea841907161bea61da

SHA1
18f2885f8e42a5752697da60f6a819e78053406e

SHA256
a984af9e466cbc0f07ce5328465d5a8e70183949a3ee33d29b92fd29f4138854

SHA512
1bfb79906952585fa8792758b9d113455ba43e6af2d3756ae7bdf77512fddc58cef21611a8c6b5822ca9353756d3bd828978df00de5573dbfb2f6981d20f49db

Download Submit
C:\Users\Admin\AppData\Local\Temp\5334eb12-4504-4750-a223-aa212fcd3c73.vbs

Filesize
714B

MD5
eb1bae72c943bd00fc7665a524a851b9

SHA1
e5b74028bb77ff0068cb94f37b0525c6af202004

SHA256
8d9579408ab0a7534df9cdc29432dc2df0aca34eba42bf791670354411770972

SHA512
b07425a67bdf1adec1b43c27ddda3cb3a4acd18faac162660ff2abd1174731d49bd790bb471c7a2acb74b4d25a086a3b6bd21e82419affda2487f60091513592

Download Submit
C:\Users\Admin\AppData\Local\Temp\611cf9a7-c572-43e8-ab05-1118fab11334.vbs

Filesize
714B

MD5
1bfae4c064b64d8b96ec69004d07582e

SHA1
99f3069e75030c1ee48533e296654b4ce1ec305d

SHA256
a25e0fb69cbe51cdd757ff9353ecec24fe9c12f8a52835270992e78bf96836d4

SHA512
5b954e90f12ab104e44d2d3dffa3db28d60fe78c214afe9642e3eb58c97f263a782467777d1af44625f3bb77815e624ae3c5752b98972e4d2a3a49b8911d4fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f193adb-4ecc-4c3b-a29c-4dc3a352ae08.vbs

Filesize
714B

MD5
93eef554943eb428d3c0f50b29ad3170

SHA1
f5d2f4d90f30aef749e0e125388b52e341736ba5

SHA256
8b8137db9bd5a8b08749bde802ee420d55913c7efe1c895375207e767d628122

SHA512
3797059873ae95888755ceb733e4e84be23dfda91ea9f3e6a1b005c8bd5b279884e48bba22bf0ce5b15075bf116c45e7a63d6f2178478c9c60376b1f9fde8567

Download Submit
C:\Users\Admin\AppData\Local\Temp\9144e231-b451-4606-a263-4a62b3895273.vbs

Filesize
714B

MD5
8eb43d461d7dc4c68cb625887bfee843

SHA1
c069403f5e44867790ae0fc9ce55a877b9ce7e8b

SHA256
492ec423098f8abdee1930f1a2f657632284afbdc30e3da45779fe279df74124

SHA512
67a00d032b901baef8e92ab57909774755f48cff5139137bf8d2f6f4c06bd5c188d2559c464fb0917ffd3dfd99e9e8257b4a2154249ffb03e538ff67da2c1a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\d83bc356-487b-4d17-8f42-e2c41f7b27ea.vbs

Filesize
714B

MD5
13bed220bcb998fdf9d211fde591cca2

SHA1
a0a5b35c6f5d66752e4ac11891777d3149fe759c

SHA256
ba371857e467d7963dfcb38ec5d2d56d2efd40ca5df4663f71adab1e10795068

SHA512
b93b3cadeecbaac82cb7e94ee0826fbda4fdf98abf92e18202b73495d3143d1a6a0e40fe6c5209a4d0be9ad640afa0a410d01a9b6fff7de6a1efe07ba347b19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4de387d-f3a7-49f7-99e6-ffc4163e798f.vbs

Filesize
714B

MD5
158799de10a50b9a33c14fecd38b30f3

SHA1
b895ad5e05d7026209535a0c756b2de27fb14338

SHA256
fedc9e0babb721de5a6d9eba2a30c55663377066d003f64510ea96b6a8b6f168

SHA512
31e5a92b39fdf4b82e1666bb6c63104a680f5fb8a92982794a5ef7939ce6f0c3d48159141abb5ea9609b958dce5a8dacd4d3e835fb7ded5c12fb501bb41f7a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb5e02cd-4df4-4fd5-981a-d249d9439aec.vbs

Filesize
714B

MD5
3b1118a86655f8fc8309534a24dfd0e1

SHA1
77dbe918389b57775077d9d60ac4a876c65bb00e

SHA256
93fe3d166239ae5e2aa08ad929ad407c80b43a83395722feed4d2d0bd2aba453

SHA512
d09298c0140c3336eb24585e867a5a1176e61fbb2a31704499b82e253d3bb6d1a7ba21ce4e52e98a5209828b02a82358b970f0bb4cae594499ee205c7c641ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9e93a0-497f-4be2-9f88-2e06ee0dcf6d.vbs

Filesize
714B

MD5
8477c4d9dd9c428ca990011ce1425c5f

SHA1
6d3d23152ae726347d0abafc362cb409f0b5c6a7

SHA256
87b68e3ba76ab3c27684447299cc6cf54c0390f0123d8cc3c9a3f8ffdc7c2d0a

SHA512
1880549ac22897604b7328c34e27fa9a0f9422208e6faa165a84ed81c0bd5fbc9df759f2fbc592e3e5e5112c877f2f96d967ed7456434e623f29c8a755457160

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF670.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
023d553dbb81f828f2b085d73dea4e93

SHA1
41527876e63267d9602d6568ec00020ddf7f1a38

SHA256
8980aa8911fe703076b23902354509ce3c353a9e757b9c3882364af05b368de1

SHA512
58920ec35da4e072318d68d50a1080aadcad38dca0a4e20ae40cbb52664414cbe66bbb57feb3f3aa623ea34de8e86190c0fe84bc97b7ab41335f283de1cfaea5

Download Submit
C:\Windows\Tasks\RCXD099.tmp

Filesize
4.9MB

MD5
c3eb454e95baf1c507df5898087d0fb6

SHA1
b14f55a0e999e3d48f2a05c6c83bb746535ba914

SHA256
220f10bf7e5b8e277047311fd8702b805d5aaceea2f814ccca74ccda1f87b22c

SHA512
f3aa6425dd5e69da79f268e6a5dc9d1b76024c21b8fdb71d82cc1936909593297c8f65916539b9d7cb4ab8f30d1f28bfd5ae013a176979258ff0c4da7dba6f13

Download Submit
memory/1508-334-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1664-379-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1684-255-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1716-394-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2056-261-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/2056-259-0x0000000000A60000-0x0000000000F54000-memory.dmp

Filesize
5.0MB

Download
memory/2132-12-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2132-5-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2132-260-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-124-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-109-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2132-16-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2132-15-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2132-1-0x0000000001050000-0x0000000001544000-memory.dmp

Filesize
5.0MB

Download
memory/2132-2-0x000000001B780000-0x000000001B8AE000-memory.dmp

Filesize
1.2MB

Download
memory/2132-14-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2132-3-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-13-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2132-4-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2132-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2132-11-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2132-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2132-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2132-8-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2132-7-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2132-6-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2288-276-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2288-275-0x0000000000EB0000-0x00000000013A4000-memory.dmp

Filesize
5.0MB

Download
memory/2396-291-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2476-306-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2528-256-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download