dcrat | 47efd687dcfd8b5db64bfa28f8d5479bca12c000d2a50d054698055bb4497028

Processes:

Hypercrt.exeHypercrt.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

DCRat payload 28 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x002800000004514e-13.dat	dcrat
behavioral1/memory/4352-16-0x00000000004E0000-0x00000000007C0000-memory.dmp	dcrat
behavioral1/files/0x002a0000000451dd-74.dat	dcrat
behavioral1/files/0x002a00000004516d-82.dat	dcrat
behavioral1/files/0x002d00000004518f-98.dat	dcrat
behavioral1/files/0x00290000000451ef-106.dat	dcrat
behavioral1/files/0x00280000000451f2-114.dat	dcrat
behavioral1/files/0x002b0000000451a6-122.dat	dcrat
behavioral1/files/0x002a0000000451b3-130.dat	dcrat
behavioral1/files/0x002b0000000451b6-145.dat	dcrat
behavioral1/files/0x002a0000000451be-154.dat	dcrat
behavioral1/files/0x002a0000000451c7-170.dat	dcrat
behavioral1/files/0x002a0000000451cb-178.dat	dcrat
behavioral1/files/0x00290000000451d2-185.dat	dcrat
behavioral1/files/0x00290000000451d5-192.dat	dcrat
behavioral1/files/0x00290000000451d9-198.dat	dcrat
behavioral1/memory/3956-1679-0x00000000001B0000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/5216-1688-0x0000000000CB0000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/312-1697-0x00000000006F0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/6708-1705-0x0000000000FD0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/4476-1706-0x0000000000530000-0x0000000000810000-memory.dmp	dcrat
behavioral1/memory/2320-1715-0x0000000000620000-0x0000000000900000-memory.dmp	dcrat
behavioral1/memory/3152-1729-0x0000000000570000-0x0000000000850000-memory.dmp	dcrat
behavioral1/memory/3372-1738-0x0000000000900000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/5252-1746-0x0000000000810000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/6260-1747-0x0000000000480000-0x0000000000760000-memory.dmp	dcrat
behavioral1/memory/2820-1757-0x0000000000780000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/4532-1758-0x0000000000A20000-0x0000000000D00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4084	powershell.exe
2680	powershell.exe
6992	powershell.exe
6976	powershell.exe
6968	powershell.exe
2936	powershell.exe
1676	powershell.exe
2068	powershell.exe
4504	powershell.exe
1412	powershell.exe
480	powershell.exe
552	powershell.exe
1744	powershell.exe
2220	powershell.exe
4980	powershell.exe
4016	powershell.exe
3492	powershell.exe
780	powershell.exe
2080	powershell.exe
6960	powershell.exe
7000	powershell.exe
7008	powershell.exe
4968	powershell.exe
4824	powershell.exe
2192	powershell.exe
6952	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

Processes:

Hypercrt.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Hypercrt.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

DCRatBuild.exeWScript.exeHypercrt.exeHypercrt.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Hypercrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Hypercrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 61 IoCs

Processes:

Hypercrt.exeHypercrt.execsrss.execsrss.exesysmon.exeWmiPrvSE.exeSIHClient.exeHypercrt.exeStartMenuExperienceHost.exeTrustedInstaller.exeupfc.exedwm.execsrss.exesysmon.exelsass.exeMoUsoCoreWorker.exeWmiPrvSE.exeSIHClient.exeHypercrt.exesmss.exeOfficeClickToRun.exeRegistry.exebackgroundTaskHost.exeStartMenuExperienceHost.exeservices.exeRuntimeBroker.execmd.execsrss.exesysmon.exeTrustedInstaller.exeupfc.exeWmiPrvSE.exeSIHClient.exeHypercrt.exedwm.execsrss.exesysmon.exeStartMenuExperienceHost.exelsass.exeMoUsoCoreWorker.exesmss.exeTrustedInstaller.exeWmiPrvSE.exeupfc.exeSIHClient.exeHypercrt.execsrss.exesysmon.exeOfficeClickToRun.exeRegistry.exebackgroundTaskHost.exedwm.exeservices.exeRuntimeBroker.execmd.exeStartMenuExperienceHost.exeWmiPrvSE.exeSIHClient.execsrss.exeHypercrt.exesysmon.exe

pid	Process
4352	Hypercrt.exe
6484	Hypercrt.exe
3296	csrss.exe
5356	csrss.exe
3956	sysmon.exe
1992	WmiPrvSE.exe
5508	SIHClient.exe
5216	Hypercrt.exe
312	StartMenuExperienceHost.exe
6708	TrustedInstaller.exe
4476	upfc.exe
2320	dwm.exe
1816	csrss.exe
6988	sysmon.exe
3152	lsass.exe
6096	MoUsoCoreWorker.exe
6556	WmiPrvSE.exe
6780	SIHClient.exe
3404	Hypercrt.exe
3372	smss.exe
5252	OfficeClickToRun.exe
6548	Registry.exe
6260	backgroundTaskHost.exe
6044	StartMenuExperienceHost.exe
2820	services.exe
4580	RuntimeBroker.exe
4532	cmd.exe
6348	csrss.exe
6212	sysmon.exe
2324	TrustedInstaller.exe
2052	upfc.exe
3128	WmiPrvSE.exe
6504	SIHClient.exe
3876	Hypercrt.exe
188	dwm.exe
3660	csrss.exe
116	sysmon.exe
6112	StartMenuExperienceHost.exe
4556	lsass.exe
1028	MoUsoCoreWorker.exe
4764	smss.exe
5368	TrustedInstaller.exe
532	WmiPrvSE.exe
1776	upfc.exe
5664	SIHClient.exe
6176	Hypercrt.exe
6696	csrss.exe
7124	sysmon.exe
4584	OfficeClickToRun.exe
7004	Registry.exe
5728	backgroundTaskHost.exe
6568	dwm.exe
4824	services.exe
2080	RuntimeBroker.exe
6860	cmd.exe
1672	StartMenuExperienceHost.exe
5064	WmiPrvSE.exe
2828	SIHClient.exe
4580	csrss.exe
5672	Hypercrt.exe
1116	sysmon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

Hypercrt.execsrss.exeHypercrt.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe

Drops file in Program Files directory 38 IoCs

Processes:

Hypercrt.exeHypercrt.exesetup.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe	Hypercrt.exe
File created	C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe	Hypercrt.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\6203df4a6bafc7	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXE1AB.tmp	Hypercrt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXF0DA.tmp	Hypercrt.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX422.tmp	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe	Hypercrt.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE44D.tmp	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE4CB.tmp	Hypercrt.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX9D3.tmp	Hypercrt.exe
File created	C:\Program Files\Windows Portable Devices\TrustedInstaller.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXF168.tmp	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\Registry.exe	Hypercrt.exe
File created	C:\Program Files (x86)\Google\Update\9e8d7a4ca61bd9	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe	Hypercrt.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8193814b-ff4a-43c2-ada8-51920061a078.tmp	setup.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXA42.tmp	Hypercrt.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	Hypercrt.exe
File created	C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe	Hypercrt.exe
File created	C:\Program Files\Windows Portable Devices\04c1e7795967e4	Hypercrt.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX722.tmp	Hypercrt.exe
File created	C:\Program Files (x86)\Internet Explorer\24dbde2999530e	Hypercrt.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ee2ad38f3d4382	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241103001615.pma	setup.exe
File created	C:\Program Files\Mozilla Firefox\55b276f4edf653	Hypercrt.exe
File created	C:\Program Files\Microsoft Office\Office16\04c1e7795967e4	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXE249.tmp	Hypercrt.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX7CF.tmp	Hypercrt.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Registry.exe	Hypercrt.exe
File created	C:\Program Files (x86)\Google\Update\RuntimeBroker.exe	Hypercrt.exe
File created	C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe	Hypercrt.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX4A0.tmp	Hypercrt.exe
File opened for modification	C:\Program Files\Windows Portable Devices\TrustedInstaller.exe	Hypercrt.exe

Drops file in Windows directory 26 IoCs

Processes:

Hypercrt.exechrome.exe

description	ioc	Process
File created	C:\Windows\SKB\services.exe	Hypercrt.exe
File created	C:\Windows\Panther\UnattendGC\smss.exe	Hypercrt.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe	Hypercrt.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXFEE0.tmp	Hypercrt.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\e6c9b481da804f	Hypercrt.exe
File opened for modification	C:\Windows\SKB\services.exe	Hypercrt.exe
File opened for modification	C:\Windows\ShellComponents\dwm.exe	Hypercrt.exe
File created	C:\Windows\ShellComponents\dwm.exe	Hypercrt.exe
File created	C:\Windows\ShellComponents\6cb0b6c459d5d3	Hypercrt.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe	Hypercrt.exe
File created	C:\Windows\Panther\UnattendGC\69ddcba757bf72	Hypercrt.exe
File opened for modification	C:\Windows\SKB\RCXDC39.tmp	Hypercrt.exe
File created	C:\Windows\SKB\c5b4cb5e9653cc	Hypercrt.exe
File created	C:\Windows\twain_32\csrss.exe	Hypercrt.exe
File created	C:\Windows\twain_32\886983d96e3d3e	Hypercrt.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXFE13.tmp	Hypercrt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\smss.exe	Hypercrt.exe
File opened for modification	C:\Windows\twain_32\RCXDEBB.tmp	Hypercrt.exe
File opened for modification	C:\Windows\twain_32\csrss.exe	Hypercrt.exe
File opened for modification	C:\Windows\ShellComponents\RCXFB91.tmp	Hypercrt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXF4.tmp	Hypercrt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX1A1.tmp	Hypercrt.exe
File opened for modification	C:\Windows\SKB\RCXDCB7.tmp	Hypercrt.exe
File opened for modification	C:\Windows\twain_32\RCXDF49.tmp	Hypercrt.exe
File opened for modification	C:\Windows\ShellComponents\RCXFC0F.tmp	Hypercrt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DCRatBuild.exeWScript.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

Processes:

msedge.exechrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133750665976647758"	chrome.exe

Modifies registry class 5 IoCs

Processes:

Hypercrt.exeHypercrt.execsrss.exechrome.exeDCRatBuild.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	Hypercrt.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	Hypercrt.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{00B6CB2D-095C-4B44-B63B-443257583FA8}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	DCRatBuild.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

Processes:

reg.exe

pid	Process
5200	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

pid	Process
6692	schtasks.exe
6724	schtasks.exe
6812	schtasks.exe
6864	schtasks.exe
2532	schtasks.exe
4980	schtasks.exe
1152	schtasks.exe
6776	schtasks.exe
6848	schtasks.exe
3144	schtasks.exe
1312	schtasks.exe
6704	schtasks.exe
1668	schtasks.exe
2072	schtasks.exe
6656	schtasks.exe
3296	schtasks.exe
2168	schtasks.exe
2264	schtasks.exe
3428	schtasks.exe
3436	schtasks.exe
4592	schtasks.exe
2184	schtasks.exe
4876	schtasks.exe
4868	schtasks.exe
6876	schtasks.exe
4728	schtasks.exe
4716	schtasks.exe
4896	schtasks.exe
1204	schtasks.exe
4840	schtasks.exe
6796	schtasks.exe
6916	schtasks.exe
6928	schtasks.exe
2376	schtasks.exe
5032	schtasks.exe
1224	schtasks.exe
1936	schtasks.exe
4420	schtasks.exe
3556	schtasks.exe
2420	schtasks.exe
1664	schtasks.exe
1980	schtasks.exe
1896	schtasks.exe
2824	schtasks.exe
2828	schtasks.exe
6760	schtasks.exe
772	schtasks.exe
2016	schtasks.exe
4888	schtasks.exe
2120	schtasks.exe
2192	schtasks.exe
348	schtasks.exe
860	schtasks.exe
3372	schtasks.exe
6744	schtasks.exe
3760	schtasks.exe
1352	schtasks.exe
4684	schtasks.exe
3044	schtasks.exe
6640	schtasks.exe
6828	schtasks.exe
3592	schtasks.exe
1284	schtasks.exe
1864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Hypercrt.exe

pid	Process
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe
4352	Hypercrt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
3296	csrss.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exechrome.exe

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Hypercrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4352	Hypercrt.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeIncreaseQuotaPrivilege	2192	powershell.exe
Token: SeSecurityPrivilege	2192	powershell.exe
Token: SeTakeOwnershipPrivilege	2192	powershell.exe
Token: SeLoadDriverPrivilege	2192	powershell.exe
Token: SeSystemProfilePrivilege	2192	powershell.exe
Token: SeSystemtimePrivilege	2192	powershell.exe
Token: SeProfSingleProcessPrivilege	2192	powershell.exe
Token: SeIncBasePriorityPrivilege	2192	powershell.exe
Token: SeCreatePagefilePrivilege	2192	powershell.exe
Token: SeBackupPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeSystemEnvironmentPrivilege	2192	powershell.exe
Token: SeRemoteShutdownPrivilege	2192	powershell.exe
Token: SeUndockPrivilege	2192	powershell.exe
Token: SeManageVolumePrivilege	2192	powershell.exe
Token: 33	2192	powershell.exe
Token: 34	2192	powershell.exe
Token: 35	2192	powershell.exe
Token: 36	2192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1412	powershell.exe
Token: SeSecurityPrivilege	1412	powershell.exe
Token: SeTakeOwnershipPrivilege	1412	powershell.exe
Token: SeLoadDriverPrivilege	1412	powershell.exe
Token: SeSystemProfilePrivilege	1412	powershell.exe
Token: SeSystemtimePrivilege	1412	powershell.exe
Token: SeProfSingleProcessPrivilege	1412	powershell.exe
Token: SeIncBasePriorityPrivilege	1412	powershell.exe
Token: SeCreatePagefilePrivilege	1412	powershell.exe
Token: SeBackupPrivilege	1412	powershell.exe
Token: SeRestorePrivilege	1412	powershell.exe
Token: SeShutdownPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeSystemEnvironmentPrivilege	1412	powershell.exe
Token: SeRemoteShutdownPrivilege	1412	powershell.exe
Token: SeUndockPrivilege	1412	powershell.exe
Token: SeManageVolumePrivilege	1412	powershell.exe
Token: 33	1412	powershell.exe
Token: 34	1412	powershell.exe
Token: 35	1412	powershell.exe
Token: 36	1412	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	powershell.exe
Token: SeSecurityPrivilege	2220	powershell.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

msedge.exechrome.exe

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid	Process
3296	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DCRatBuild.exeWScript.execmd.exeHypercrt.execmd.exeHypercrt.exe

description	pid	Process	procid_target
PID 3988 wrote to memory of 3700	3988	DCRatBuild.exe	82
PID 3988 wrote to memory of 3700	3988	DCRatBuild.exe	82
PID 3988 wrote to memory of 3700	3988	DCRatBuild.exe	82
PID 3700 wrote to memory of 3248	3700	WScript.exe	89
PID 3700 wrote to memory of 3248	3700	WScript.exe	89
PID 3700 wrote to memory of 3248	3700	WScript.exe	89
PID 3248 wrote to memory of 4352	3248	cmd.exe	91
PID 3248 wrote to memory of 4352	3248	cmd.exe	91
PID 4352 wrote to memory of 2220	4352	Hypercrt.exe	148
PID 4352 wrote to memory of 2220	4352	Hypercrt.exe	148
PID 4352 wrote to memory of 4980	4352	Hypercrt.exe	149
PID 4352 wrote to memory of 4980	4352	Hypercrt.exe	149
PID 4352 wrote to memory of 2936	4352	Hypercrt.exe	150
PID 4352 wrote to memory of 2936	4352	Hypercrt.exe	150
PID 4352 wrote to memory of 1676	4352	Hypercrt.exe	151
PID 4352 wrote to memory of 1676	4352	Hypercrt.exe	151
PID 4352 wrote to memory of 4968	4352	Hypercrt.exe	152
PID 4352 wrote to memory of 4968	4352	Hypercrt.exe	152
PID 4352 wrote to memory of 2680	4352	Hypercrt.exe	153
PID 4352 wrote to memory of 2680	4352	Hypercrt.exe	153
PID 4352 wrote to memory of 2192	4352	Hypercrt.exe	154
PID 4352 wrote to memory of 2192	4352	Hypercrt.exe	154
PID 4352 wrote to memory of 2080	4352	Hypercrt.exe	155
PID 4352 wrote to memory of 2080	4352	Hypercrt.exe	155
PID 4352 wrote to memory of 780	4352	Hypercrt.exe	156
PID 4352 wrote to memory of 780	4352	Hypercrt.exe	156
PID 4352 wrote to memory of 1744	4352	Hypercrt.exe	157
PID 4352 wrote to memory of 1744	4352	Hypercrt.exe	157
PID 4352 wrote to memory of 552	4352	Hypercrt.exe	159
PID 4352 wrote to memory of 552	4352	Hypercrt.exe	159
PID 4352 wrote to memory of 480	4352	Hypercrt.exe	160
PID 4352 wrote to memory of 480	4352	Hypercrt.exe	160
PID 4352 wrote to memory of 4504	4352	Hypercrt.exe	161
PID 4352 wrote to memory of 4504	4352	Hypercrt.exe	161
PID 4352 wrote to memory of 1412	4352	Hypercrt.exe	162
PID 4352 wrote to memory of 1412	4352	Hypercrt.exe	162
PID 4352 wrote to memory of 2068	4352	Hypercrt.exe	164
PID 4352 wrote to memory of 2068	4352	Hypercrt.exe	164
PID 4352 wrote to memory of 3492	4352	Hypercrt.exe	165
PID 4352 wrote to memory of 3492	4352	Hypercrt.exe	165
PID 4352 wrote to memory of 4016	4352	Hypercrt.exe	166
PID 4352 wrote to memory of 4016	4352	Hypercrt.exe	166
PID 4352 wrote to memory of 4084	4352	Hypercrt.exe	168
PID 4352 wrote to memory of 4084	4352	Hypercrt.exe	168
PID 4352 wrote to memory of 4824	4352	Hypercrt.exe	170
PID 4352 wrote to memory of 4824	4352	Hypercrt.exe	170
PID 4352 wrote to memory of 3780	4352	Hypercrt.exe	186
PID 4352 wrote to memory of 3780	4352	Hypercrt.exe	186
PID 3248 wrote to memory of 5200	3248	cmd.exe	188
PID 3248 wrote to memory of 5200	3248	cmd.exe	188
PID 3248 wrote to memory of 5200	3248	cmd.exe	188
PID 3780 wrote to memory of 3372	3780	cmd.exe	189
PID 3780 wrote to memory of 3372	3780	cmd.exe	189
PID 3780 wrote to memory of 6484	3780	cmd.exe	192
PID 3780 wrote to memory of 6484	3780	cmd.exe	192
PID 6484 wrote to memory of 6952	6484	Hypercrt.exe	211
PID 6484 wrote to memory of 6952	6484	Hypercrt.exe	211
PID 6484 wrote to memory of 6960	6484	Hypercrt.exe	212
PID 6484 wrote to memory of 6960	6484	Hypercrt.exe	212
PID 6484 wrote to memory of 6968	6484	Hypercrt.exe	213
PID 6484 wrote to memory of 6968	6484	Hypercrt.exe	213
PID 6484 wrote to memory of 6976	6484	Hypercrt.exe	214
PID 6484 wrote to memory of 6976	6484	Hypercrt.exe	214
PID 6484 wrote to memory of 6992	6484	Hypercrt.exe	216

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

Processes:

Hypercrt.execsrss.exeHypercrt.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hypercrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hypercrt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\fTW5Cfa.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\LkL7XpzTkTxOpTXQEbFconA3K.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe
      "C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe"
      4⤵
      UAC bypass
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Hypercrt.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GYd6S0swS9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3372
      - C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe
        
        "C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chainfontbrokerperf\Hypercrt.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\MoUsoCoreWorker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\SIHClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BKPOrigTy.bat"
        7⤵
        
        PID:6260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5492
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9195c050-9b0e-4cd8-ad60-aa9d5bc017f2.vbs"
        9⤵
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17564583-8c2b-4aae-9196-17a10ed15c78.vbs"
        9⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13957/
        9⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x104,0x130,0x7ffbf98746f8,0x7ffbf9874708,0x7ffbf9874718
        10⤵
        
        PID:5140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        10⤵
        
        PID:6252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        10⤵
        
        PID:5668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        10⤵
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        10⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        10⤵
        
        PID:3904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
        10⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
        10⤵
        
        PID:3504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
        10⤵
        
        PID:3592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        10⤵
        Drops file in Program Files directory
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7f64e5460,0x7ff7f64e5470,0x7ff7f64e5480
        11⤵
        
        PID:6040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
        10⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
        10⤵
        
        PID:6180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
        10⤵
        
        PID:6444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        10⤵
        
        PID:6816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
        10⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
        10⤵
        
        PID:6944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10655418769286267988,17405766324686804099,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
        10⤵
        
        PID:6920
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SKB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HypercrtH" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Hypercrt.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hypercrt" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Hypercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HypercrtH" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Hypercrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ShellComponents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellComponents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\UnattendGC\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 14 /tr "'C:\Recovery\OEM\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\OEM\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 6 /tr "'C:\Recovery\OEM\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /f
1⤵
PID:6900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc00c3cc40,0x7ffc00c3cc4c,0x7ffc00c3cc58
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2352,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2348 /prefetch:2
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1828,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:6724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:6772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:6176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:6508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4564,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:6752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4752,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5392,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5332,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5012,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5764,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3544,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5268,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3248,i,2619474882821009204,9347660636572022161,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:5276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x3d8
1⤵
PID:2640

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:5356

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:3956

C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe
"C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:1992

C:\Recovery\OEM\SIHClient.exe
"C:\Recovery\OEM\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:5508

C:\Users\Public\Pictures\Hypercrt.exe
"C:\Users\Public\Pictures\Hypercrt.exe"
1⤵
- Executes dropped EXE
PID:5216

C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe
"C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:312

C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe
"C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe"
1⤵
- Executes dropped EXE
PID:6708

C:\Users\Default User\upfc.exe
"C:\Users\Default User\upfc.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\ShellComponents\dwm.exe
"C:\Windows\ShellComponents\dwm.exe"
1⤵
- Executes dropped EXE
PID:2320

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:6988

C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe
"C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe"
1⤵
- Executes dropped EXE
PID:3152

C:\Users\Default User\MoUsoCoreWorker.exe
"C:\Users\Default User\MoUsoCoreWorker.exe"
1⤵
- Executes dropped EXE
PID:6096

C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe
"C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:6556

C:\Recovery\OEM\SIHClient.exe
"C:\Recovery\OEM\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:6780

C:\Users\Public\Pictures\Hypercrt.exe
"C:\Users\Public\Pictures\Hypercrt.exe"
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\Panther\UnattendGC\smss.exe
"C:\Windows\Panther\UnattendGC\smss.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
PID:5252

C:\Program Files (x86)\Windows Photo Viewer\Registry.exe
"C:\Program Files (x86)\Windows Photo Viewer\Registry.exe"
1⤵
- Executes dropped EXE
PID:6548

C:\Recovery\WindowsRE\backgroundTaskHost.exe
"C:\Recovery\WindowsRE\backgroundTaskHost.exe"
1⤵
- Executes dropped EXE
PID:6260

C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe
"C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:6044

C:\Windows\SKB\services.exe
"C:\Windows\SKB\services.exe"
1⤵
- Executes dropped EXE
PID:2820

C:\Users\Public\RuntimeBroker.exe
"C:\Users\Public\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Users\Default\Videos\cmd.exe
"C:\Users\Default\Videos\cmd.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:6348

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:6212

C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe
"C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe"
1⤵
- Executes dropped EXE
PID:2324

C:\Users\Default User\upfc.exe
"C:\Users\Default User\upfc.exe"
1⤵
- Executes dropped EXE
PID:2052

C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe
"C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:3128

C:\Recovery\OEM\SIHClient.exe
"C:\Recovery\OEM\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:6504

C:\Users\Public\Pictures\Hypercrt.exe
"C:\Users\Public\Pictures\Hypercrt.exe"
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\ShellComponents\dwm.exe
"C:\Windows\ShellComponents\dwm.exe"
1⤵
- Executes dropped EXE
PID:188

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:3660

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:116

C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe
"C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:6112

C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe
"C:\Program Files\Windows Photo Viewer\ja-JP\lsass.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Users\Default User\MoUsoCoreWorker.exe
"C:\Users\Default User\MoUsoCoreWorker.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\Panther\UnattendGC\smss.exe
"C:\Windows\Panther\UnattendGC\smss.exe"
1⤵
- Executes dropped EXE
PID:4764

C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe
"C:\Program Files\Microsoft Office\Office16\TrustedInstaller.exe"
1⤵
- Executes dropped EXE
PID:5368

C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe
"C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Users\Default User\upfc.exe
"C:\Users\Default User\upfc.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Recovery\OEM\SIHClient.exe
"C:\Recovery\OEM\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:5664

C:\Users\Public\Pictures\Hypercrt.exe
"C:\Users\Public\Pictures\Hypercrt.exe"
1⤵
- Executes dropped EXE
PID:6176

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:6696

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:7124

C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Windows Photo Viewer\Registry.exe
"C:\Program Files (x86)\Windows Photo Viewer\Registry.exe"
1⤵
- Executes dropped EXE
PID:7004

C:\Recovery\WindowsRE\backgroundTaskHost.exe
"C:\Recovery\WindowsRE\backgroundTaskHost.exe"
1⤵
- Executes dropped EXE
PID:5728

C:\Windows\ShellComponents\dwm.exe
"C:\Windows\ShellComponents\dwm.exe"
1⤵
- Executes dropped EXE
PID:6568

C:\Windows\SKB\services.exe
"C:\Windows\SKB\services.exe"
1⤵
- Executes dropped EXE
PID:4824

C:\Users\Public\RuntimeBroker.exe
"C:\Users\Public\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
PID:2080

C:\Users\Default\Videos\cmd.exe
"C:\Users\Default\Videos\cmd.exe"
1⤵
- Executes dropped EXE
PID:6860

C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe
"C:\Program Files\Mozilla Firefox\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe
"C:\Program Files (x86)\Internet Explorer\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Recovery\OEM\SIHClient.exe
"C:\Recovery\OEM\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Recovery\WindowsRE\csrss.exe
"C:\Recovery\WindowsRE\csrss.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Users\Public\Pictures\Hypercrt.exe
"C:\Users\Public\Pictures\Hypercrt.exe"
1⤵
- Executes dropped EXE
PID:5672

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
1⤵
- Executes dropped EXE
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery