dcrat | 31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2

Analysis

max time kernel
117s
max time network
115s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Size

4.9MB
MD5

4f2a2b2ffa4db5771f5e9f6927ee7390
SHA1

dbcc615437c6925f3e18010854607e66c3e5bce3
SHA256

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2
SHA512

51493c4ef3de3a62f6b630f24daf609d509a23cc1f663311496794a49e932fab57c0196f88688ddcd939028eead0bf46b2979bf5042c1ab5de3a0605a67c2f8e
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2836	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2824-3-0x000000001B6B0000-0x000000001B7DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
756	powershell.exe
1052	powershell.exe
2256	powershell.exe
2416	powershell.exe
2180	powershell.exe
2276	powershell.exe
1272	powershell.exe
1428	powershell.exe
2492	powershell.exe
1244	powershell.exe
1920	powershell.exe
3040	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid process

2872 lsass.exe
2488 lsass.exe
2288 lsass.exe
2400 lsass.exe
808 lsass.exe
2504 lsass.exe
1212 lsass.exe
2964 lsass.exe

pid	process
2872	lsass.exe
2488	lsass.exe
2288	lsass.exe
2400	lsass.exe
808	lsass.exe
2504	lsass.exe
1212	lsass.exe
2964	lsass.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exelsass.exelsass.exelsass.exelsass.exe31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Drops file in System32 directory 4 IoCs

Processes:

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

description	ioc	process
File created	C:\Windows\System32\bg-BG\services.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\System32\bg-BG\c5b4cb5e9653cc	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\System32\bg-BG\RCX7D10.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\System32\bg-BG\services.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

Drops file in Program Files directory 20 IoCs

Processes:

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\886983d96e3d3e	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Google\CrashReports\2df7d9e56efdae	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX7A9E.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX8127.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX8A11.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\7a0fd90576e088	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX908A.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX7F24.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

Drops file in Windows directory 18 IoCs

Processes:

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

description	ioc	process
File created	C:\Windows\IME\IMETC10\HELP\dwm.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\Vss\Writers\System\f3b6ecef712a24	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\servicing\de-DE\csrss.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\cc11b995f2a76d	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\RCX787B.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\winlogon.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX880D.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\winsxs\spoolsv.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX832B.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX8E86.tmp	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\Vss\Writers\System\spoolsv.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\IME\IMETC10\HELP\6cb0b6c459d5d3	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\RemotePackages\RemoteApps\winlogon.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File created	C:\Windows\RemotePackages\RemoteApps\cc11b995f2a76d	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\Vss\Writers\System\spoolsv.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\dwm.exe	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1384	schtasks.exe
2000	schtasks.exe
1816	schtasks.exe
2456	schtasks.exe
468	schtasks.exe
372	schtasks.exe
1688	schtasks.exe
480	schtasks.exe
2548	schtasks.exe
1488	schtasks.exe
2248	schtasks.exe
2160	schtasks.exe
1648	schtasks.exe
1244	schtasks.exe
620	schtasks.exe
1836	schtasks.exe
2508	schtasks.exe
1956	schtasks.exe
744	schtasks.exe
2904	schtasks.exe
2568	schtasks.exe
1856	schtasks.exe
2556	schtasks.exe
2296	schtasks.exe
2440	schtasks.exe
812	schtasks.exe
3048	schtasks.exe
2684	schtasks.exe
2124	schtasks.exe
2656	schtasks.exe
1260	schtasks.exe
2036	schtasks.exe
2608	schtasks.exe
300	schtasks.exe
1952	schtasks.exe
2172	schtasks.exe
1440	schtasks.exe
2612	schtasks.exe
2196	schtasks.exe
1556	schtasks.exe
2396	schtasks.exe
836	schtasks.exe
1480	schtasks.exe
2448	schtasks.exe
2764	schtasks.exe
2356	schtasks.exe
1828	schtasks.exe
2640	schtasks.exe
1644	schtasks.exe
2732	schtasks.exe
1512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
1272	powershell.exe
2492	powershell.exe
756	powershell.exe
2416	powershell.exe
1428	powershell.exe
2276	powershell.exe
1244	powershell.exe
2256	powershell.exe
2180	powershell.exe
1052	powershell.exe
1920	powershell.exe
3040	powershell.exe
2872	lsass.exe
2488	lsass.exe
2288	lsass.exe
2400	lsass.exe
808	lsass.exe
2504	lsass.exe
1212	lsass.exe
2964	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2872	lsass.exe
Token: SeDebugPrivilege	2488	lsass.exe
Token: SeDebugPrivilege	2288	lsass.exe
Token: SeDebugPrivilege	2400	lsass.exe
Token: SeDebugPrivilege	808	lsass.exe
Token: SeDebugPrivilege	2504	lsass.exe
Token: SeDebugPrivilege	1212	lsass.exe
Token: SeDebugPrivilege	2964	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.execmd.exelsass.exeWScript.exelsass.exeWScript.exelsass.exe

description	pid	process	target process
PID 2824 wrote to memory of 1272	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1272	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1272	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1428	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1428	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1428	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 756	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 756	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 756	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2180	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2180	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2180	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2276	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2276	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2276	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 3040	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 3040	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 3040	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2416	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2416	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2416	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1920	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1920	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1920	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1244	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1244	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1244	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2256	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2256	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2256	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2492	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2492	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2492	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1052	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1052	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 1052	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	powershell.exe
PID 2824 wrote to memory of 2768	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	cmd.exe
PID 2824 wrote to memory of 2768	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	cmd.exe
PID 2824 wrote to memory of 2768	2824	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe	cmd.exe
PID 2768 wrote to memory of 1760	2768	cmd.exe	w32tm.exe
PID 2768 wrote to memory of 1760	2768	cmd.exe	w32tm.exe
PID 2768 wrote to memory of 1760	2768	cmd.exe	w32tm.exe
PID 2768 wrote to memory of 2872	2768	cmd.exe	lsass.exe
PID 2768 wrote to memory of 2872	2768	cmd.exe	lsass.exe
PID 2768 wrote to memory of 2872	2768	cmd.exe	lsass.exe
PID 2872 wrote to memory of 1304	2872	lsass.exe	WScript.exe
PID 2872 wrote to memory of 1304	2872	lsass.exe	WScript.exe
PID 2872 wrote to memory of 1304	2872	lsass.exe	WScript.exe
PID 2872 wrote to memory of 1748	2872	lsass.exe	WScript.exe
PID 2872 wrote to memory of 1748	2872	lsass.exe	WScript.exe
PID 2872 wrote to memory of 1748	2872	lsass.exe	WScript.exe
PID 1304 wrote to memory of 2488	1304	WScript.exe	lsass.exe
PID 1304 wrote to memory of 2488	1304	WScript.exe	lsass.exe
PID 1304 wrote to memory of 2488	1304	WScript.exe	lsass.exe
PID 2488 wrote to memory of 1732	2488	lsass.exe	WScript.exe
PID 2488 wrote to memory of 1732	2488	lsass.exe	WScript.exe
PID 2488 wrote to memory of 1732	2488	lsass.exe	WScript.exe
PID 2488 wrote to memory of 2124	2488	lsass.exe	WScript.exe
PID 2488 wrote to memory of 2124	2488	lsass.exe	WScript.exe
PID 2488 wrote to memory of 2124	2488	lsass.exe	WScript.exe
PID 1732 wrote to memory of 2288	1732	WScript.exe	lsass.exe
PID 1732 wrote to memory of 2288	1732	WScript.exe	lsass.exe
PID 1732 wrote to memory of 2288	1732	WScript.exe	lsass.exe
PID 2288 wrote to memory of 2340	2288	lsass.exe	WScript.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exelsass.exelsass.exelsass.exe31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe
"C:\Users\Admin\AppData\Local\Temp\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKezoIFTG2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1760
- - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
    "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2872
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dd63b14-ddc3-4bb3-b6f9-2fa1eaf10e9e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2488
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89fb5234-3d23-4c49-a6b7-c0837a6d5e02.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54da542d-0b70-48f8-ad85-05508b5e50d0.vbs"
        8⤵
        
        PID:2340
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e77c1db-a7da-4547-9390-ee2d9acaf075.vbs"
        10⤵
        
        PID:2688
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ffda991-78ee-4d91-85b2-385947df9ed6.vbs"
        12⤵
        
        PID:2024
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5559ca-ae03-46dc-a37f-78b54a08c611.vbs"
        14⤵
        
        PID:1096
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cee2e5-13bd-4188-86af-b6ac54164a23.vbs"
        16⤵
        
        PID:2000
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a945e8-121d-4b6d-af62-a915ca985284.vbs"
        18⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\999312e5-7f98-4ece-a3b7-18840e9fd683.vbs"
        18⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a59544-fd63-4c9d-97fc-41930a8f7c09.vbs"
        16⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\745df3e5-924f-4511-85c8-9f7ff2cd34ce.vbs"
        14⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8e4ff4b-b0f2-49f8-ada0-6def49a78892.vbs"
        12⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca815826-ca60-4be1-959f-89f769d9bdd5.vbs"
        10⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\092a8382-fe90-4f63-964f-67241c56ae37.vbs"
        8⤵
        
        PID:2548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ceeaef7-acdb-4db2-8133-b5a6f3dad8b6.vbs"
        6⤵
        
        PID:2124
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7eee2d7-f897-4ba0-843c-4d47b0a4068e.vbs"
      4⤵
      PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC10\HELP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\bg-BG\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\bg-BG\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N3" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX859C.tmp

Filesize
4.9MB

MD5
172280c3096ae734642701bd2a4fdf3b

SHA1
fe777c8f7afab4c95316bbc44c58f2d52e70b7be

SHA256
bc9f004ee7a56e7015b9bb01259ba30f521839668e5c20c3c747edad56a281d9

SHA512
d1220efa02ba6931cdc337df967fd6dc97ec3f8078ed1f995465f9b99c03a9d0c668c2181ad57528f6ce4ef85f0b59267b4f642fd6b575efa87fe789d35ec255

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\smss.exe

Filesize
4.9MB

MD5
4f2a2b2ffa4db5771f5e9f6927ee7390

SHA1
dbcc615437c6925f3e18010854607e66c3e5bce3

SHA256
31b10a4ebf0f0a98a283f4fd5cd09f18be036846d59d9528b5e28112debf98e2

SHA512
51493c4ef3de3a62f6b630f24daf609d509a23cc1f663311496794a49e932fab57c0196f88688ddcd939028eead0bf46b2979bf5042c1ab5de3a0605a67c2f8e

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe

Filesize
4.9MB

MD5
520872ea2146d2de1da75e6b5ba6e910

SHA1
0c90b3aa89f1994c61b1ab589171819eb65d3e51

SHA256
ab48b87e9ac0594687fc0dbaff4c2d21cd32fd65b24a26ca9fc7675626997f33

SHA512
4c25930cfe6e957e009ab2d928aae120d2375d774a3822de0bc0086046272f78db5f5f81bee2a423d040e31c25f0e3f810e822fbe40f7aee7418d293c98a507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dd63b14-ddc3-4bb3-b6f9-2fa1eaf10e9e.vbs

Filesize
734B

MD5
bc1a38fd4fea61281b96250cbbecf71f

SHA1
ec8ae5f37ba0abb78187809fd2f48abbc8f086de

SHA256
7005fc75dbb49f6dc47c898cc617b588cc779078bda2e68a6fd9951a2f05b5d2

SHA512
3c6d0559cc6226baf909d250631068b4fbe7674c16575dd79d5dbe9b5fbb7a2913275ebdaac7c6d5733b0af3f2801a222cdc68cda517f6a0f83b4a10aebd151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\54da542d-0b70-48f8-ad85-05508b5e50d0.vbs

Filesize
734B

MD5
cbf1abb128b1eeb9a3910606356c580d

SHA1
0de780651f6b64befd0717238d187137c6b8ed79

SHA256
ffc067627c137ef66e9c273a9b5a58c538c46b9afee25aafa3d65998c0f7e10f

SHA512
fbaec0bb12a14fd1254fa17311283b2eaed8aa2ab0b5f6c0b83835ebe3cf86948c2728b88aafcb702d0e5c74b84f39b11120f764be127a891fe3499840907b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e77c1db-a7da-4547-9390-ee2d9acaf075.vbs

Filesize
734B

MD5
5ecfd80387156763e27defbf3f453419

SHA1
d5332778aa31a9db78d5855506086a44e51645db

SHA256
592118b147928adc4bf3e2c047c5f1bb52e92aa8cf097c880dbd6be774fed371

SHA512
eb2b703a82dc5f29c5d9ca25f311760869cf88243541f8a053d5699866c6dd96500ed3c7e10b49de1a106704b24700aeefb038e7650c6047d56be3228cc149a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\89fb5234-3d23-4c49-a6b7-c0837a6d5e02.vbs

Filesize
734B

MD5
61d043d12ae2615a20a718c67e7c54f4

SHA1
19a71624d069c891f5bcdbc2a1607070d66fdee0

SHA256
6b9f06e2ca0242b38c1f2a135a9d731167c483e8c96133ed38fe28e019fc3846

SHA512
f5804bb20ff5f2c3de475d4a7a310bf892162a40b62b6ef65f9e18eb33613401997ce47122888575a976a1739b46cdd078daa87dbc16282699433045c6661c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ffda991-78ee-4d91-85b2-385947df9ed6.vbs

Filesize
733B

MD5
ea8721f653357fc225a590dcc9ffbd04

SHA1
14720e7a804b94e1771af4b6a9d82339d9862d11

SHA256
a0e50f1861a9d85a6225dbe2dd05b92c713f76e48a06d1778ca79b05b481b6e8

SHA512
cd9c083365e2ae6f71dedee1dfa37a4d8972185869cf39b91ac8ee404993a9e76bff43117835610bb698469bcf309bb275e396a537c878760082f20310811aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKezoIFTG2.bat

Filesize
223B

MD5
16543735f1aad73a528f84aee1f79022

SHA1
68e2e214f5f6392deb88a82d2b71976d670685cf

SHA256
a1b021629f7cec1419d5cc1f2888fc826f597a463779a6ffae60a38b83f56fda

SHA512
35c414b0d7d0246b672164444210dd2ef5e4408366e99453ff0c159e5dd47eb0becacf8d12288a6b6bbb8d935b9f93815d017e9e16bfcb60c227e65e0e03eb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9a945e8-121d-4b6d-af62-a915ca985284.vbs

Filesize
734B

MD5
b2c45c4fa767d5e9c2ad8668599e237d

SHA1
641375e69baa3987e547791b0746aed20a7a7554

SHA256
fc806d8db270279193b331429b78194267651fab4efb44f43f1bdfb7bbc7d587

SHA512
503433977b3350bf866e7cb71649dbfd1a3e3be55730a0d32fcfa622c9bc485b596ebf9f3998f524503c65d4b8fecf14e88a0fe97fec908f5a28561ae12a0c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd5559ca-ae03-46dc-a37f-78b54a08c611.vbs

Filesize
734B

MD5
2448f598c6a0077571c1b4e355502967

SHA1
75f1e00e9cf135aea3b97efaa144b2e73ee0231c

SHA256
5a8b34e868f71398602c9c2dc5eb1bb1e420ee5ef794be54b1ec62389dfee5d0

SHA512
75505be8d8ff568d62863fc3a2bbc367d7ceb228edb4b08429638b35da4e4a5e77910fecbcfda4680616b8cfc46daecd4d59e99773226b8caa408a342ef2cd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0cee2e5-13bd-4188-86af-b6ac54164a23.vbs

Filesize
734B

MD5
af62624514d026e1cafa048b494a8ff6

SHA1
e50dcd339779c64ab386171851e0cbba04cb48c9

SHA256
d775f3f72118c6b8de88e28c2f5d9c6539537297684b61e768d6747c7fb3479d

SHA512
d364d466e7221e2ac365535edf3a8d5eddf0f5954ed7c35bafef2db334245506f0421a33d78ba22be44452f06dda0132e3f8d6fc871f77185b6f8eea74a1946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7eee2d7-f897-4ba0-843c-4d47b0a4068e.vbs

Filesize
510B

MD5
c4dded5ae764c3184ab02c5bde0698f2

SHA1
c6d447ceca9d3a86c49f70ce7f59e5bca0fdf74a

SHA256
01e6753e245376e2d7a7344c7a729ac24726fc7082f45923c22320d284056b6f

SHA512
20c613eb5d01ebfd8b17c6ecfb7d35d491701216b7cbd75081e0f5691d9ccdb6ce86f018e67fb708d7d11280d8ce43facc5a647901bb6ed2eba2f0916e50ef6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1OTF67RNVZQEXDE1D8X6.temp

Filesize
7KB

MD5
8b0528328445a4e62b5dffd2b29ba0b1

SHA1
38d538f69cbc222ff98594b598000d47bd5ebc2b

SHA256
6ab5955af19fad7d7e7dccfbf0cd87fe55908b56e80ee883e60fbc4ab46ab552

SHA512
23cb7668c55c7a78733f9da88651d0136f0efad835b64cef9f2d0880ceaac3256216a929a1f994d29ef3c98c1d61a9513f717ba44cd85d19d3e286d9d98813ab

Download Submit
memory/808-299-0x0000000001200000-0x00000000016F4000-memory.dmp

Filesize
5.0MB

Download
memory/1212-328-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/1272-202-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-268-0x0000000000C60000-0x0000000001154000-memory.dmp

Filesize
5.0MB

Download
memory/2288-269-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2400-284-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/2488-253-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/2492-203-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/2824-11-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/2824-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2824-152-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-137-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x0000000000870000-0x0000000000D64000-memory.dmp

Filesize
5.0MB

Download
memory/2824-2-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-16-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/2824-15-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2824-14-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2824-13-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/2824-12-0x00000000024E0000-0x00000000024EE000-memory.dmp

Filesize
56KB

Download
memory/2824-174-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-10-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/2824-9-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/2824-8-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/2824-7-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/2824-6-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2824-5-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2824-4-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2824-3-0x000000001B6B0000-0x000000001B7DE000-memory.dmp

Filesize
1.2MB

Download
memory/2872-239-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2872-238-0x0000000000E80000-0x0000000001374000-memory.dmp

Filesize
5.0MB

Download
memory/2964-343-0x0000000000FF0000-0x00000000014E4000-memory.dmp

Filesize
5.0MB

Download