dcrat | e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9

Analysis

max time kernel
117s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Size

1.8MB
MD5

7129b24ba5b05e8a48304a861d744780
SHA1

556ddf9ca97c6bd773351eb8ec0ab7797a27bb18
SHA256

e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9
SHA512

06c038e7241f0a49b4700bb5c7012b123df27bba1eff1723dae5722216edaa3b468d290431db33c75d37517d6a3b229f66149a7ec2e1e10a271e5d2f433a4496
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1840	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1840	schtasks.exe	85

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1416-1-0x0000000000320000-0x00000000004EE000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b93-26.dat	dcrat
behavioral2/files/0x000f000000023bae-111.dat	dcrat
behavioral2/files/0x0009000000023c1e-152.dat	dcrat
behavioral2/memory/5872-373-0x0000000000E60000-0x000000000102E000-memory.dmp	dcrat
behavioral2/files/0x0009000000023bfb-371.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
224	powershell.exe
1140	powershell.exe
4776	powershell.exe
3016	powershell.exe
4680	powershell.exe
3740	powershell.exe
944	powershell.exe
2352	powershell.exe
4300	powershell.exe
632	powershell.exe
3396	powershell.exe
4500	powershell.exe
5016	powershell.exe
4108	powershell.exe
760	powershell.exe
212	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 7 IoCs

pid	Process
5872	services.exe
5840	services.exe
1576	services.exe
5988	services.exe
4948	services.exe
1588	services.exe
2392	services.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\9e8d7a4ca61bd9	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files (x86)\Windows NT\5b884080fd4f94	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXBA1C.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXBEB2.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RCXD35D.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\Crashpad\attachments\e6c9b481da804f	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\TextInputHost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\Branding\services.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\LiveKernelReports\TextInputHost.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\en-US\SearchApp.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\diagnostics\system\Keyboard\en-US\spoolsv.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\Branding\c5b4cb5e9653cc	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\en-US\SearchApp.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\Branding\services.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\en-US\RCXD5DE.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\Offline Web Pages\System.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\en-US\38384e6a620884	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\Offline Web Pages\System.exe	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\Branding\RCXCA50.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File created	C:\Windows\LiveKernelReports\22eafd247d37c3	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXBC9E.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXC319.tmp	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
428	schtasks.exe
4916	schtasks.exe
3868	schtasks.exe
3552	schtasks.exe
4844	schtasks.exe
1964	schtasks.exe
452	schtasks.exe
4060	schtasks.exe
720	schtasks.exe
3840	schtasks.exe
2456	schtasks.exe
3820	schtasks.exe
2756	schtasks.exe
1124	schtasks.exe
5104	schtasks.exe
3500	schtasks.exe
3896	schtasks.exe
900	schtasks.exe
5008	schtasks.exe
4468	schtasks.exe
5056	schtasks.exe
3468	schtasks.exe
1756	schtasks.exe
408	schtasks.exe
4724	schtasks.exe
3676	schtasks.exe
212	schtasks.exe
3196	schtasks.exe
2744	schtasks.exe
1572	schtasks.exe
3888	schtasks.exe
4880	schtasks.exe
2860	schtasks.exe
4328	schtasks.exe
4388	schtasks.exe
4856	schtasks.exe
4688	schtasks.exe
3612	schtasks.exe
4680	schtasks.exe
2344	schtasks.exe
2748	schtasks.exe
2132	schtasks.exe
3596	schtasks.exe
4872	schtasks.exe
3396	schtasks.exe
4956	schtasks.exe
1464	schtasks.exe
440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
2992	powershell.exe
2992	powershell.exe
632	powershell.exe
632	powershell.exe
4680	powershell.exe
4680	powershell.exe
944	powershell.exe
944	powershell.exe
212	powershell.exe
212	powershell.exe
1140	powershell.exe
1140	powershell.exe
224	powershell.exe
224	powershell.exe
5016	powershell.exe
5016	powershell.exe
4500	powershell.exe
4500	powershell.exe
4300	powershell.exe
4300	powershell.exe
3396	powershell.exe
3396	powershell.exe
2352	powershell.exe
2352	powershell.exe
4776	powershell.exe
4776	powershell.exe
3396	powershell.exe
224	powershell.exe
3740	powershell.exe
3740	powershell.exe
3016	powershell.exe
3016	powershell.exe
4108	powershell.exe
4108	powershell.exe
2992	powershell.exe
2992	powershell.exe
4300	powershell.exe
760	powershell.exe
760	powershell.exe
4108	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	5872	services.exe
Token: SeDebugPrivilege	5840	services.exe
Token: SeDebugPrivilege	1576	services.exe
Token: SeDebugPrivilege	5988	services.exe
Token: SeDebugPrivilege	4948	services.exe
Token: SeDebugPrivilege	1588	services.exe
Token: SeDebugPrivilege	2392	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 760	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	141
PID 1416 wrote to memory of 760	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	141
PID 1416 wrote to memory of 212	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	142
PID 1416 wrote to memory of 212	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	142
PID 1416 wrote to memory of 2992	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	143
PID 1416 wrote to memory of 2992	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	143
PID 1416 wrote to memory of 4680	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	144
PID 1416 wrote to memory of 4680	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	144
PID 1416 wrote to memory of 632	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	145
PID 1416 wrote to memory of 632	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	145
PID 1416 wrote to memory of 3396	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	146
PID 1416 wrote to memory of 3396	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	146
PID 1416 wrote to memory of 4500	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	147
PID 1416 wrote to memory of 4500	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	147
PID 1416 wrote to memory of 5016	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	148
PID 1416 wrote to memory of 5016	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	148
PID 1416 wrote to memory of 3016	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	149
PID 1416 wrote to memory of 3016	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	149
PID 1416 wrote to memory of 4776	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	150
PID 1416 wrote to memory of 4776	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	150
PID 1416 wrote to memory of 944	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	152
PID 1416 wrote to memory of 944	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	152
PID 1416 wrote to memory of 4300	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	153
PID 1416 wrote to memory of 4300	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	153
PID 1416 wrote to memory of 2352	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	154
PID 1416 wrote to memory of 2352	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	154
PID 1416 wrote to memory of 4108	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	155
PID 1416 wrote to memory of 4108	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	155
PID 1416 wrote to memory of 1140	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	156
PID 1416 wrote to memory of 1140	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	156
PID 1416 wrote to memory of 3740	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	157
PID 1416 wrote to memory of 3740	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	157
PID 1416 wrote to memory of 224	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	158
PID 1416 wrote to memory of 224	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	158
PID 1416 wrote to memory of 5872	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	175
PID 1416 wrote to memory of 5872	1416	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe	175
PID 5872 wrote to memory of 5584	5872	services.exe	176
PID 5872 wrote to memory of 5584	5872	services.exe	176
PID 5872 wrote to memory of 5312	5872	services.exe	177
PID 5872 wrote to memory of 5312	5872	services.exe	177
PID 5584 wrote to memory of 5840	5584	WScript.exe	178
PID 5584 wrote to memory of 5840	5584	WScript.exe	178
PID 5840 wrote to memory of 5868	5840	services.exe	179
PID 5840 wrote to memory of 5868	5840	services.exe	179
PID 5840 wrote to memory of 5416	5840	services.exe	180
PID 5840 wrote to memory of 5416	5840	services.exe	180
PID 5868 wrote to memory of 1576	5868	WScript.exe	183
PID 5868 wrote to memory of 1576	5868	WScript.exe	183
PID 1576 wrote to memory of 1596	1576	services.exe	184
PID 1576 wrote to memory of 1596	1576	services.exe	184
PID 1576 wrote to memory of 1116	1576	services.exe	185
PID 1576 wrote to memory of 1116	1576	services.exe	185
PID 1596 wrote to memory of 5988	1596	WScript.exe	186
PID 1596 wrote to memory of 5988	1596	WScript.exe	186
PID 5988 wrote to memory of 3676	5988	services.exe	187
PID 5988 wrote to memory of 3676	5988	services.exe	187
PID 5988 wrote to memory of 6136	5988	services.exe	188
PID 5988 wrote to memory of 6136	5988	services.exe	188
PID 3676 wrote to memory of 4948	3676	WScript.exe	189
PID 3676 wrote to memory of 4948	3676	WScript.exe	189
PID 4948 wrote to memory of 552	4948	services.exe	190
PID 4948 wrote to memory of 552	4948	services.exe	190
PID 4948 wrote to memory of 3060	4948	services.exe	191
PID 4948 wrote to memory of 3060	4948	services.exe	191

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe
"C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\Branding\services.exe
  "C:\Windows\Branding\services.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2600f65-643b-4330-a942-a260ec9e52ae.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5584
  - - C:\Windows\Branding\services.exe
      C:\Windows\Branding\services.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3728367d-b306-447c-90fc-a296cde4d979.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5868
      - C:\Windows\Branding\services.exe
        
        C:\Windows\Branding\services.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e17b3d4c-d1dd-4821-8caf-15b32d8520a7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\Branding\services.exe
        
        C:\Windows\Branding\services.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a4f1854-8eb1-4158-9611-d4d9f2a57982.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\Branding\services.exe
        
        C:\Windows\Branding\services.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92cb0905-c6f2-485a-9434-9f63e21e449d.vbs"
        11⤵
        
        PID:552
        
        C:\Windows\Branding\services.exe
        
        C:\Windows\Branding\services.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb90e4f9-e4b3-40f1-bee4-9b21c46cd699.vbs"
        13⤵
        
        PID:3932
        
        C:\Windows\Branding\services.exe
        
        C:\Windows\Branding\services.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f887b5b3-49cc-4d56-984a-493d7a48408b.vbs"
        15⤵
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aa35a8d-8114-4ab8-b6d5-ca0c7d6b49bd.vbs"
        15⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4433406-2564-4952-857c-f9f94fbbbcbf.vbs"
        13⤵
        
        PID:4724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec998fd-0f28-4fea-963e-bd87b618894f.vbs"
        11⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26daf1e4-f06d-44d5-ba1f-d2c027b7c266.vbs"
        9⤵
        
        PID:6136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7b013af-45ff-41da-89f5-b84060e65a89.vbs"
        7⤵
        
        PID:1116
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66574ae5-5377-4cfa-8a03-52d756c4d327.vbs"
        5⤵
        
        PID:5416
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0ee9299-96a6-443b-b6e8-00a1019a18b3.vbs"
    3⤵
    PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9Ne" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N" /sc ONLOGON /tr "'C:\Users\Default\Links\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9Ne" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\RuntimeBroker.exe

Filesize
1.8MB

MD5
3e85256421ec2008737ccff4097cb7ef

SHA1
c495f6d413643bb98ee8431f47ca6b0cf69996a4

SHA256
e8c7c5a0127c2149f5fe49686b38b68f40e92fb5c5a0d014f491e951c4cff6b5

SHA512
e6fd974cc2d3b80ec0bf16e220b7aa9c2e237e049ee2beeb6530f6bc58923fdde252f936e66ee1c555e7e58acdea918493f276796eb06ff640f9e41b7c8c3624

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.8MB

MD5
7320dc1f4c4cfe1861f861e66479912d

SHA1
f60d8df365abf5b95b957d4881d727b433d31c38

SHA256
9f8e60d4556a5aaffb545fabc38c3f0e2523b456800daa76c49c880785302df4

SHA512
4bb007b2f4045c405154057502c818debe91e2adfefde20b06d3f57d4053b031df82401d50bf6a22fca677f608600c76afd3467f35bf206b3364ea7058be2689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3728367d-b306-447c-90fc-a296cde4d979.vbs

Filesize
708B

MD5
77fc9fae4b920e95305c944c15733131

SHA1
1a8d80f5c4e871fd2419b0988db7ecf8ced5da6f

SHA256
0ed1ae8bcf90cf40f5f3960172d03bb30eecc3034d91e3ee790e1daeae3a500f

SHA512
f3be3438df99efd49122c40e4592d9ada2195ae429b4da70863c7518a613f98ea61e0286ee7cb65b8201c47e5e2c20251cebcfc058c2aa3c06a6f5f7d21bb7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a4f1854-8eb1-4158-9611-d4d9f2a57982.vbs

Filesize
708B

MD5
aeb43e4cc5667ec51376fa4b1b6f1ddb

SHA1
9b08f65b8385da6c19414eb1e1bdff6ece97d02b

SHA256
d11d61801daead4f4c69a22fc52aa5ad1c15b9ac60d66fa7e9a9c9eec12a57f1

SHA512
97c68538652f01fc6a8206af2445080949c568da235f46143de26e85b6056837b7e03174168e2dbe0233a1e91b84685ce5993e52c9145875084223389f121b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\92cb0905-c6f2-485a-9434-9f63e21e449d.vbs

Filesize
708B

MD5
22fdb733d5f108e1b210f26d7547953e

SHA1
3728c5d3e8b4a8e8083ee6b0bc3cd0bafdd79227

SHA256
c74901b6c5d9a3b7e209a69d1a739ae353d4caf827255067404bd57b540788a5

SHA512
4ec67b867f1e6e26276bd315a291dec07530115227fc736824c07a2e3645eb935ae7eefbae44373cb912db3cb315b5076cd616c6352bba5f84284701642cbfb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snzndsxe.u5o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ee9299-96a6-443b-b6e8-00a1019a18b3.vbs

Filesize
484B

MD5
0abce26fe5254737cb9c2e1cbd52cf1e

SHA1
425de3fe54bb821931170a622413f4f06e42f60a

SHA256
d6cb86831f861cac564db206a0db57b4acae3ddebcfd58a3bfdb2dc572638e9a

SHA512
f0f2b4ff1791c54720aa273d74f376f56763ed2d45a5fef82c1557242c80363cfec7361f2382a7e4d2487e2942e8897624acd2372d7353e19547cd7eaa1ec478

Download Submit
C:\Users\Admin\AppData\Local\Temp\e17b3d4c-d1dd-4821-8caf-15b32d8520a7.vbs

Filesize
708B

MD5
98ddf794fa8d0300402ade3582b1228c

SHA1
9b9d050427af3486a0db79143aa381856efa5294

SHA256
f3f6f2f97b18428f86a39e935211eacaa65fa994b6d96cc9395f1e08d54a7f59

SHA512
a3bf2893510eb97c7b9ed94e091d1d2670c86f225174da80d872c0ba627b93fb143faadc63bd73414758014b7d8903b57c385771723b63a07472d06a427cfc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2600f65-643b-4330-a942-a260ec9e52ae.vbs

Filesize
708B

MD5
d0c8eb8431f5f12f543437a21551485e

SHA1
eebb5509ef647fcfad4fb3932813be47b87c02e3

SHA256
2c13e724084576295ca8b0c68cc6db79697d2b5e101a01f2f3076845ff0f53e4

SHA512
2b3309490e54bca615983b273f124a620ba2cd1e9b0a3e1808cdd0ba081299ff0b619d6ad90ac3e4062de65bee803b986be61a87cd7acfa32e10a5563e16f304

Download Submit
C:\Users\Admin\AppData\Local\Temp\f887b5b3-49cc-4d56-984a-493d7a48408b.vbs

Filesize
708B

MD5
508b35975f314ce41c6523482de95462

SHA1
e031760fed53666f445e5add1d50c11cde1ab58f

SHA256
aa513d3a6966c3d7eaea214fc1e37c28d9a0e986b0b17338e5119c4e527d7adc

SHA512
8cdb07243d5e4ace7c1aa3569d053fb4651251e6c37f161c06eda8966b16402a1902579c7d45165159c09316718d55eda29ac8ff3937c97b702d324406aec458

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb90e4f9-e4b3-40f1-bee4-9b21c46cd699.vbs

Filesize
708B

MD5
01c952164f24f26ca1a96fca813cc1cf

SHA1
c7008270b8999b89b70c71660764a5c94a7cce74

SHA256
533cfd21abc9441b9fbe8c567041b9a790cc002b31c82145843665eb44586eb3

SHA512
2d9524867ca83faa6248ed20f930f27c2d3e88520663632be9048dcdf40404d6d4f8e3191737ec82dae75e940d5c3207b793df76a062e2c200b224697a331fc2

Download Submit
C:\Windows\Branding\services.exe

Filesize
1.8MB

MD5
c5faea4b9286a498ab05c4deba3b8963

SHA1
aff362467e3237d67fb6bb11b3a52b03f02cb738

SHA256
2f3c755479cc310ce0052938be01df568f9e23f35e1338f3f255cf8cddee7ca3

SHA512
21c559623f14f15fb56f31ab60fb81eac651e2a4f4d0129525e0cc6ef041a7af64d13b851eb869f9e67890380c254d8279abca1c86977331ddfb999a2240a254

Download Submit
C:\Windows\Offline Web Pages\System.exe

Filesize
1.8MB

MD5
7129b24ba5b05e8a48304a861d744780

SHA1
556ddf9ca97c6bd773351eb8ec0ab7797a27bb18

SHA256
e16d3ed4d3d49826dc5b1a9f6e95297c4dad1be5d8c404957ee40dc04cfcf7b9

SHA512
06c038e7241f0a49b4700bb5c7012b123df27bba1eff1723dae5722216edaa3b468d290431db33c75d37517d6a3b229f66149a7ec2e1e10a271e5d2f433a4496

Download Submit
memory/1416-12-0x000000001BE40000-0x000000001C368000-memory.dmp

Filesize
5.2MB

Download
memory/1416-11-0x000000001B8D0000-0x000000001B8E2000-memory.dmp

Filesize
72KB

Download
memory/1416-1-0x0000000000320000-0x00000000004EE000-memory.dmp

Filesize
1.8MB

Download
memory/1416-2-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-138-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/1416-374-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-3-0x000000001B100000-0x000000001B11C000-memory.dmp

Filesize
112KB

Download
memory/1416-17-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/1416-16-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/1416-14-0x000000001B920000-0x000000001B92E000-memory.dmp

Filesize
56KB

Download
memory/1416-15-0x000000001B930000-0x000000001B93E000-memory.dmp

Filesize
56KB

Download
memory/1416-13-0x000000001B910000-0x000000001B91A000-memory.dmp

Filesize
40KB

Download
memory/1416-0-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/1416-151-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1416-10-0x000000001B160000-0x000000001B16A000-memory.dmp

Filesize
40KB

Download
memory/1416-9-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/1416-7-0x000000001B130000-0x000000001B146000-memory.dmp

Filesize
88KB

Download
memory/1416-8-0x000000001B150000-0x000000001B162000-memory.dmp

Filesize
72KB

Download
memory/1416-6-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/1416-4-0x000000001B170000-0x000000001B1C0000-memory.dmp

Filesize
320KB

Download
memory/1416-5-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/1588-469-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2392-481-0x000000001D3F0000-0x000000001D402000-memory.dmp

Filesize
72KB

Download
memory/2992-217-0x0000021EB2F10000-0x0000021EB2F32000-memory.dmp

Filesize
136KB

Download
memory/4948-457-0x000000001D5F0000-0x000000001D602000-memory.dmp

Filesize
72KB

Download
memory/5840-423-0x000000001D340000-0x000000001D352000-memory.dmp

Filesize
72KB

Download
memory/5872-375-0x000000001D8D0000-0x000000001D8E2000-memory.dmp

Filesize
72KB

Download
memory/5872-373-0x0000000000E60000-0x000000000102E000-memory.dmp

Filesize
1.8MB

Download