dcrat | a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Size

4.9MB
MD5

9ccdd0840333a8d430bc300546d8aa87
SHA1

1150679348b39ee6d63d875084e6d2dc36eff56f
SHA256

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36
SHA512

c95f27d3fea0afba3424ac4d56754891d294fa3b86ec01d5aee0075f8b8078b5274b21b30b90a8a9ab8de48b2574b45d14b86d59077fbbcc366a8c775a004221
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 18 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e		a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
		2756	schtasks.exe
File created	C:\Program Files\DVD Maker\en-US\6ccacd8608530f		a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
		1596	schtasks.exe
		2680	schtasks.exe
		2928	schtasks.exe
		2840	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
		2644	schtasks.exe
		2748	schtasks.exe
		2560	schtasks.exe
		2828	schtasks.exe
		2744	schtasks.exe
		2664	schtasks.exe
		2696	schtasks.exe
		2692	schtasks.exe
		2824	schtasks.exe
		2828	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2360	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execsrss.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2972-3-0x000000001B250000-0x000000001B37E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1980	powershell.exe
1136	powershell.exe
2016	powershell.exe
2624	powershell.exe
1744	powershell.exe
1536	powershell.exe
2564	powershell.exe
1144	powershell.exe
1732	powershell.exe
1988	powershell.exe
1256	powershell.exe
1644	powershell.exe
2092	powershell.exe
1260	powershell.exe
1984	powershell.exe
1820	powershell.exe
688	powershell.exe
3012	powershell.exe
2600	powershell.exe
2112	powershell.exe
2396	powershell.exe
1656	powershell.exe
2584	powershell.exe
2672	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
1396	csrss.exe
1056	csrss.exe
852	csrss.exe
2648	csrss.exe
1124	csrss.exe
2552	csrss.exe
3000	csrss.exe
1220	csrss.exe
2748	csrss.exe
856	csrss.exe
1512	csrss.exe
296	csrss.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Drops file in Program Files directory 11 IoCs

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\DVD Maker\en-US\Idle.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files\DVD Maker\en-US\6ccacd8608530f	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCXC3FC.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Idle.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXC803.tmp	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\886983d96e3d3e	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2828	schtasks.exe
1596	schtasks.exe
2828	schtasks.exe
2664	schtasks.exe
2928	schtasks.exe
2644	schtasks.exe
2756	schtasks.exe
2840	schtasks.exe
2680	schtasks.exe
2692	schtasks.exe
2696	schtasks.exe
2560	schtasks.exe
2824	schtasks.exe
2748	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
1656	powershell.exe
1980	powershell.exe
2016	powershell.exe
1536	powershell.exe
1644	powershell.exe
2112	powershell.exe
1136	powershell.exe
2092	powershell.exe
1260	powershell.exe
2396	powershell.exe
1984	powershell.exe
2600	powershell.exe
1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
1732	powershell.exe
2584	powershell.exe
2624	powershell.exe
688	powershell.exe
2564	powershell.exe
3012	powershell.exe
1988	powershell.exe
1820	powershell.exe
1256	powershell.exe
2672	powershell.exe
1144	powershell.exe
1744	powershell.exe
1396	csrss.exe
1056	csrss.exe
852	csrss.exe
2648	csrss.exe
1124	csrss.exe
2552	csrss.exe
3000	csrss.exe
1220	csrss.exe
2748	csrss.exe
856	csrss.exe
1512	csrss.exe
296	csrss.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1396	csrss.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1056	csrss.exe
Token: SeDebugPrivilege	852	csrss.exe
Token: SeDebugPrivilege	2648	csrss.exe
Token: SeDebugPrivilege	1124	csrss.exe
Token: SeDebugPrivilege	2552	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe
Token: SeDebugPrivilege	1220	csrss.exe
Token: SeDebugPrivilege	2748	csrss.exe
Token: SeDebugPrivilege	856	csrss.exe
Token: SeDebugPrivilege	1512	csrss.exe
Token: SeDebugPrivilege	296	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe

description	pid	Process	procid_target
PID 2972 wrote to memory of 1980	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	41
PID 2972 wrote to memory of 1980	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	41
PID 2972 wrote to memory of 1980	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	41
PID 2972 wrote to memory of 1656	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	42
PID 2972 wrote to memory of 1656	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	42
PID 2972 wrote to memory of 1656	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	42
PID 2972 wrote to memory of 1136	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	44
PID 2972 wrote to memory of 1136	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	44
PID 2972 wrote to memory of 1136	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	44
PID 2972 wrote to memory of 2016	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	45
PID 2972 wrote to memory of 2016	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	45
PID 2972 wrote to memory of 2016	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	45
PID 2972 wrote to memory of 2600	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	47
PID 2972 wrote to memory of 2600	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	47
PID 2972 wrote to memory of 2600	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	47
PID 2972 wrote to memory of 1984	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	49
PID 2972 wrote to memory of 1984	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	49
PID 2972 wrote to memory of 1984	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	49
PID 2972 wrote to memory of 2112	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	50
PID 2972 wrote to memory of 2112	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	50
PID 2972 wrote to memory of 2112	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	50
PID 2972 wrote to memory of 2396	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	51
PID 2972 wrote to memory of 2396	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	51
PID 2972 wrote to memory of 2396	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	51
PID 2972 wrote to memory of 1644	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	52
PID 2972 wrote to memory of 1644	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	52
PID 2972 wrote to memory of 1644	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	52
PID 2972 wrote to memory of 1536	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	53
PID 2972 wrote to memory of 1536	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	53
PID 2972 wrote to memory of 1536	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	53
PID 2972 wrote to memory of 2092	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	54
PID 2972 wrote to memory of 2092	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	54
PID 2972 wrote to memory of 2092	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	54
PID 2972 wrote to memory of 1260	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	55
PID 2972 wrote to memory of 1260	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	55
PID 2972 wrote to memory of 1260	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	55
PID 2972 wrote to memory of 1288	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	59
PID 2972 wrote to memory of 1288	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	59
PID 2972 wrote to memory of 1288	2972	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	59
PID 1288 wrote to memory of 2564	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	72
PID 1288 wrote to memory of 2564	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	72
PID 1288 wrote to memory of 2564	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	72
PID 1288 wrote to memory of 2584	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	73
PID 1288 wrote to memory of 2584	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	73
PID 1288 wrote to memory of 2584	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	73
PID 1288 wrote to memory of 2624	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	75
PID 1288 wrote to memory of 2624	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	75
PID 1288 wrote to memory of 2624	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	75
PID 1288 wrote to memory of 2672	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	76
PID 1288 wrote to memory of 2672	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	76
PID 1288 wrote to memory of 2672	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	76
PID 1288 wrote to memory of 1744	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	77
PID 1288 wrote to memory of 1744	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	77
PID 1288 wrote to memory of 1744	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	77
PID 1288 wrote to memory of 3012	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	78
PID 1288 wrote to memory of 3012	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	78
PID 1288 wrote to memory of 3012	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	78
PID 1288 wrote to memory of 1256	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	79
PID 1288 wrote to memory of 1256	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	79
PID 1288 wrote to memory of 1256	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	79
PID 1288 wrote to memory of 1988	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	80
PID 1288 wrote to memory of 1988	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	80
PID 1288 wrote to memory of 1988	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	80
PID 1288 wrote to memory of 688	1288	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe	81

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

Processes:

a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.execsrss.exea23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
"C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe"
1⤵
- DcRat
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe
  "C:\Users\Admin\AppData\Local\Temp\a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f5cd060-cbcd-43ad-b9f9-0f66860c77c9.vbs"
      4⤵
      PID:2148
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1056
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fb73fa-25e2-4694-b7c2-aaf6e3ddaa29.vbs"
        6⤵
        
        PID:2460
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0211b4df-726e-4908-a1df-3b85f37db219.vbs"
        8⤵
        
        PID:1760
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fce070-8e8a-4ca7-9ca5-b05cfb57a630.vbs"
        10⤵
        
        PID:2568
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20b94f29-d476-4143-a209-f7defeebf00c.vbs"
        12⤵
        
        PID:1828
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8df8003-af1f-463a-bfbc-f82aae712470.vbs"
        14⤵
        
        PID:3008
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e9a4f1-ce08-41bb-a6db-928c7441b14c.vbs"
        16⤵
        
        PID:2432
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae321f46-de39-4f67-b2d0-e994f4f3209a.vbs"
        18⤵
        
        PID:2492
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb575661-602b-4343-b7ff-962057c10ec5.vbs"
        20⤵
        
        PID:1988
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5bba40c-4f79-48b5-abfe-c92f6c832ad9.vbs"
        22⤵
        
        PID:1324
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14753884-149e-47cf-b31d-9bdf7a698c31.vbs"
        24⤵
        
        PID:1484
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5e13e7f-3c5d-497d-b07b-85f615bba23f.vbs"
        26⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e66b7aa-e71e-4022-9be2-bf7593a6e349.vbs"
        26⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6654baa4-3bc3-495b-916b-cbe95f1fbd02.vbs"
        24⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\080e012c-b6ef-48e3-9418-070bcd69fef1.vbs"
        22⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ab4c4a3-9cfe-44b9-9d75-854932e9cd26.vbs"
        20⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697e4aa1-4b82-4b26-ad72-ca9d49454616.vbs"
        18⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f28daf-7925-42d4-8682-75b1ffb6fc73.vbs"
        16⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2bb1939-cca8-47c2-a050-6df9cf6e3bda.vbs"
        14⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977887dc-c45a-4c3e-9760-bc191cc1a670.vbs"
        12⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c8c4772-bcb3-4399-a7b6-5d4d589747a6.vbs"
        10⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c411a83c-8af8-4966-b16d-28f7eb152266.vbs"
        8⤵
        
        PID:2312
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\058eeccf-f454-4192-bb39-bd424071388d.vbs"
        6⤵
        
        PID:2848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7957468-3168-4fa7-bce3-3a97dbc9bbca.vbs"
      4⤵
      PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\en-US\Idle.exe

Filesize
4.9MB

MD5
9ccdd0840333a8d430bc300546d8aa87

SHA1
1150679348b39ee6d63d875084e6d2dc36eff56f

SHA256
a23d7327af924bf409a6116994ea68e7660549cc470d9c93b3750226574b9d36

SHA512
c95f27d3fea0afba3424ac4d56754891d294fa3b86ec01d5aee0075f8b8078b5274b21b30b90a8a9ab8de48b2574b45d14b86d59077fbbcc366a8c775a004221

Download Submit
C:\Users\Admin\AppData\Local\Temp\0211b4df-726e-4908-a1df-3b85f37db219.vbs

Filesize
753B

MD5
8eecfa790aca3c8d6422953e0b785403

SHA1
a8fa4eb29e9c93113b663510d60d986dc940f1f1

SHA256
f286e5c449ae2eb8b3c6ce79bd44eb3628a2e491b67722f0701f39b67ad44e20

SHA512
f91de7c27d1a16d84f995a8901b6671b6cb1cf1e2e59af595d43b3d1853654da6a122a8f5ffabf5ba92929dcc52fe036ac62591a24d7d16b5ec6432e493edded

Download Submit
C:\Users\Admin\AppData\Local\Temp\20b94f29-d476-4143-a209-f7defeebf00c.vbs

Filesize
754B

MD5
a5af0c7aa8ea6b935e6ad0d321ec4b2e

SHA1
eb684b2748a4e7c2ab9baf8668fb04ac486fe16c

SHA256
7737e7d7decb9e318991c2f2ab7d26951a0a02c9e205ac2eb63808a2c735607f

SHA512
654bbebeaed3b94318fc87960f77d990952f094b51bf1827466e80c12996f28741597ae0ffa7658263bacfb42d96108c6b6076ea53f4d6f503970d9dd12705b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f5cd060-cbcd-43ad-b9f9-0f66860c77c9.vbs

Filesize
754B

MD5
e56b8ff7914edd3378f3b916f0926a31

SHA1
391786df6303d06f58166cf472f5fefcb171c484

SHA256
63606acd6490ed48390e2e9a13a4236537142e112447ff9a3a8579afab283032

SHA512
7632d35d76ee03eb8a809a93b293edb0ba3cec242fb68785cd149c7d4a9d849f697c144bc1559fcb99b8f229ef11c5ce87eea288c9c84190b7a06add07b5abb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae321f46-de39-4f67-b2d0-e994f4f3209a.vbs

Filesize
754B

MD5
745d8ae177fcd0e5268cb98283f1d1cd

SHA1
f9cfc7f40d988ea759a6126c24358ada3103b3c4

SHA256
9f696ca06ccc489556f37e5cbe010caba714002c7bca150273219b60b277ed82

SHA512
e0d909ca7756593a38204791b39473cc8749f74ddb5a61712a6e73797cb3ca88d9018d7d0f2900ad9c98532321f90627b1b585d1462566100618819de4f43a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5bba40c-4f79-48b5-abfe-c92f6c832ad9.vbs

Filesize
753B

MD5
5ce0a5a2d0a39cfd25379a372cc04832

SHA1
dae6648b40e859ebb10a60d54d378ba0579b508b

SHA256
3943706c9aca76094668b6655e232ca72d136e604276fdaf26c44559779295f6

SHA512
8e390a7d162b7dd7d6cc9a16b7533eabba56e24621f24361bef1a75b653aaf4d24531d8b42969cbe78cd71992a28c15d139ac51b138f07834e17dcbc061e9f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8df8003-af1f-463a-bfbc-f82aae712470.vbs

Filesize
754B

MD5
172f63a0a83331693bf67f11e4beb0db

SHA1
198a0032eeec87321b6d7b6b2c93dbe7b78c785c

SHA256
1b24094523045d2e565b36b83ea32e9a20530b62e09fade8eb8c6351b9793b8d

SHA512
b012aec84a9966272eb378f014dcc7cd326cee73aea0a4bf1ae7564801d73df18facb8439c98bb724c9d16a11ceb071fb8a14dfcc9fac6f46d86e443bd494513

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0fce070-8e8a-4ca7-9ca5-b05cfb57a630.vbs

Filesize
754B

MD5
a4a30f6bdf8a9fe91ea06335e4db1d08

SHA1
6036e4dbdd8892e03c836113eac1433095ed489a

SHA256
d4fbf0f2420b8782673becf7702fef6d1e57bc795403045d68f2a49bef367492

SHA512
afa6eb095c4495f2d065e1a8f90a76175cded7a0da22f5726cc0343eb91c5f2b9b47305664eab16f3f44bd7aea9b3bc925edcde3ff3c65d1932577dfd2d38335

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7957468-3168-4fa7-bce3-3a97dbc9bbca.vbs

Filesize
530B

MD5
c43c64e7ab7cf0d02edb1226d1b78ba8

SHA1
4d8df7f439eb88b50c4d04bd1d71b614143e66e8

SHA256
c266ab2b8f8d8bafd1f96d721c8a20ae74b6e4103504d4237f573eda242961b4

SHA512
0895c59e830846c636baa3b7eec3de602febc77fbf3850531e58d75a056de3b9dfa6903d2c0723e9358f572268f23614ac26d6e9b1b6b5e98535ffcf40df6f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9fb73fa-25e2-4694-b7c2-aaf6e3ddaa29.vbs

Filesize
754B

MD5
02a28e64312b44bd64321dfa690c586b

SHA1
37438bfe775c6092dedd50db2b20207868683725

SHA256
a483bc7c2c980b40247939609087e571a57f5a0b81bece49c30b98f85f248b97

SHA512
efe0dfb4e08a795fa1469dc8eefdef7fc583299784f29f3bed80dcbded1df89f36681bd242cba8735e3f91134e19271c7a1141272684c1380e69a7fbddc2237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb575661-602b-4343-b7ff-962057c10ec5.vbs

Filesize
754B

MD5
f75440e92bc9cee41553d7ddaa3a16ac

SHA1
7fdb8655feecb795e077eddbb283070421dc38ca

SHA256
dfdcd5b3ecad634c5e6b9eb409fd65561da1d4c29b717cc3947c4a0d31ab990a

SHA512
06c334c5b77b6c0d82b602a9820a3f7c6510de2a16c8b893900d66f46c678243c6edc7043d659031facd4c079decf260fffa5704998f98b0f5a369519726966b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD97D.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4cff732914093b4a9b61db2ac41a93ab

SHA1
f19abb6f0c10024acf27c2298c6e4b0177545ee1

SHA256
6583a9408273069c42222c7412101092508ae1403265e703e267241ce2d0dae0

SHA512
318c90303bcff02036f3d8857041b0f4647d61a6152ffb0f332b4442e3c9864abbc01206d8441ef34b6c12fb1492cddc9eb46df154963ab68bd35925c6861fab

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/296-350-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/296-351-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/852-221-0x0000000000130000-0x0000000000624000-memory.dmp

Filesize
5.0MB

Download
memory/856-325-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/1056-206-0x0000000000260000-0x0000000000754000-memory.dmp

Filesize
5.0MB

Download
memory/1124-251-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/1220-294-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1396-172-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/1512-339-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1656-64-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1656-55-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-144-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-148-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2552-266-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2648-236-0x0000000000C80000-0x0000000001174000-memory.dmp

Filesize
5.0MB

Download
memory/2748-310-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/2748-309-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/2972-14-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/2972-7-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2972-15-0x000000001AF50000-0x000000001AF58000-memory.dmp

Filesize
32KB

Download
memory/2972-12-0x000000001AF20000-0x000000001AF2E000-memory.dmp

Filesize
56KB

Download
memory/2972-11-0x000000001AF10000-0x000000001AF1A000-memory.dmp

Filesize
40KB

Download
memory/2972-10-0x000000001AF00000-0x000000001AF12000-memory.dmp

Filesize
72KB

Download
memory/2972-16-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/2972-9-0x000000001AEF0000-0x000000001AEFA000-memory.dmp

Filesize
40KB

Download
memory/2972-8-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/2972-13-0x000000001AF30000-0x000000001AF3E000-memory.dmp

Filesize
56KB

Download
memory/2972-56-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2972-6-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2972-5-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2972-4-0x0000000000530000-0x000000000054C000-memory.dmp

Filesize
112KB

Download
memory/2972-3-0x000000001B250000-0x000000001B37E000-memory.dmp

Filesize
1.2MB

Download
memory/2972-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-1-0x0000000000D50000-0x0000000001244000-memory.dmp

Filesize
5.0MB

Download