dcrat | 1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488ea

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Size

4.9MB
MD5

9c9a433ffb088d490ec324f3d76d9520
SHA1

60f30b59520078f280e4ff966d727c1fbea7058a
SHA256

1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488ea
SHA512

fe78c7cec8d6e752712912dc54ae71c53bfbadc59577031590c1d4e9756bb3a06a9421cbc94ec71672667db80c97a570df288089904b01f8d26bb79466baaead
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2648	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2648	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2484-3-0x000000001B5D0000-0x000000001B6FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
3068	powershell.exe
1336	powershell.exe
2256	powershell.exe
2512	powershell.exe
2596	powershell.exe
1684	powershell.exe
1152	powershell.exe
2368	powershell.exe
1908	powershell.exe
2056	powershell.exe
1952	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
1672	csrss.exe
3000	csrss.exe
2112	csrss.exe
296	csrss.exe
1552	csrss.exe
1032	csrss.exe
1344	csrss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Idle.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Common Files\Services\101b941d020240	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\69ddcba757bf72	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Media Player\en-US\taskhost.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\1610b97d3ab4a7	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Reference Assemblies\Idle.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\886983d96e3d3e	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\smss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\b75386f1303e64	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Common Files\Services\lsm.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Common Files\Services\6cb0b6c459d5d3	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\lsm.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX715D.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\dwm.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\OSPPSVC.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\taskhost.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCX8570.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Media Player\en-US\b75386f1303e64	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6D07.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\OSPPSVC.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX8801.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX9511.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Reference Assemblies\6ccacd8608530f	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCX7E4D.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files\Windows Defender\ja-JP\24dbde2999530e	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX6F3A.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX73DE.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX7BCD.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX8CB4.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\smss.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Program Files (x86)\Common Files\Services\dwm.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Idle.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File created	C:\Windows\Tasks\6ccacd8608530f	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Windows\Tasks\RCX834D.tmp	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
File opened for modification	C:\Windows\Tasks\Idle.exe	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1668	schtasks.exe
1328	schtasks.exe
796	schtasks.exe
296	schtasks.exe
580	schtasks.exe
2760	schtasks.exe
2684	schtasks.exe
2544	schtasks.exe
1056	schtasks.exe
1984	schtasks.exe
2368	schtasks.exe
1796	schtasks.exe
1808	schtasks.exe
2604	schtasks.exe
1648	schtasks.exe
520	schtasks.exe
1816	schtasks.exe
2136	schtasks.exe
2092	schtasks.exe
3016	schtasks.exe
2508	schtasks.exe
1600	schtasks.exe
2888	schtasks.exe
2348	schtasks.exe
1788	schtasks.exe
2276	schtasks.exe
2132	schtasks.exe
2184	schtasks.exe
2584	schtasks.exe
3008	schtasks.exe
112	schtasks.exe
604	schtasks.exe
2964	schtasks.exe
1940	schtasks.exe
1588	schtasks.exe
2216	schtasks.exe
552	schtasks.exe
1476	schtasks.exe
2256	schtasks.exe
768	schtasks.exe
2080	schtasks.exe
1104	schtasks.exe
892	schtasks.exe
1728	schtasks.exe
2308	schtasks.exe
2588	schtasks.exe
2288	schtasks.exe
1032	schtasks.exe
1224	schtasks.exe
2732	schtasks.exe
2416	schtasks.exe
1160	schtasks.exe
2296	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
2056	powershell.exe
2596	powershell.exe
1152	powershell.exe
1336	powershell.exe
1952	powershell.exe
3068	powershell.exe
1684	powershell.exe
2512	powershell.exe
2256	powershell.exe
2368	powershell.exe
1908	powershell.exe
1736	powershell.exe
1672	csrss.exe
3000	csrss.exe
2112	csrss.exe
296	csrss.exe
1552	csrss.exe
1032	csrss.exe
1344	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1672	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe
Token: SeDebugPrivilege	2112	csrss.exe
Token: SeDebugPrivilege	296	csrss.exe
Token: SeDebugPrivilege	1552	csrss.exe
Token: SeDebugPrivilege	1032	csrss.exe
Token: SeDebugPrivilege	1344	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2056	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	85
PID 2484 wrote to memory of 2056	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	85
PID 2484 wrote to memory of 2056	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	85
PID 2484 wrote to memory of 1952	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	86
PID 2484 wrote to memory of 1952	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	86
PID 2484 wrote to memory of 1952	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	86
PID 2484 wrote to memory of 1336	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	87
PID 2484 wrote to memory of 1336	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	87
PID 2484 wrote to memory of 1336	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	87
PID 2484 wrote to memory of 1908	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	90
PID 2484 wrote to memory of 1908	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	90
PID 2484 wrote to memory of 1908	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	90
PID 2484 wrote to memory of 2368	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	91
PID 2484 wrote to memory of 2368	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	91
PID 2484 wrote to memory of 2368	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	91
PID 2484 wrote to memory of 3068	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	92
PID 2484 wrote to memory of 3068	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	92
PID 2484 wrote to memory of 3068	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	92
PID 2484 wrote to memory of 1152	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	93
PID 2484 wrote to memory of 1152	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	93
PID 2484 wrote to memory of 1152	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	93
PID 2484 wrote to memory of 1736	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	94
PID 2484 wrote to memory of 1736	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	94
PID 2484 wrote to memory of 1736	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	94
PID 2484 wrote to memory of 1684	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	95
PID 2484 wrote to memory of 1684	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	95
PID 2484 wrote to memory of 1684	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	95
PID 2484 wrote to memory of 2596	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	96
PID 2484 wrote to memory of 2596	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	96
PID 2484 wrote to memory of 2596	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	96
PID 2484 wrote to memory of 2512	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	97
PID 2484 wrote to memory of 2512	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	97
PID 2484 wrote to memory of 2512	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	97
PID 2484 wrote to memory of 2256	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	98
PID 2484 wrote to memory of 2256	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	98
PID 2484 wrote to memory of 2256	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	98
PID 2484 wrote to memory of 1672	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	109
PID 2484 wrote to memory of 1672	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	109
PID 2484 wrote to memory of 1672	2484	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe	109
PID 1672 wrote to memory of 2000	1672	csrss.exe	110
PID 1672 wrote to memory of 2000	1672	csrss.exe	110
PID 1672 wrote to memory of 2000	1672	csrss.exe	110
PID 1672 wrote to memory of 580	1672	csrss.exe	111
PID 1672 wrote to memory of 580	1672	csrss.exe	111
PID 1672 wrote to memory of 580	1672	csrss.exe	111
PID 2000 wrote to memory of 3000	2000	WScript.exe	112
PID 2000 wrote to memory of 3000	2000	WScript.exe	112
PID 2000 wrote to memory of 3000	2000	WScript.exe	112
PID 3000 wrote to memory of 2948	3000	csrss.exe	113
PID 3000 wrote to memory of 2948	3000	csrss.exe	113
PID 3000 wrote to memory of 2948	3000	csrss.exe	113
PID 3000 wrote to memory of 2724	3000	csrss.exe	114
PID 3000 wrote to memory of 2724	3000	csrss.exe	114
PID 3000 wrote to memory of 2724	3000	csrss.exe	114
PID 2948 wrote to memory of 2112	2948	WScript.exe	115
PID 2948 wrote to memory of 2112	2948	WScript.exe	115
PID 2948 wrote to memory of 2112	2948	WScript.exe	115
PID 2112 wrote to memory of 2424	2112	csrss.exe	116
PID 2112 wrote to memory of 2424	2112	csrss.exe	116
PID 2112 wrote to memory of 2424	2112	csrss.exe	116
PID 2112 wrote to memory of 852	2112	csrss.exe	117
PID 2112 wrote to memory of 852	2112	csrss.exe	117
PID 2112 wrote to memory of 852	2112	csrss.exe	117
PID 2424 wrote to memory of 296	2424	WScript.exe	119

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe
"C:\Users\Admin\AppData\Local\Temp\1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488eaN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
  "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325a87e4-6c3b-4047-aff1-3707b47e4227.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
      "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3000
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bf34c8-e46c-42e0-abc5-844e6339df8d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dbe7948-bbb3-4a73-ab93-5c4a1e89e3cd.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff7edc90-bac2-48c1-8b21-b5e8a4b2513c.vbs"
        9⤵
        
        PID:2260
        
        C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12171dc7-5b3d-4191-ad4d-e9fac55e9f6e.vbs"
        11⤵
        
        PID:2340
        
        C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d798006f-fcf1-4a8e-baca-109c1217f5b6.vbs"
        13⤵
        
        PID:2284
        
        C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2afd9279-378f-4ca5-8184-4c60792044df.vbs"
        15⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4542046c-b147-45cf-ad03-86337ee5b222.vbs"
        15⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e987144a-3899-4d30-b902-af89846f9a04.vbs"
        13⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc2f70f-6fdb-4980-8bba-e9cc374453aa.vbs"
        11⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dd5f270-d198-41cd-8e4d-f74b12ed8b52.vbs"
        9⤵
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd00ae6-2f9f-4122-b62d-b848b758efd6.vbs"
        7⤵
        
        PID:852
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967fb143-e289-4596-9817-3d71c96d9d79.vbs"
        5⤵
        
        PID:2724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e088543-ab90-4063-917b-681b0444493d.vbs"
    3⤵
    PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Acrobat\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe

Filesize
4.9MB

MD5
9c9a433ffb088d490ec324f3d76d9520

SHA1
60f30b59520078f280e4ff966d727c1fbea7058a

SHA256
1982e9b7f36a5bddaac372b2e6fea5cdacbd238bcfb1c548d1184044437488ea

SHA512
fe78c7cec8d6e752712912dc54ae71c53bfbadc59577031590c1d4e9756bb3a06a9421cbc94ec71672667db80c97a570df288089904b01f8d26bb79466baaead

Download Submit
C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe

Filesize
4.9MB

MD5
1d0130b0e95c7f3ad65cd0a40abbb5b6

SHA1
d04dd622f13f44e1a0bd4ac160c0f56a8dad92dd

SHA256
660f151482c47c20ae5ef88acb7266e46e2209221f76d762073e3ea722b08d4e

SHA512
669bd4ec4b79ea75572f2c88d899316f8e8e02d9a72a6605df62e1233449b596beba91d9510483670d1631a78d87f9bc7452d31b5035846af2608d02314b76e2

Download Submit
C:\ProgramData\Adobe\Acrobat\csrss.exe

Filesize
4.9MB

MD5
f7f3b04392e143a502442f24f39a2513

SHA1
77afd0753718f5010317dc5f70a409addb6c81f1

SHA256
6d113e1676589f610c1b1a84af1490e8509cdc4ed34ffa5bf9f503a242dfc187

SHA512
2bc3409286ef720f48c6bb0d12a1788b0f1e4bd680bc5ca7a7353031338b10e9e8ace776cad10fe4ead1c0e94578f4dc0388e516f782722cb2985f17b5e6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\12171dc7-5b3d-4191-ad4d-e9fac55e9f6e.vbs

Filesize
729B

MD5
3623b77ca2788f99453c173772e770b4

SHA1
6f047ede5922485dc5c999e681cc035759d9abe2

SHA256
c4ff9f43523c11529681d8a8219861010b626314ac5a3bff8da339f79514e11c

SHA512
7e212bc03442536c11485b8f2528f52802dba1d3e4ef5247126ad19aed18e01904b31f5b5f08f7837d04519e7ead1a7ca9180f908dac6d0d4358264698c6201f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2afd9279-378f-4ca5-8184-4c60792044df.vbs

Filesize
729B

MD5
7323c66a24bcf76884ac48900bd1651e

SHA1
3db51038949ec6357fb48c6dc92837378ba79b47

SHA256
931f4c6fd5fd12c08df8995e7ac6aa57600e81e245231e241183b2cb559a15dd

SHA512
31d92d3f80b8395408fea0fd816538492dddc2b49e8b1336481de23c867404fc7c1f721587db53c04c5a9ac8ea6a986ff5df0bbc3814bde976ef0cf8b2184b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e088543-ab90-4063-917b-681b0444493d.vbs

Filesize
505B

MD5
2a42b0d135958f841e9b6fe8b9645bf0

SHA1
044e285678fe5b38a17b050aa11bd6e907254eef

SHA256
d866d7993eb43ac9bd91ee8a46cd5330a7fd2a31b5a3e7e3763bb679ce58fdf1

SHA512
5bd55c2912787ee522d135c4e01e0d4eb48c2a88ac52ab1c15e2c46c34cb7f02d117d88383b3102699d7df5e25a0d1db854d7dae887563620d4250de27dcdcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\325a87e4-6c3b-4047-aff1-3707b47e4227.vbs

Filesize
729B

MD5
0fcfb1d57a785486c5e12e6a9fef0581

SHA1
a257e1b3a00f4570575a11c7987ab4ffc26def2b

SHA256
3e10a139844c96db752c3be50c9246f83d46d111afa4b2c71d45df292803e89a

SHA512
48e08c2ed791c11a145aa2b5328025930d3f756e58cd85d9d35d229b542b515ed4554756af8c196fd076304f91b7f8bcb9a6eb2ed70a68a5f95139a789dc3c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dbe7948-bbb3-4a73-ab93-5c4a1e89e3cd.vbs

Filesize
729B

MD5
975827ad095f7b929f5eb7fdae664d5a

SHA1
cdb196421ee469557efc5c281c4ef739352491cd

SHA256
90ba5acc18b3dd944eafdf79c4556d38cba6e6ab62e7c00672ea014fbf5b4826

SHA512
af0f8684502ea4d7072859a58c0e40981d90a96783fe93b7f2ba0160a7349371ec882f246ab3798c1ee9ce14888f6d9e0e2dfc1dbea2d0b6d794a0eed5a622db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d798006f-fcf1-4a8e-baca-109c1217f5b6.vbs

Filesize
729B

MD5
d03841fd61bc8fae854fb6f18e6fba18

SHA1
5527571c10ade76942944af31135f26faa23c72a

SHA256
ae9eda11f36a77e387e0e461150cdaf3da26097bda2ca0834814d4e3b8ae4231

SHA512
18545cf21213996256bca61b6d7bed8cde63337cd1c4e87b950dc33ae8f81a49235566d7c33e54181fbd0ca6434a0e4bc3aeb8d964d57aaaa5000c88f1a8601e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7bf34c8-e46c-42e0-abc5-844e6339df8d.vbs

Filesize
729B

MD5
49c4b77499c5037304db0a9a290e0ab1

SHA1
abb5ea10f8314851a6e5e65d9502ba55bee0fdd4

SHA256
b2889aaa4e792e5de4e46554297d5c3bb7e8ecba2a18d5e857d4ea0fdacc27e4

SHA512
9292b8442457588681d5bb0c7d671f473a0f4a2db029abb7ef820e17657a61d0bd4da2ff60617779213520669c2bd2c4a9a89f4ec11d1ffd833cb294e9885d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff7edc90-bac2-48c1-8b21-b5e8a4b2513c.vbs

Filesize
728B

MD5
cf99d88bbdc0a6e17c1d7aa95d420d26

SHA1
94bbcac476df9c6ca837ad707b46e1023db883cd

SHA256
9e038b3e884e2cb25e15969abafac57bbb63f0624c0cba59181d58b863981462

SHA512
bc9058d0d4dafc3992609b2334a97cf254ec2f8cd7e58dc116348f63af5f424d72b16ce278a19298db466b633ca1683c55f6a83115e0f7ca0a114d5429a7e16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB56A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
60c7656e267df461cc71c6de265d5e23

SHA1
e62c6e9b3400cf997aeca11142143eac25595e30

SHA256
c09566689244ce3235e701d731ecc1332b8c0e988cc27eb24a43adc5763a3a68

SHA512
3a377fb937384fd8c565609ecd3a0eebd4bca73b60eeab2360756ff4389ba4171b471069687fc92080077acfd180313439ad14204aae87f9b2bf05efe8706015

Download Submit
memory/296-290-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/1672-245-0x0000000000C60000-0x0000000001154000-memory.dmp

Filesize
5.0MB

Download
memory/2112-275-0x0000000000820000-0x0000000000D14000-memory.dmp

Filesize
5.0MB

Download
memory/2484-9-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/2484-11-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2484-92-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-15-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2484-106-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-14-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2484-13-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2484-1-0x00000000003C0000-0x00000000008B4000-memory.dmp

Filesize
5.0MB

Download
memory/2484-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-12-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/2484-246-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2484-10-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2484-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-3-0x000000001B5D0000-0x000000001B6FE000-memory.dmp

Filesize
1.2MB

Download
memory/2484-8-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2484-7-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/2484-6-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2484-5-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2484-4-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2596-242-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/3000-260-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/3068-241-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download