dcrat | 19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Size

4.9MB
MD5

1487016c15b347c8975ccf3fab67a56b
SHA1

7b7135f7ad70842ae1649f7896c1248575a5d421
SHA256

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39
SHA512

cd021c8329cd45bc769da1b0505db2752c6e0eb2c7af8c62bcedd0e8307e6e7963e7301769cc04729e9634ac81eeb6f598e50d5890da4076022bd90dbc4f04c2
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2528	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2728-3-0x000000001B390000-0x000000001B4BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
880	powershell.exe
1856	powershell.exe
2984	powershell.exe
1868	powershell.exe
2228	powershell.exe
2376	powershell.exe
2292	powershell.exe
2076	powershell.exe
1872	powershell.exe
2632	powershell.exe
2864	powershell.exe
684	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
2144	spoolsv.exe
2452	spoolsv.exe
2768	spoolsv.exe
2552	spoolsv.exe
1192	spoolsv.exe
932	spoolsv.exe
2212	spoolsv.exe
1588	spoolsv.exe
1556	spoolsv.exe
1808	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 12 IoCs

Processes:

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe

description	ioc	Process
File created	C:\Program Files\Windows Journal\Templates\lsm.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Idle.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX7314.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCX7E00.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Program Files\Windows Journal\Templates\101b941d020240	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX7110.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\lsm.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe

Drops file in Windows directory 17 IoCs

Processes:

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe

description	ioc	Process
File created	C:\Windows\Media\Raga\cc11b995f2a76d	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX6A96.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Media\Raga\RCX6C9A.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Cursors\sppsvc.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Media\Raga\winlogon.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\security\audit\RCX861F.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Cursors\RCX8CB6.tmp	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\Web\Wallpaper\Scenes\dwm.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\security\audit\f3b6ecef712a24	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\Cursors\sppsvc.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\security\audit\spoolsv.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\Cursors\0a1fd5f707cd16	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\security\audit\spoolsv.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\dwm.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\Web\Wallpaper\Scenes\6cb0b6c459d5d3	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\Media\Raga\winlogon.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
File created	C:\Windows\CSC\v2.0.6\csrss.exe	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1928	schtasks.exe
2004	schtasks.exe
1976	schtasks.exe
608	schtasks.exe
1296	schtasks.exe
2184	schtasks.exe
1756	schtasks.exe
2936	schtasks.exe
1748	schtasks.exe
2992	schtasks.exe
1112	schtasks.exe
1944	schtasks.exe
628	schtasks.exe
2468	schtasks.exe
1996	schtasks.exe
908	schtasks.exe
576	schtasks.exe
2908	schtasks.exe
2252	schtasks.exe
1424	schtasks.exe
2108	schtasks.exe
2940	schtasks.exe
2424	schtasks.exe
1800	schtasks.exe
1652	schtasks.exe
2608	schtasks.exe
604	schtasks.exe
2076	schtasks.exe
1728	schtasks.exe
2892	schtasks.exe
2996	schtasks.exe
676	schtasks.exe
808	schtasks.exe
2928	schtasks.exe
1156	schtasks.exe
1384	schtasks.exe
2032	schtasks.exe
1164	schtasks.exe
1460	schtasks.exe
912	schtasks.exe
1456	schtasks.exe
1160	schtasks.exe
2308	schtasks.exe
2176	schtasks.exe
2216	schtasks.exe
1220	schtasks.exe
1904	schtasks.exe
2824	schtasks.exe
1864	schtasks.exe
3040	schtasks.exe
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	Process
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
1868	powershell.exe
2228	powershell.exe
2632	powershell.exe
1856	powershell.exe
684	powershell.exe
2864	powershell.exe
2376	powershell.exe
2076	powershell.exe
2292	powershell.exe
1872	powershell.exe
2984	powershell.exe
880	powershell.exe
2144	spoolsv.exe
2452	spoolsv.exe
2768	spoolsv.exe
2552	spoolsv.exe
1192	spoolsv.exe
932	spoolsv.exe
2212	spoolsv.exe
1588	spoolsv.exe
1556	spoolsv.exe
1808	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2144	spoolsv.exe
Token: SeDebugPrivilege	2452	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	2552	spoolsv.exe
Token: SeDebugPrivilege	1192	spoolsv.exe
Token: SeDebugPrivilege	932	spoolsv.exe
Token: SeDebugPrivilege	2212	spoolsv.exe
Token: SeDebugPrivilege	1588	spoolsv.exe
Token: SeDebugPrivilege	1556	spoolsv.exe
Token: SeDebugPrivilege	1808	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.execmd.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exe

description	pid	Process	procid_target
PID 2728 wrote to memory of 880	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	82
PID 2728 wrote to memory of 880	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	82
PID 2728 wrote to memory of 880	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	82
PID 2728 wrote to memory of 2292	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	83
PID 2728 wrote to memory of 2292	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	83
PID 2728 wrote to memory of 2292	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	83
PID 2728 wrote to memory of 1856	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	84
PID 2728 wrote to memory of 1856	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	84
PID 2728 wrote to memory of 1856	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	84
PID 2728 wrote to memory of 2984	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	85
PID 2728 wrote to memory of 2984	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	85
PID 2728 wrote to memory of 2984	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	85
PID 2728 wrote to memory of 1868	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	86
PID 2728 wrote to memory of 1868	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	86
PID 2728 wrote to memory of 1868	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	86
PID 2728 wrote to memory of 2076	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	87
PID 2728 wrote to memory of 2076	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	87
PID 2728 wrote to memory of 2076	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	87
PID 2728 wrote to memory of 2228	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	88
PID 2728 wrote to memory of 2228	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	88
PID 2728 wrote to memory of 2228	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	88
PID 2728 wrote to memory of 2376	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	89
PID 2728 wrote to memory of 2376	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	89
PID 2728 wrote to memory of 2376	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	89
PID 2728 wrote to memory of 1872	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	90
PID 2728 wrote to memory of 1872	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	90
PID 2728 wrote to memory of 1872	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	90
PID 2728 wrote to memory of 2632	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	91
PID 2728 wrote to memory of 2632	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	91
PID 2728 wrote to memory of 2632	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	91
PID 2728 wrote to memory of 2864	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	92
PID 2728 wrote to memory of 2864	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	92
PID 2728 wrote to memory of 2864	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	92
PID 2728 wrote to memory of 684	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	93
PID 2728 wrote to memory of 684	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	93
PID 2728 wrote to memory of 684	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	93
PID 2728 wrote to memory of 1192	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	106
PID 2728 wrote to memory of 1192	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	106
PID 2728 wrote to memory of 1192	2728	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe	106
PID 1192 wrote to memory of 1960	1192	cmd.exe	108
PID 1192 wrote to memory of 1960	1192	cmd.exe	108
PID 1192 wrote to memory of 1960	1192	cmd.exe	108
PID 1192 wrote to memory of 2144	1192	cmd.exe	109
PID 1192 wrote to memory of 2144	1192	cmd.exe	109
PID 1192 wrote to memory of 2144	1192	cmd.exe	109
PID 2144 wrote to memory of 556	2144	spoolsv.exe	110
PID 2144 wrote to memory of 556	2144	spoolsv.exe	110
PID 2144 wrote to memory of 556	2144	spoolsv.exe	110
PID 2144 wrote to memory of 1232	2144	spoolsv.exe	111
PID 2144 wrote to memory of 1232	2144	spoolsv.exe	111
PID 2144 wrote to memory of 1232	2144	spoolsv.exe	111
PID 556 wrote to memory of 2452	556	WScript.exe	113
PID 556 wrote to memory of 2452	556	WScript.exe	113
PID 556 wrote to memory of 2452	556	WScript.exe	113
PID 2452 wrote to memory of 468	2452	spoolsv.exe	114
PID 2452 wrote to memory of 468	2452	spoolsv.exe	114
PID 2452 wrote to memory of 468	2452	spoolsv.exe	114
PID 2452 wrote to memory of 972	2452	spoolsv.exe	115
PID 2452 wrote to memory of 972	2452	spoolsv.exe	115
PID 2452 wrote to memory of 972	2452	spoolsv.exe	115
PID 468 wrote to memory of 2768	468	WScript.exe	116
PID 468 wrote to memory of 2768	468	WScript.exe	116
PID 468 wrote to memory of 2768	468	WScript.exe	116
PID 2768 wrote to memory of 1920	2768	spoolsv.exe	117

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exespoolsv.exespoolsv.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe
"C:\Users\Admin\AppData\Local\Temp\19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BZTuE4IZIU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1960
- - C:\Windows\security\audit\spoolsv.exe
    "C:\Windows\security\audit\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ecdac95-7f44-4c6e-9b8f-d9d7a078ff97.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d25d119-eb3d-4c07-a601-1a625eda671b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6f84d6f-6540-49d5-a212-1aaabaeb2150.vbs"
        8⤵
        
        PID:1920
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7df536-cf61-4dc7-a988-973b61b0facf.vbs"
        10⤵
        
        PID:1900
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5f5bc3-25a1-41dc-ae1f-6b9d1e71fe22.vbs"
        12⤵
        
        PID:1748
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c6ba5e5-7fbc-4b53-bd08-04b119601f3f.vbs"
        14⤵
        
        PID:1284
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cabc5449-ea3b-4ce3-9307-639e0044d379.vbs"
        16⤵
        
        PID:2696
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a02cb99-eb5b-46f3-863c-ff1595a33732.vbs"
        18⤵
        
        PID:2372
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f34856-832c-4368-911a-a44373037f19.vbs"
        20⤵
        
        PID:1500
        
        C:\Windows\security\audit\spoolsv.exe
        
        C:\Windows\security\audit\spoolsv.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0205992-828a-4f1d-8635-ab62232e7877.vbs"
        22⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f05bf3f1-5d59-49f9-b09d-c2b89e7663ad.vbs"
        22⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c0c096-4c9b-4cf3-8551-b705621c26fe.vbs"
        20⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9388949e-7d84-4b1f-856d-675726faf831.vbs"
        18⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3289b46c-190e-4722-82f7-bd2cb7fe0a08.vbs"
        16⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a76e4448-e6af-4b7f-abb0-c6ee1fcb0e14.vbs"
        14⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f19988b-52ea-430f-b8c3-4e8be7bf4d08.vbs"
        12⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11de8de-6518-4cb5-8039-a3184bd49f9a.vbs"
        10⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7e9fbb1-7b13-44e2-8acd-6645986f5580.vbs"
        8⤵
        
        PID:2988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a5e6e5-4761-4ef5-bda8-1fdffb9bbceb.vbs"
        6⤵
        
        PID:972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c6c2944-6b64-4e1b-9633-d5560efe7388.vbs"
      4⤵
      PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Scenes\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Scenes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Raga\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Raga\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Raga\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f391" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f391" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\security\audit\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\security\audit\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\security\audit\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\RCX8208.tmp

Filesize
4.9MB

MD5
05fcf7b9207f261bdd53b57cdb0533c2

SHA1
cf5e9583ba18462880f7dc8da219d6cd0be35d62

SHA256
e2aef3035ebeee1e732a325b81ca574f3df750a19c970dee4a09546e1e780af4

SHA512
b741b865822deed8e8e2199885b6078e4a062d19f72318891d28fb915cf345208d32cc74542de64ebc309d51c6068ee993412086d1a92603f2f20b3ad6e39602

Download Submit
C:\Program Files\Windows Portable Devices\csrss.exe

Filesize
4.9MB

MD5
1487016c15b347c8975ccf3fab67a56b

SHA1
7b7135f7ad70842ae1649f7896c1248575a5d421

SHA256
19f67bb78038966f9f1efb51ced0819105088a530a32bed8fb0df7b5d47e3f39

SHA512
cd021c8329cd45bc769da1b0505db2752c6e0eb2c7af8c62bcedd0e8307e6e7963e7301769cc04729e9634ac81eeb6f598e50d5890da4076022bd90dbc4f04c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c6ba5e5-7fbc-4b53-bd08-04b119601f3f.vbs

Filesize
712B

MD5
b75886d5321def03966a58108280cba4

SHA1
0383c27cdb9ae81f8af726ce44a7f8ee1b524824

SHA256
b6d870f77b58f6a8438167a4cfbab2687c86074f79335baf2ed35b0796c8f79a

SHA512
3332ac2c4d6102c0b01ca5423658281ba5132e83781d5b65f12d203f9574f33cdbb9d233f88c34162bfc51808bd8b1d595b8a329a3689d964e287ea7d4c5d8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f7df536-cf61-4dc7-a988-973b61b0facf.vbs

Filesize
713B

MD5
9d3882d4526bf02c7168eca922e05f62

SHA1
9e710f7d60832538d2d3be953f8b858314ca3507

SHA256
2f1ac15e4c06d9af3e5b2d11368d0bec7b75c1538d26edc811a7d1003f927ebf

SHA512
29c24a0df1c38c2f32a514d81c1d385e7978c1247a12d1933fce90d7aa262eabe451ddc144b2298e6c2626e5e941e2521bb50b2caf1970551ff95b7008da35c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a02cb99-eb5b-46f3-863c-ff1595a33732.vbs

Filesize
713B

MD5
a473e2371c662c5e4a4f3cbd701bcca7

SHA1
16a17664f535673a027c95271d627a8e87192b32

SHA256
988a917344264963278028b085414865883859ebc9897d8749930d001887b347

SHA512
0099cfeb2113f79723ba18d66c622a9948a37e42a177f53cc8305496b76964282845472f565fe2443404427118b0cbb82704a3063152ac1e0c3e7fcce403e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c5f5bc3-25a1-41dc-ae1f-6b9d1e71fe22.vbs

Filesize
713B

MD5
aa327abdba969dddfc6fb5d9101dd632

SHA1
69a487cad1715f9ca93aa60f70011094bfa771c8

SHA256
713de74482d5cd85d206656c00e4f4011329977725c5ba8ef2a6012e6769e352

SHA512
df32a55cc4038c7c8a8fc88329fadc19bb1d0ee0850d607c6de5eec661991e4fd9c4267cbffb942836ebc9add125f9a0c4b50befcb904532ae26f6ba3dba49af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ecdac95-7f44-4c6e-9b8f-d9d7a078ff97.vbs

Filesize
713B

MD5
4b36e60315edd130bf7478c5df1300eb

SHA1
1bb96c3927d395e8ff2cc94f38d3c8310bc4025a

SHA256
f6981141241fdb60fd5d82216bcb824b3bd237ec390dc7e787d589c53e3846e1

SHA512
2f83de3bf1cc809b618095f73bca379c2966b83f32e1e13f96ec9a9070401e44d30be5df3da1df5106d888e934c8d2ea6753ee43cb107dfc5019efc75a53fe48

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c6c2944-6b64-4e1b-9633-d5560efe7388.vbs

Filesize
489B

MD5
27317972445d1fd5c57d63d56a0188b5

SHA1
221a97116893e6f9ff179fd8aaaa472d17ff7873

SHA256
1b365c0a26f8d5de67664647c033bf53e2283135fcec7fd9307bae363b25c231

SHA512
87ec8d170a694d9e7efa8b2ea1bd7d69c10b702ae994e35003790d5d59cd48ccba9bc1c33cb3a63427f20ed93feb53de4c6764edfcf57e9bd58a37e4240377cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d25d119-eb3d-4c07-a601-1a625eda671b.vbs

Filesize
713B

MD5
85097ee247495fd77537dadcc4c442c6

SHA1
5b45d5c6edc4b0dd2fc2ed580c6d5ec7f45dadfb

SHA256
5143d60861f3c551572fde1ed74a80b3cef9b1634c41931262aa8a458b29b446

SHA512
cd5483fc92614cae07838fc43f5130fec3b5b8d33c68ded9d1f826838a97ddf70a11cea82da0f37c2473c88653f6efb4f89b079e613cd1e7639dbfb8e3dd9858

Download Submit
C:\Users\Admin\AppData\Local\Temp\BZTuE4IZIU.bat

Filesize
202B

MD5
dcefc745af398b31a20aded608334714

SHA1
c79d152c0c539ad15c9d0fb3c95269b244511e87

SHA256
1ec3a5ea26c0b6cb3d3b72ef39ff153e812741933389d7d867c40ab30e9e8a52

SHA512
67cad2d6a6af5e36703d022ab4c5fed32c542d61bd686866f010d670bce6fa293f18b2c42de464383e0699a0c92996f0ddc65f8913b1c9054635c56416aab8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0205992-828a-4f1d-8635-ab62232e7877.vbs

Filesize
713B

MD5
b8d76bc0208134ae59a8fcaf02f13ea9

SHA1
e2eb929cc257fd35d5e29d452105598316184053

SHA256
62449d77daa62f03e8a435f80f7f6db90f46f6df07963a10765bf7592c2b2e11

SHA512
116834c87988f8691b583b5d7d7d6a98d32753a90cdbc07c40846b8d22d460aea9923d3998a18b71f0851ec50a6663590c63c6090345e29c9d22bde6ff6120a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cabc5449-ea3b-4ce3-9307-639e0044d379.vbs

Filesize
713B

MD5
3a87ccd072557894555323dd56ae8d46

SHA1
638f204456b0058072a726761dfbe53dda2b0ae3

SHA256
e22b026505886624426d923252bdc7aee5719229e4b409432f8a847dc10583fd

SHA512
f6dd3cf93110a3e9a178ac504eee6cecd8ad07c905c6ed406af6d754b84a175d69330471c6498bf6ce1f19a7bd8f0b2ceac0f6a0a569129600131fd3aa0aecca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6f84d6f-6540-49d5-a212-1aaabaeb2150.vbs

Filesize
713B

MD5
ebed288e79f19f4821a23687a6032fba

SHA1
af31bc1a9a0e43b59e0374b1d1d5bcbb20933270

SHA256
f7a61758692dcad036a6993a53a519161fdef916707fc08c5e880c22ad6deffe

SHA512
0cd4b849d837867151a983a6a287536d627d208dae0460b8f7977938e7c81971b247fedf8d63101b194424fb3743912577fd706b3ab76b9f0230b09b621fd8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0f34856-832c-4368-911a-a44373037f19.vbs

Filesize
713B

MD5
9e9da39bb76ce859c323421dceb6614e

SHA1
d9fe17a03ae7b0c33626a715b2b8ab54d5b13029

SHA256
8c67fe56c99ae24beba1f014d08920d354be3417c540de4f6d20f6f43fa62c63

SHA512
8c4e778fc9154fc538f5ecf17748d07a4b1f872fb46c449fe000c40e418dd974786a93fb87aedd70b5abd7a46f58ee59263a5103304eeebcba4c2992a075cbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB461.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10d01a3e5ea71bf1e7d2cbb46340e417

SHA1
a20d571b5b976a5b3e5e1ff3f616e0c89de1d39a

SHA256
7ada914a0a0607997606c15bd337ec7da68b3c324a51b346c0ca044297830a29

SHA512
fd4a12a9d2c9e41578416ed7d1482d0ce6afe490761decb9930121ea8af6ad89589379f4682bd44dc3a988b15d3a1d3905a3739119c0cf54943f96077e23228f

Download Submit
C:\Windows\security\audit\spoolsv.exe

Filesize
4.9MB

MD5
0435ef9e372a65ca2e42eae5dffe794c

SHA1
e3db9c767f9a64bf9074f8957f43514c6d7b3332

SHA256
21f01fe3e3474907ecfc1fd34f69bc9bcf79002df6b3eb0c5436c93c8d273e23

SHA512
0c1952e65c09b3307eb39cf30ca0cf8b6315d30b167904ad928417ba10a842b52c21cec1e1b9e886ddda6bcc79dc486af13f360b69828b78672c17e4c0f2b3d5

Download Submit
memory/932-306-0x00000000003F0000-0x00000000008E4000-memory.dmp

Filesize
5.0MB

Download
memory/1192-291-0x0000000000300000-0x00000000007F4000-memory.dmp

Filesize
5.0MB

Download
memory/1588-336-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/1856-179-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1868-219-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2144-234-0x0000000000200000-0x00000000006F4000-memory.dmp

Filesize
5.0MB

Download
memory/2212-321-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/2452-248-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/2728-139-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x000000001B390000-0x000000001B4BE000-memory.dmp

Filesize
1.2MB

Download
memory/2728-0-0x000007FEF5FF3000-0x000007FEF5FF4000-memory.dmp

Filesize
4KB

Download
memory/2728-16-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/2728-15-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2728-13-0x0000000002510000-0x000000000251E000-memory.dmp

Filesize
56KB

Download
memory/2728-9-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2728-10-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2728-11-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2728-14-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2728-12-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/2728-8-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2728-7-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/2728-6-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2728-168-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-5-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2728-4-0x0000000000810000-0x000000000082C000-memory.dmp

Filesize
112KB

Download
memory/2728-153-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-2-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-1-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download