dcrat | 28053f0b254f2ecc8d8a74e4de2af17fa3d6a746fbecf7ac173891663c95f994

Analysis

max time kernel
117s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Size

1.8MB
MD5

2f7a0b0d633254c477f9d8650d485d11
SHA1

1ce7e5c3989077d2965d9aac2a256f9930e5b98f
SHA256

4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0
SHA512

b6141e51687d39942fb04f593c7bb2c0a7ec9e0bc53200f22e4d4c94fdb5ce55aed3169ca35d014fb746089bd2087f585ad3f057931642650ff0063195054299
SSDEEP

49152:VbA3GzW8NA/VUPoFVwrIIV+DJGfZ19qigh:Vbs8NA/VUPoXIV+Dwbwfh

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1108	schtasks.exe
		2492	schtasks.exe
		948	schtasks.exe
		1964	schtasks.exe
		2036	schtasks.exe
		4596	schtasks.exe
		1972	schtasks.exe
		2684	schtasks.exe
		1948	schtasks.exe
		2084	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\121e5b5079f7c0		Crtmonitor.exe
		3748	schtasks.exe
		3964	schtasks.exe
		3384	schtasks.exe
		5036	schtasks.exe
		2476	schtasks.exe
		3448	schtasks.exe
		1772	schtasks.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991		Crtmonitor.exe
		2736	schtasks.exe
		4352	schtasks.exe
		5032	schtasks.exe
		392	schtasks.exe
		3536	schtasks.exe
		4148	schtasks.exe
		4532	schtasks.exe
		3488	schtasks.exe
		4440	schtasks.exe
		2820	schtasks.exe
		4448	schtasks.exe
		4336	schtasks.exe
		1944	schtasks.exe
		5012	schtasks.exe
		4440	schtasks.exe
		3700	schtasks.exe
		1984	schtasks.exe
		464	schtasks.exe
		5060	schtasks.exe
		2884	schtasks.exe
		1052	schtasks.exe
		3308	schtasks.exe
		3620	schtasks.exe
		1920	schtasks.exe
		4928	schtasks.exe
		3564	schtasks.exe
		4056	schtasks.exe
		4044	schtasks.exe
		1916	schtasks.exe
		4412	schtasks.exe
		2080	schtasks.exe
		2360	schtasks.exe
		2124	schtasks.exe
		4028	schtasks.exe
		2296	schtasks.exe
		1752	schtasks.exe
		4388	schtasks.exe
		1852	schtasks.exe
		3328	schtasks.exe
		4832	schtasks.exe
		3068	schtasks.exe
		4520	schtasks.exe
		3224	schtasks.exe
		708	schtasks.exe
		476	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	72	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1392	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1392	schtasks.exe	83

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001c00000002ab3e-10.dat	dcrat
behavioral1/memory/3112-12-0x00000000006D0000-0x000000000085E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4604	powershell.exe
2644	powershell.exe
3688	powershell.exe
1492	powershell.exe
2564	powershell.exe
2368	powershell.exe
4440	powershell.exe
4848	powershell.exe
4620	powershell.exe
3168	powershell.exe
2520	powershell.exe
1176	powershell.exe
1128	powershell.exe
3864	powershell.exe
2420	powershell.exe
4492	powershell.exe
5008	powershell.exe
2428	powershell.exe
1468	powershell.exe
4928	powershell.exe
232	powershell.exe
3420	powershell.exe
2404	powershell.exe
1472	powershell.exe
4392	powershell.exe
2564	powershell.exe
3448	powershell.exe
2920	powershell.exe
3620	powershell.exe
3368	powershell.exe
4888	powershell.exe
2896	powershell.exe
5024	powershell.exe
4172	powershell.exe
2632	powershell.exe
4376	powershell.exe
2760	powershell.exe
4348	powershell.exe
3716	powershell.exe
2992	powershell.exe
3728	powershell.exe
4872	powershell.exe
3380	powershell.exe
2232	powershell.exe
856	powershell.exe
3452	powershell.exe
2012	powershell.exe
2208	powershell.exe
3616	powershell.exe
3392	powershell.exe
3672	powershell.exe
1176	powershell.exe
5016	powershell.exe
2660	powershell.exe
5076	powershell.exe
1572	powershell.exe
4508	powershell.exe
2552	powershell.exe
1796	powershell.exe
324	powershell.exe
2184	powershell.exe
1808	powershell.exe
4784	powershell.exe
1396	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 19 IoCs

pid	Process
3112	Crtmonitor.exe
2464	sysmon.exe
2992	sysmon.exe
3696	sysmon.exe
2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
984	explorer.exe
232	Crtmonitor.exe
3716	Crtmonitor.exe
4928	Crtmonitor.exe
4268	wscript.exe
1200	conhost.exe
1768	Crtmonitor.exe
4148	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
3524	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
1796	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
6140	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
1972	Crtmonitor.exe
2008	Crtmonitor.exe
3388	wscript.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crtmonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crtmonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crtmonitor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Offline\explorer.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Google\Update\Offline\7a0fd90576e088	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9	Crtmonitor.exe
File created	C:\Program Files\7-Zip\Lang\817c8c8ec737a7	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\5940a34987c991	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe	Crtmonitor.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe	Crtmonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\121e5b5079f7c0	Crtmonitor.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	Crtmonitor.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Registry.exe	Crtmonitor.exe
File created	C:\Program Files\7-Zip\Lang\wscript.exe	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows Mail\cmd.exe	Crtmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\cmd.exe	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows Mail\ebf1f9fa8afd6d	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\27d1bcfc3c54e0	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\conhost.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\088424020bedd6	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files\dotnet\dllhost.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files\dotnet\5940a34987c991	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ee2ad38f3d4382	Crtmonitor.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\System.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\lsass.exe	Crtmonitor.exe
File created	C:\Windows\Prefetch\ReadyBoot\6203df4a6bafc7	Crtmonitor.exe
File created	C:\Windows\InputMethod\CHT\OfficeClickToRun.exe	Crtmonitor.exe
File created	C:\Windows\InputMethod\CHT\e6c9b481da804f	Crtmonitor.exe
File created	C:\Windows\debug\wscript.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File opened for modification	C:\Windows\debug\wscript.exe	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
File created	C:\Windows\debug\817c8c8ec737a7	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Crtmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Crtmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Crtmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	Crtmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	sysmon.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
1660	reg.exe
3016	reg.exe
1076	reg.exe
1076	reg.exe
936	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4816	schtasks.exe
3748	schtasks.exe
4520	schtasks.exe
2580	schtasks.exe
1852	schtasks.exe
2840	schtasks.exe
4924	schtasks.exe
3536	schtasks.exe
1752	schtasks.exe
5012	schtasks.exe
4532	schtasks.exe
3700	schtasks.exe
1588	schtasks.exe
4388	schtasks.exe
3328	schtasks.exe
2084	schtasks.exe
1920	schtasks.exe
3488	schtasks.exe
4440	schtasks.exe
1568	schtasks.exe
4352	schtasks.exe
2036	schtasks.exe
4336	schtasks.exe
1916	schtasks.exe
4056	schtasks.exe
708	schtasks.exe
1944	schtasks.exe
2000	schtasks.exe
4448	schtasks.exe
572	schtasks.exe
1256	schtasks.exe
72	schtasks.exe
2684	schtasks.exe
1588	schtasks.exe
1948	schtasks.exe
708	schtasks.exe
464	schtasks.exe
792	schtasks.exe
3708	schtasks.exe
3116	schtasks.exe
392	schtasks.exe
4832	schtasks.exe
660	schtasks.exe
3568	schtasks.exe
1944	schtasks.exe
2360	schtasks.exe
4028	schtasks.exe
948	schtasks.exe
5036	schtasks.exe
1984	schtasks.exe
4928	schtasks.exe
2884	schtasks.exe
3444	schtasks.exe
476	schtasks.exe
3564	schtasks.exe
3964	schtasks.exe
1108	schtasks.exe
1772	schtasks.exe
1964	schtasks.exe
1832	schtasks.exe
4412	schtasks.exe
3148	schtasks.exe
3536	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	Crtmonitor.exe
3112	Crtmonitor.exe
3112	Crtmonitor.exe
3112	Crtmonitor.exe
3112	Crtmonitor.exe
3112	Crtmonitor.exe
5080	powershell.exe
5080	powershell.exe
2564	powershell.exe
2564	powershell.exe
2360	powershell.exe
2360	powershell.exe
3420	powershell.exe
3420	powershell.exe
1100	powershell.exe
1100	powershell.exe
2896	powershell.exe
2896	powershell.exe
2208	powershell.exe
2208	powershell.exe
3728	powershell.exe
3728	powershell.exe
2896	powershell.exe
2012	powershell.exe
2012	powershell.exe
232	powershell.exe
232	powershell.exe
4776	powershell.exe
4776	powershell.exe
3672	powershell.exe
3672	powershell.exe
2012	powershell.exe
5080	powershell.exe
2564	powershell.exe
2360	powershell.exe
3420	powershell.exe
2208	powershell.exe
4776	powershell.exe
1100	powershell.exe
232	powershell.exe
3728	powershell.exe
3672	powershell.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2464	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
2992	sysmon.exe
3696	sysmon.exe
3696	sysmon.exe
3696	sysmon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	Crtmonitor.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	2464	sysmon.exe
Token: SeDebugPrivilege	2992	sysmon.exe
Token: SeDebugPrivilege	3696	sysmon.exe
Token: SeDebugPrivilege	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	984	explorer.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	232	Crtmonitor.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	3716	Crtmonitor.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4928	Crtmonitor.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3888	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
3024	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
4528	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
4948	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4040	5076	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	77
PID 5076 wrote to memory of 4040	5076	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	77
PID 5076 wrote to memory of 4040	5076	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	77
PID 4040 wrote to memory of 3696	4040	WScript.exe	80
PID 4040 wrote to memory of 3696	4040	WScript.exe	80
PID 4040 wrote to memory of 3696	4040	WScript.exe	80
PID 3696 wrote to memory of 3112	3696	cmd.exe	82
PID 3696 wrote to memory of 3112	3696	cmd.exe	82
PID 3112 wrote to memory of 2564	3112	Crtmonitor.exe	90
PID 3112 wrote to memory of 2564	3112	Crtmonitor.exe	90
PID 3112 wrote to memory of 5080	3112	Crtmonitor.exe	91
PID 3112 wrote to memory of 5080	3112	Crtmonitor.exe	91
PID 3112 wrote to memory of 232	3112	Crtmonitor.exe	92
PID 3112 wrote to memory of 232	3112	Crtmonitor.exe	92
PID 3112 wrote to memory of 2012	3112	Crtmonitor.exe	93
PID 3112 wrote to memory of 2012	3112	Crtmonitor.exe	93
PID 3112 wrote to memory of 4776	3112	Crtmonitor.exe	94
PID 3112 wrote to memory of 4776	3112	Crtmonitor.exe	94
PID 3112 wrote to memory of 3672	3112	Crtmonitor.exe	95
PID 3112 wrote to memory of 3672	3112	Crtmonitor.exe	95
PID 3112 wrote to memory of 2896	3112	Crtmonitor.exe	96
PID 3112 wrote to memory of 2896	3112	Crtmonitor.exe	96
PID 3112 wrote to memory of 3420	3112	Crtmonitor.exe	97
PID 3112 wrote to memory of 3420	3112	Crtmonitor.exe	97
PID 3112 wrote to memory of 2208	3112	Crtmonitor.exe	98
PID 3112 wrote to memory of 2208	3112	Crtmonitor.exe	98
PID 3112 wrote to memory of 1100	3112	Crtmonitor.exe	99
PID 3112 wrote to memory of 1100	3112	Crtmonitor.exe	99
PID 3112 wrote to memory of 2360	3112	Crtmonitor.exe	100
PID 3112 wrote to memory of 2360	3112	Crtmonitor.exe	100
PID 3112 wrote to memory of 3728	3112	Crtmonitor.exe	101
PID 3112 wrote to memory of 3728	3112	Crtmonitor.exe	101
PID 3112 wrote to memory of 1576	3112	Crtmonitor.exe	114
PID 3112 wrote to memory of 1576	3112	Crtmonitor.exe	114
PID 3696 wrote to memory of 1076	3696	cmd.exe	116
PID 3696 wrote to memory of 1076	3696	cmd.exe	116
PID 3696 wrote to memory of 1076	3696	cmd.exe	116
PID 1576 wrote to memory of 3616	1576	cmd.exe	117
PID 1576 wrote to memory of 3616	1576	cmd.exe	117
PID 1576 wrote to memory of 2464	1576	cmd.exe	118
PID 1576 wrote to memory of 2464	1576	cmd.exe	118
PID 2464 wrote to memory of 3640	2464	sysmon.exe	119
PID 2464 wrote to memory of 3640	2464	sysmon.exe	119
PID 2464 wrote to memory of 3232	2464	sysmon.exe	120
PID 2464 wrote to memory of 3232	2464	sysmon.exe	120
PID 2988 wrote to memory of 2992	2988	WScript.exe	122
PID 2988 wrote to memory of 2992	2988	WScript.exe	122
PID 3640 wrote to memory of 3696	3640	WScript.exe	123
PID 3640 wrote to memory of 3696	3640	WScript.exe	123
PID 3888 wrote to memory of 3660	3888	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	128
PID 3888 wrote to memory of 3660	3888	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	128
PID 3888 wrote to memory of 3660	3888	4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe	128
PID 2084 wrote to memory of 3716	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	148
PID 2084 wrote to memory of 3716	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	148
PID 2084 wrote to memory of 2552	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	149
PID 2084 wrote to memory of 2552	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	149
PID 2084 wrote to memory of 4872	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	150
PID 2084 wrote to memory of 4872	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	150
PID 2084 wrote to memory of 1468	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	151
PID 2084 wrote to memory of 1468	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	151
PID 2084 wrote to memory of 1396	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	152
PID 2084 wrote to memory of 1396	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	152
PID 2084 wrote to memory of 4564	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	154
PID 2084 wrote to memory of 4564	2084	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe	154

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Crtmonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
"C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\CombrowserSavesInto\Crtmonitor.exe
      "C:\CombrowserSavesInto\Crtmonitor.exe"
      4⤵
      DcRat
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJN1aSsoVS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3616
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1973236f-06ec-4c1a-9fe0-150ced328e23.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs"
        7⤵
        
        PID:3232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1973236f-06ec-4c1a-9fe0-150ced328e23.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sysmon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs"
1⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
"C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
  - - C:\CombrowserSavesInto\Crtmonitor.exe
      "C:\CombrowserSavesInto\Crtmonitor.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat"
        5⤵
        
        PID:4936
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3932
      - C:\CombrowserSavesInto\Crtmonitor.exe
        
        "C:\CombrowserSavesInto\Crtmonitor.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYD4RjTjc3.bat"
        7⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3696
        
        C:\Users\Default User\conhost.exe
        
        "C:\Users\Default User\conhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:1200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1076

C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
"C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Program Files (x86)\Google\Update\Offline\explorer.exe
  "C:\Program Files (x86)\Google\Update\Offline\explorer.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\debug\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Offline\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\CombrowserSavesInto\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\CombrowserSavesInto\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\CombrowserSavesInto\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\CombrowserSavesInto\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\CombrowserSavesInto\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\CombrowserSavesInto\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
"C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
  - - C:\CombrowserSavesInto\Crtmonitor.exe
      "C:\CombrowserSavesInto\Crtmonitor.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H4DfJFnEwO.bat"
        5⤵
        
        PID:716
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:464
      - C:\Users\All Users\Documents\wscript.exe
        
        "C:\Users\All Users\Documents\wscript.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:4268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs"
1⤵
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:72

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\All Users\Documents\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrtmonitorC" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\Crtmonitor.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Crtmonitor" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Crtmonitor.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrtmonitorC" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\Crtmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H4DfJFnEwO.bat" "
1⤵
PID:4532
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Users\Admin\Desktop\Crtmonitor.exe
"C:\Users\Admin\Desktop\Crtmonitor.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:1768

C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
"C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System policy modification
PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:856
- C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
  "C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - System policy modification
  PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/CombrowserSavesInto/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8RaRG7ml3.bat"
    3⤵
    PID:5280
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1276
  - - C:\CombrowserSavesInto\wscript.exe
      "C:\CombrowserSavesInto\wscript.exe"
      4⤵
      Executes dropped EXE
      PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1199b3e548e0a5cf7f1c1fb10259b8efe2685e571" /sc MINUTE /mo 12 /tr "'C:\CombrowserSavesInto\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1199b3e548e0a5cf7f1c1fb10259b8efe2685e57" /sc ONLOGON /tr "'C:\CombrowserSavesInto\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1199b3e548e0a5cf7f1c1fb10259b8efe2685e571" /sc MINUTE /mo 6 /tr "'C:\CombrowserSavesInto\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\csrss.exe'" /f
1⤵
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WindowsHolographicDevices\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
"C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5576
  - - C:\CombrowserSavesInto\Crtmonitor.exe
      "C:\CombrowserSavesInto\Crtmonitor.exe"
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs"
1⤵
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\CombrowserSavesInto\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\CombrowserSavesInto\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\CombrowserSavesInto\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\CombrowserSavesInto\wscript.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\CombrowserSavesInto\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\CombrowserSavesInto\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
"C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe"
1⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe
"C:\Users\Admin\AppData\Local\Temp\4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\CombrowserSavesInto\gFc2W3El0.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
  - - C:\CombrowserSavesInto\Crtmonitor.exe
      "C:\CombrowserSavesInto\Crtmonitor.exe"
      4⤵
      Executes dropped EXE
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs"
1⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe
"C:\Users\Admin\AppData\Local\Temp\1199b3e548e0a5cf7f1c1fb10259b8efe2685e57.exe"
1⤵
- Executes dropped EXE
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L8RaRG7ml3.bat" "
1⤵
PID:1304
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:2356

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CombrowserSavesInto\8XvFTVLpT5xtXdrooGsphRu.vbe

Filesize
205B

MD5
f9aa9ba9ca708623a6d8eafcab82b460

SHA1
c75bfeade1de9cd48b255a60679a2afd045fd737

SHA256
0b51137a1e50b6fde4624ccff526ceb7a3fb911c811c45dcdd2fd30004993471

SHA512
31ef0b612045b9261ab91921336931c318e4ff853197c58d29e9741c86eeb4db859a97d413d92ac6d6d18fbeabd4ee4a1c8d4512f25468818421c4ce63a4c7a8

Download Submit
C:\CombrowserSavesInto\Crtmonitor.exe

Filesize
1.5MB

MD5
4667f5be1002ce912e5590cca8da93b6

SHA1
2e408e483dd447b69d2e938218989265fbfdc2af

SHA256
fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

SHA512
cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

Download Submit
C:\CombrowserSavesInto\gFc2W3El0.bat

Filesize
151B

MD5
341c56654b4b916155226d31ae60c33b

SHA1
15625cf5fdc9c74cd7ab2df39433ec7a3e1587e8

SHA256
a5712bbb877663ebb6f017ecb478fe7c79337afa84dbda0b7b1c75120cf7b38d

SHA512
32509ecdeed2748d7e66d26b1d8927f6ab1ee98bd7e3c2b585c1ac697f9aaccb6efd44c0f8d30c70c8baebb1b4e07a51a5ce6e437ad155975b33a7dfe7dbf994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Crtmonitor.exe.log

Filesize
1KB

MD5
4a154b138b22d8614bea6d4aa8bffecf

SHA1
e234d740d83d68c2233e8bf3ffd65406d5ca9563

SHA256
0c84f439b774b18f2f98ff2bd65b31a7540a064ec20aed0b5cd5fdd7546d56f6

SHA512
c3f7dabc72ddc377d50843b5e3a2bdc1600cee7d5dcdc52b7db9c675fbc5cb510be01ffe911462fd4e5af95737108ae1b19d006c00be5217f489c3772b7a68ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
8660c36dcff96744fee12820fc973263

SHA1
3be2a4dd4474873d20ee93b4f80b5e786424d814

SHA256
2520a9e21907ba0f4f0eee47783a432201c67d368a7269f8c1fd02f88a9156c8

SHA512
2833190db9a3863a4ebe89108c31b696b4f8ae5f4f31f9bcd97f4b618720040ad69440e4a969ccf4c1096f15e208922909312ad534e1e102f69c8bb79abdb7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b6c7f20485e3eb78dcebc57dbffd53a

SHA1
0b74b6fd0e39ac4802b6ace079c0f818e279cb28

SHA256
79171f02cd2053089116645c69ad0bcdcf591db073ecf3b7397fac2fb6e9fb9a

SHA512
1fc966ed88e45e026ee7207c9a2deb18df65be84d0e10b03642a72b094e37b7464bfd10aa73429de51d6b70e0b2cf5b54ebc06e2263f5dd0ad023f20633b0e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc4dd6766dd68388d8733f1b729f87e9

SHA1
7b883d87afec5be3eff2088409cd1f57f877c756

SHA256
3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

SHA512
3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cad6ee71e2f46608490520923ec5d2ff

SHA1
e975523ab16e08c69c671db25eb18a17ebeddeae

SHA256
a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753

SHA512
5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d929dba1cb42eb19a0cf23027728c113

SHA1
e5b9a6b96bf3ed001d44ad39a4b67c094cf546fa

SHA256
69770be296a917670e9102c23d10a1e2f4f16ee503ce93e08be3f70569fbc2b7

SHA512
3ec0fc1b99f21c08de01eaee63d77bd6615571f33a32e5ea2f35c29fd0afc8998300d5ecb995887e95644a149c389cbe33eca414d937e1e27d49515fb572b4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2882e136563e56aac4c52a68d657e298

SHA1
bb0e315c6e10a498fcad3700761bcc6e70eb1fbc

SHA256
5031b9aa422eb1f2ff88e012dc133f049e1f92c3e6edd6aef7cfe9c2b8272a25

SHA512
d2c5f857d5901c157cbe2e08366592e1dfbf6b6395e9ab7c1d94a1bf529ee17a72bbecf4f304e1728dfc9905b4de89be53b25dfe09c783ed9dd365a6c73523c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be40509e1acb9d6e3e0929bb725e3725

SHA1
68e0314dee1bbe68c0a1930b69d00e9fb9bc2b37

SHA256
1449992f97f35200495a8abb97e585e04addcc66a7cecd0926a6cc6ef57e858c

SHA512
cda0752f2620a5c2e842c39c91b163564cf3c22c8a139420309170c00682955adbcc98b7318a012a1a0a7432f3d7e01d354b752bf0b34c193a7a3ef377faf9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bba038a5b7f0d834cccd3c07218dfd84

SHA1
d0e54860c01f4783d5973c4fceeaa04a8b15b59b

SHA256
3d27ee1f7890592931e39e357cd8ac14f522fa4bd7dfa8043435fd4d72db6d2d

SHA512
2bed9ad6a2aecd69e1431c3b929be9d91b485383d8d818ff173acb6f59ad5d04bf8cd9f678ca35c9208c87eef8ba3192ee0bb245c3937f474f6bfbf44d0b7d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e02fc0b3bdb8f40184e3bd173e7ec2fe

SHA1
5798c44c7bb33eaa89cce50178180fc8b5411a17

SHA256
f80d602c298fb72e5c5f68ace593fa2785b97bacbc4277e5a187862b4b09272d

SHA512
6aab23f3512cc5238262b6188d0556006461a0f61e0a7a5ca0405c251d9a339226c27c46c4358e17e286b1e2b15fc094773ae5e685974570b4bbbfcb8b4daaac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b773b6415d89a2dd9c9f63f33a701e00

SHA1
956f9ce7f03d46d42e2a337d5ddd1c95bb1119e9

SHA256
efdcb7187302f6bb39db8898f919214494755fbf7adc9a1ec1422101e4a4cbf1

SHA512
71f6c054bcd6808fbe6d5e7b3a692cb841311dda62c4f9cf3bf792ff61c6bc69b9c5ef3271d93266161f5106e10991720fc6e1dbdd0afe609ae98eea5210c022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bda95964af6686f13b722b5afc511019

SHA1
a61077c1cf551bfb18bd4aa58a50fd127897c8fd

SHA256
fea4fcf87c1ba433a7c5a078733f65b837c20cc105c5b7125ba5f55ee65b49c7

SHA512
a44e2078f2486d3805e01d2eab93f750f2035a3c3e8f2deb3946470ecf42c06c8fdaa2b04ad8d2941ed33a6cd68f0ed75b47fd1dd650129dc047daa299bced47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f77e9123b81b0bceb1430a5ee16a1c6b

SHA1
39c7eaf7e2a7fa44bfe98806c9e8b5a6460c1465

SHA256
3075159a5cd53a7aa42b4de1f25d1baa31dae1ec182cc4528d8b9bc83a1ba661

SHA512
1c7c356ce84263490906445140e8bd79018ad3c5644a2a492829d692f692b87ffaee13a272e3b9a78e864b0a661cf564b2dda1dc635021db9de7b2812891cd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d1468279f8e95a0fa383753b4e80fa83

SHA1
5d1128d23068038e2a0a9237e0fa62cdce8c48b5

SHA256
2ff020de913ab372cf43cc4f196c08e13bb91621dddf411615f47a07ed932387

SHA512
81efb0c1c406dbed3c44ef832f329057c7469baf15203c34a38603b288263a31170dc280f84ead4a3960a8f091f86d031f332f8fcad4a2a428f5cb83aa833179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9030854a24cf37b7b4e3650aac67d427

SHA1
27f3e35705bbe6388da04bf97e09da1875a6bc71

SHA256
e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0

SHA512
f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ca61866d916f963b5c4833e831eb103c

SHA1
69b22597fa6d9dc18df3618129699226aa73c66f

SHA256
6cb584755d42f50d6f0bd8e4a5d8aa831f8657d9237d3c383ec0e2855c721fd0

SHA512
3c18486b284793bb1d97a4c4e994f2fef7b4564887e7961e66efa97c38d3d23d01a3f615baf8b5975f856dc062fb116e1c70e1369a14e8bfe7ea0d6259941d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcaf2ad1cc3d3050e4376830516a508d

SHA1
d9f1776b334c8e4d8eb3018a0b5537d578b1220c

SHA256
1e219cb4eb30617aac3feb6b075978fdc1c415a52cd173650c154d3164276a98

SHA512
9f6662fadd9368203e3d2d6c20b7341744f7d48695b0d6d7e1aefe4a265433dc6b8c154aecfe1e1c8e00006850a4790e6d014e3624e264b050b06fbdca1d36fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb67c2ed773ecf921eaf7938082d272e

SHA1
3237eca4ecd8db432890f3373053ddb84b63575a

SHA256
3f730af0271b66c797618d84dc860f03a462c3bfc6fee194b345549eb382ea5e

SHA512
ff3d2711ac4b564a8492fdaadf281b24df238da19093faf0477cb54f1e35542b2b1f9063989a3ca9c45876f57cce1ec99f5b6421f6bbfa2d17c5ac2f34d619e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59de841975cea5c045c2883ecdcd2e70

SHA1
020aee4a942de398cd857ce2041433082c026c03

SHA256
f69868801f4042873d4fa598cd30374bce211bb8273cb67147b0a9035517b14d

SHA512
386e7e6953e25c5c6566b02a6c245d087c1844d872009e2d1a1ed57488ea1c4b1fee535c2cd24b65f1dc25df40d9c5c3c7a3630756365936298f5a27033e4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\1973236f-06ec-4c1a-9fe0-150ced328e23.vbs

Filesize
760B

MD5
5c3b64eb89ee70197c65b55e68646901

SHA1
7988fdac92c31cda9e201dbf19184d278ea36318

SHA256
cae7f4b231ce215e8799ee7376d576db2005d240d45eb57e0f502802e30f44d5

SHA512
daaa5f835ac42de4eee6e26a23860e393dfcc99a48e60eb6662a4adaf15e48f615235f1c5fff2cbd73ddeb6b7523d29b875e89db749f77768f189a0879fafe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\H4DfJFnEwO.bat

Filesize
205B

MD5
06e9528493a4e0866e2e8a54e9a162bc

SHA1
ca93eb8ab8b499e0896185e28927f7baa8e3eb33

SHA256
f0918cbe7dd5cf147e73cb0cf394ba737298fd989729471c409c35006216edc8

SHA512
8e837c8e05f8b0fd268789ac90946a0abb29d2f761a3c7b89e488ec0db775c09b8ec2e59fb9e06b6c5d8d59aee23119737ea72b4eae81640efe0011e46788e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dr3e20qo.kqz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd627335-68b0-4cf6-a6f5-b68124b8d87b.vbs

Filesize
536B

MD5
66ebd75f63a8abb3e0770f1ee310fcfb

SHA1
f43257316c0efc3b7fbce6b6b932c2b8e11adf34

SHA256
e9e49d7c86e535c3735174f056ec96c3b158c5af496dc75062df1fb3d73f80ac

SHA512
dacb50714bfa3a01e14d67a6589b25fd4f79fdd1655de008778898fcbb71fc70e4d6f6e28d5d7b9776fdc98cc396b9c91122606516e4b60ed8dbcbc450ddaf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJN1aSsoVS.bat

Filesize
249B

MD5
c1b13e5cb584a6490861750407436c16

SHA1
6603f2c5fccb1ad63a21f42373c97cfc2fa2c0e4

SHA256
53552cace31fb1f2749e71e7bcbacd6c2f6a354a28ba40858cac9ba0d7670084

SHA512
a35949cccdd3e0408517a7807bda52c6f462a9ef754afbd2092962c673d7d67514e5086f2b513aa02fc77716ab83b904e117eeeb60b1bb0d4b1c9019df1cf4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\yDWQnRz0r7.bat

Filesize
202B

MD5
1015d084c9b825397d688997757796b8

SHA1
ea1c22e56be630ca09887f43924bed8c23bd484b

SHA256
87d6774578225a781071f9f20072e40b3fdead97599f8c3b35705de112366ea8

SHA512
f22f06832558fe0b93d028ef5f9fb46a8e5a8414b5e6254d6d4244cece13503727db1ba7498c0cefa9cb592611be19b41044613f6e0b0043ace4715901d0f185

Download Submit
memory/232-155-0x000001BF5A8C0000-0x000001BF5AA2A000-memory.dmp

Filesize
1.4MB

Download
memory/856-964-0x000001C5C54D0000-0x000001C5C561F000-memory.dmp

Filesize
1.3MB

Download
memory/1100-167-0x00000252DF8B0000-0x00000252DFA1A000-memory.dmp

Filesize
1.4MB

Download
memory/1176-952-0x000001D06D9F0000-0x000001D06DB3F000-memory.dmp

Filesize
1.3MB

Download
memory/1396-723-0x0000010A68BD0000-0x0000010A68D1F000-memory.dmp

Filesize
1.3MB

Download
memory/1472-977-0x000002B8C7F50000-0x000002B8C809F000-memory.dmp

Filesize
1.3MB

Download
memory/1492-976-0x000001CA2B690000-0x000001CA2B7DF000-memory.dmp

Filesize
1.3MB

Download
memory/1572-724-0x000001F552830000-0x000001F55297F000-memory.dmp

Filesize
1.3MB

Download
memory/1808-996-0x00000144DCD40000-0x00000144DCE8F000-memory.dmp

Filesize
1.3MB

Download
memory/2012-140-0x0000022073D20000-0x0000022073E8A000-memory.dmp

Filesize
1.4MB

Download
memory/2208-158-0x0000019B50250000-0x0000019B503BA000-memory.dmp

Filesize
1.4MB

Download
memory/2216-969-0x0000022636870000-0x00000226369BF000-memory.dmp

Filesize
1.3MB

Download
memory/2360-153-0x000001F8E1AC0000-0x000001F8E1C2A000-memory.dmp

Filesize
1.4MB

Download
memory/2404-972-0x000001C170820000-0x000001C17096F000-memory.dmp

Filesize
1.3MB

Download
memory/2412-981-0x0000026A71220000-0x0000026A7136F000-memory.dmp

Filesize
1.3MB

Download
memory/2420-958-0x00000178DD520000-0x00000178DD66F000-memory.dmp

Filesize
1.3MB

Download
memory/2520-985-0x00000128B65F0000-0x00000128B673F000-memory.dmp

Filesize
1.3MB

Download
memory/2564-154-0x00000243EE140000-0x00000243EE2AA000-memory.dmp

Filesize
1.4MB

Download
memory/2564-726-0x000001761F8F0000-0x000001761FA3F000-memory.dmp

Filesize
1.3MB

Download
memory/2632-731-0x0000016EFC0B0000-0x0000016EFC1FF000-memory.dmp

Filesize
1.3MB

Download
memory/2644-962-0x0000023046550000-0x000002304669F000-memory.dmp

Filesize
1.3MB

Download
memory/2748-968-0x00000208B0870000-0x00000208B09BF000-memory.dmp

Filesize
1.3MB

Download
memory/2760-986-0x0000026CD7210000-0x0000026CD735F000-memory.dmp

Filesize
1.3MB

Download
memory/2896-139-0x000001D46F4B0000-0x000001D46F61A000-memory.dmp

Filesize
1.4MB

Download
memory/3112-18-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/3112-26-0x000000001BE50000-0x000000001BE5C000-memory.dmp

Filesize
48KB

Download
memory/3112-21-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/3112-19-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/3112-12-0x00000000006D0000-0x000000000085E000-memory.dmp

Filesize
1.6MB

Download
memory/3112-14-0x000000001BA50000-0x000000001BAA0000-memory.dmp

Filesize
320KB

Download
memory/3112-20-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/3112-15-0x000000001BA00000-0x000000001BA16000-memory.dmp

Filesize
88KB

Download
memory/3112-25-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/3112-24-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/3112-23-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/3112-16-0x000000001BA20000-0x000000001BA2A000-memory.dmp

Filesize
40KB

Download
memory/3112-22-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3112-13-0x000000001B9E0000-0x000000001B9FC000-memory.dmp

Filesize
112KB

Download
memory/3112-17-0x000000001BA30000-0x000000001BA3C000-memory.dmp

Filesize
48KB

Download
memory/3168-950-0x000001D19DA50000-0x000001D19DB9F000-memory.dmp

Filesize
1.3MB

Download
memory/3300-714-0x000002B85CCD0000-0x000002B85CE1F000-memory.dmp

Filesize
1.3MB

Download
memory/3368-994-0x0000012F39530000-0x0000012F3967F000-memory.dmp

Filesize
1.3MB

Download
memory/3392-983-0x000001D8EC680000-0x000001D8EC7CF000-memory.dmp

Filesize
1.3MB

Download
memory/3420-150-0x000002146A890000-0x000002146A9FA000-memory.dmp

Filesize
1.4MB

Download
memory/3452-970-0x000001677E470000-0x000001677E5BF000-memory.dmp

Filesize
1.3MB

Download
memory/3616-954-0x00000193C9630000-0x00000193C977F000-memory.dmp

Filesize
1.3MB

Download
memory/3620-716-0x000001D3D3D70000-0x000001D3D3EBF000-memory.dmp

Filesize
1.3MB

Download
memory/3672-166-0x00000212A55A0000-0x00000212A570A000-memory.dmp

Filesize
1.4MB

Download
memory/3688-992-0x000002E9749B0000-0x000002E974AFF000-memory.dmp

Filesize
1.3MB

Download
memory/3728-170-0x000002825FCE0000-0x000002825FE4A000-memory.dmp

Filesize
1.4MB

Download
memory/3864-732-0x000001753F4D0000-0x000001753F61F000-memory.dmp

Filesize
1.3MB

Download
memory/4348-990-0x0000022C5E2D0000-0x0000022C5E41F000-memory.dmp

Filesize
1.3MB

Download
memory/4376-957-0x000001D9CC0F0000-0x000001D9CC23F000-memory.dmp

Filesize
1.3MB

Download
memory/4392-717-0x000001B26F1E0000-0x000001B26F32F000-memory.dmp

Filesize
1.3MB

Download
memory/4440-718-0x000001776AB30000-0x000001776AC7F000-memory.dmp

Filesize
1.3MB

Download
memory/4488-721-0x000002316A9E0000-0x000002316AB2F000-memory.dmp

Filesize
1.3MB

Download
memory/4492-734-0x000001E2346E0000-0x000001E23482F000-memory.dmp

Filesize
1.3MB

Download
memory/4508-978-0x00000289731A0000-0x00000289732EF000-memory.dmp

Filesize
1.3MB

Download
memory/4620-963-0x00000245B9310000-0x00000245B945F000-memory.dmp

Filesize
1.3MB

Download
memory/4776-161-0x000001F3EFBC0000-0x000001F3EFD2A000-memory.dmp

Filesize
1.4MB

Download
memory/4848-730-0x00000190ED450000-0x00000190ED59F000-memory.dmp

Filesize
1.3MB

Download
memory/4888-989-0x0000026246960000-0x0000026246AAF000-memory.dmp

Filesize
1.3MB

Download
memory/5080-149-0x00000265F34C0000-0x00000265F362A000-memory.dmp

Filesize
1.4MB

Download
memory/5080-40-0x00000265F30A0000-0x00000265F30C2000-memory.dmp

Filesize
136KB

Download