dcrat | hxxp://gitlab[.]com/oxx980710

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Users\\All Users\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Users\\All Users\\chrome.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Users\\All Users\\chrome.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\", \"C:\\odt\\dwm.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Users\\All Users\\chrome.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\", \"C:\\odt\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Users\\All Users\\chrome.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\", \"C:\\odt\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\chrome.exe\", \"C:\\odt\\OfficeClickToRun.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	mscontainer.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2196	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	2196	schtasks.exe	89

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/186816-142-0x0000000000400000-0x000000000053A000-memory.dmp	dcrat
behavioral2/memory/187040-159-0x0000000000400000-0x000000000053A000-memory.dmp	dcrat
behavioral2/files/0x0009000000023065-166.dat	dcrat
behavioral2/files/0x0009000000023065-167.dat	dcrat
behavioral2/memory/2316-169-0x0000000000880000-0x0000000000A3A000-memory.dmp	dcrat
behavioral2/memory/6060-206-0x0000000000550000-0x000000000070A000-memory.dmp	dcrat

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
4248	oxx9807_crypted.exe
187368	system.exe
2316	mscontainer.exe
6060	dwm.exe
6472	dwm.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mscontainer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dwm.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\All Users\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Windows Portable Devices\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\All Users\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\dwm.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\odt\\dwm.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Program Files (x86)\\Windows Portable Devices\\chrome.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\StartMenuExperienceHost.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\odt\\dwm.exe\""	mscontainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	mscontainer.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mscontainer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4248 set thread context of 186816	4248	oxx9807_crypted.exe	133
PID 187368 set thread context of 187040	187368	system.exe	145

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\chrome.exe	mscontainer.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX3C50.tmp	mscontainer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	mscontainer.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX48F7.tmp	mscontainer.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\chrome.exe	mscontainer.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\dwm.exe	mscontainer.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\55b276f4edf653	mscontainer.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	mscontainer.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a73b78f679a6f	mscontainer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCX43D5.tmp	mscontainer.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\dwm.exe	mscontainer.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\6cb0b6c459d5d3	mscontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3940	schtasks.exe
2040	schtasks.exe
4612	schtasks.exe
5076	schtasks.exe
3748	schtasks.exe
2720	schtasks.exe
2444	schtasks.exe
1696	schtasks.exe
4992	schtasks.exe
3876	schtasks.exe
3244	schtasks.exe
3840	schtasks.exe
4836	schtasks.exe
4584	schtasks.exe
1388	schtasks.exe
1868	schtasks.exe
3848	schtasks.exe
1028	schtasks.exe
2028	schtasks.exe
4300	schtasks.exe
228	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "862121712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992982"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373675843"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30992982"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "862121712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30992982"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "895247955"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c44a4356ead801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EB8AF19-5649-11ED-AECB-D2D0017C8629} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000fbaae263c7567492d13f09860e4ef7a1a9fa3600a4520fb08af6252708b34947000000000e8000000002000020000000a0ba9cf1b0cbd1457bb0d4a1b9a326914569dabcbb8e8ee5c45df05b4e598fa520000000d2f7d31372c631ff2f2000abf30debaa78ec9f459bdfd0a7f105af1453d0809a40000000aacd8a74ecdff5f1fe63ca85f06343c2c5eeaabe7fbb2c98c17848b48dfc397f71faca1ec0bed8644dc440a37ee791e918ff9590c8208a6dc1ff2cf99ce962f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d91200000000002000000000010660000000100002000000004675280db105e5456bb384140deab999380eca12dc09abfd6a68aea111f87f2000000000e80000000020000200000008078a7643eeec01699b4e39e7b9b8e57fa05dee480dd94786f032b20629ec70f2000000031d9c7c242154871c8a9bb24903ded28ce9350bc0e57c794bae284c9ff8f8d9140000000e3ebea9ad63e2bc0d69ca79a23138022d9f0e785365a645304e13d5f18c186bbad1f7cf202771537928c5315b37d7a4b249170a66552b61b7dd1139ff03f318c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d020604356ead801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	mscontainer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	dwm.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2220	chrome.exe
2220	chrome.exe
4284	chrome.exe
4284	chrome.exe
1140	chrome.exe
1140	chrome.exe
3512	chrome.exe
3512	chrome.exe
2316	chrome.exe
2316	chrome.exe
1872	chrome.exe
1872	chrome.exe
3960	chrome.exe
3960	chrome.exe
928	chrome.exe
928	chrome.exe
186816	AppLaunch.exe
187124	chrome.exe
187124	chrome.exe
186812	chrome.exe
186812	chrome.exe
186812	chrome.exe
186812	chrome.exe
3716	chrome.exe
3716	chrome.exe
2316	mscontainer.exe
4476	powershell.exe
4476	powershell.exe
4104	powershell.exe
4104	powershell.exe
3204	powershell.exe
3204	powershell.exe
1456	powershell.exe
1456	powershell.exe
3400	powershell.exe
3400	powershell.exe
608	powershell.exe
608	powershell.exe
2272	powershell.exe
2272	powershell.exe
4788	powershell.exe
4788	powershell.exe
4104	powershell.exe
4476	powershell.exe
3204	powershell.exe
3400	powershell.exe
2272	powershell.exe
4788	powershell.exe
1456	powershell.exe
608	powershell.exe
6060	dwm.exe
6472	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4392	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	186816	AppLaunch.exe
Token: SeDebugPrivilege	187040	AppLaunch.exe
Token: SeDebugPrivilege	2316	mscontainer.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	6060	dwm.exe
Token: SeDebugPrivilege	6472	dwm.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4392	iexplore.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4392	iexplore.exe
4392	iexplore.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2992	4392	iexplore.exe	85
PID 4392 wrote to memory of 2992	4392	iexplore.exe	85
PID 4392 wrote to memory of 2992	4392	iexplore.exe	85
PID 4284 wrote to memory of 2184	4284	chrome.exe	98
PID 4284 wrote to memory of 2184	4284	chrome.exe	98
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 4536	4284	chrome.exe	99
PID 4284 wrote to memory of 2220	4284	chrome.exe	100
PID 4284 wrote to memory of 2220	4284	chrome.exe	100
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101
PID 4284 wrote to memory of 2412	4284	chrome.exe	101

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	mscontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://gitlab.com/oxx980710
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff82e834f50,0x7ff82e834f60,0x7ff82e834f70
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1016 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4408
- C:\Users\Admin\Downloads\oxx9807_crypted.exe
  "C:\Users\Admin\Downloads\oxx9807_crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - UAC bypass
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:186816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56d37408-924c-4b62-9da1-85cb995f69a8.vbs"
      4⤵
      PID:187240
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        5⤵
        
        PID:788
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76de7e8f-e365-46be-856e-d84e59d42ed6.vbs"
      4⤵
      PID:187300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:79616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:186948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:187020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:187012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:187124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:187208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  PID:187200
- C:\Users\Admin\Downloads\system.exe
  "C:\Users\Admin\Downloads\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:187368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:187040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:187116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:186812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:187384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  PID:4420
- C:\Users\Admin\Downloads\mscontainer.exe
  "C:\Users\Admin\Downloads\mscontainer.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\mscontainer.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\acpBpZZxpv.bat"
    3⤵
    PID:5500
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5868
  - - C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
      "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks computer location settings
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:6060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b06b5fc-b567-47e9-9805-e7d717dfd00f.vbs"
        5⤵
        
        PID:6200
      - C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826b41c6-9c7a-40f5-ac7c-80a5db630706.vbs"
        7⤵
        
        PID:6600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7761902e-d821-4bce-a1ab-4ea8dbacb1a2.vbs"
        7⤵
        
        PID:6656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca7484d-5bd3-4464-ab43-8cfb09cc5b60.vbs"
        5⤵
        
        PID:6228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1008 /prefetch:8
  2⤵
  PID:6308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,9347315418971015656,2599921249946776302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:6424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\All Users\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery