dcrat | 3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Size

1.2MB
MD5

1e1141a8c3483801e0520a803d004dfc
SHA1

4dd65bf996f2ab466e658208cc6d36b9bd63df7f
SHA256

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229
SHA512

cc1aa00306b66af19f3fe2e32c730d928da6e5f80b78c7131ef5936d9984d5a60190ec4a061446b77d797a44a7b9a5f034e64b1c39fb5bd52c8060ec1a24c562
SSDEEP

24576:FR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:rJaDKf4p4UD1v

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2652	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2652	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2416-0-0x0000000001380000-0x00000000014BA000-memory.dmp	dcrat
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	dcrat
behavioral1/memory/1864-99-0x000000001AD50000-0x000000001ADD0000-memory.dmp	dcrat
behavioral1/memory/2456-137-0x0000000000360000-0x000000000049A000-memory.dmp	dcrat
behavioral1/memory/2828-219-0x00000000003A0000-0x00000000004DA000-memory.dmp	dcrat
behavioral1/memory/2548-233-0x0000000000C60000-0x0000000000D9A000-memory.dmp	dcrat
behavioral1/memory/1260-248-0x0000000001050000-0x000000000118A000-memory.dmp	dcrat
behavioral1/memory/2256-262-0x00000000000E0000-0x000000000021A000-memory.dmp	dcrat
behavioral1/memory/320-277-0x0000000001000000-0x000000000113A000-memory.dmp	dcrat
behavioral1/memory/320-279-0x0000000000F80000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2616-333-0x00000000011B0000-0x00000000012EA000-memory.dmp	dcrat
behavioral1/memory/2616-335-0x000000001B0D0000-0x000000001B150000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-0-0x0000000001380000-0x00000000014BA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1864-99-0x000000001AD50000-0x000000001ADD0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2456-137-0x0000000000360000-0x000000000049A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2828-219-0x00000000003A0000-0x00000000004DA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2548-233-0x0000000000C60000-0x0000000000D9A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/1260-248-0x0000000001050000-0x000000000118A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2256-262-0x00000000000E0000-0x000000000021A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/320-277-0x0000000001000000-0x000000000113A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/320-279-0x0000000000F80000-0x0000000001000000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral1/memory/2616-333-0x00000000011B0000-0x00000000012EA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-5-0x0000000000580000-0x0000000000590000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-8-0x0000000000B70000-0x0000000000B7A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-10-0x0000000000B90000-0x0000000000B9C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-13-0x0000000000BC0000-0x0000000000BCC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-15-0x0000000000D60000-0x0000000000D6A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-17-0x00000000012E0000-0x00000000012EC000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2416-19-0x0000000001300000-0x000000000130A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 11 IoCs

Processes:

pid	process
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2828	wininit.exe
2548	wininit.exe
1260	wininit.exe
2256	wininit.exe
320	wininit.exe
1028	wininit.exe
2296	wininit.exe
1704	wininit.exe
2616	wininit.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wininit.exewininit.exewininit.exewininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exewininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in Program Files directory 15 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\c5b4cb5e9653cc	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Journal\explorer.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\b75386f1303e64	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\Windows Journal\explorer.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Journal\7a0fd90576e088	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files (x86)\Windows Sidebar\services.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\services.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\cc11b995f2a76d	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Program Files\Windows Media Player\winlogon.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Drops file in Windows directory 22 IoCs

Processes:

description	ioc	process
File created	C:\Windows\tracing\f3b6ecef712a24	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\L2Schemas\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Resources\Ease of Access Themes\886983d96e3d3e	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\addins\taskhost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Migration\WTR\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Migration\WTR\886983d96e3d3e	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\Offline Web Pages\services.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Resources\Ease of Access Themes\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\ehome\de-DE\wininit.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\addins\taskhost.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\addins\RCX2AEF.tmp	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\tracing\spoolsv.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\ehome\de-DE\56085415360792	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\tracing\spoolsv.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Offline Web Pages\services.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\L2Schemas\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\L2Schemas\9cfc546d28b943	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\Migration\WTR\csrss.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File opened for modification	C:\Windows\ehome\de-DE\wininit.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\addins\b75386f1303e64	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
File created	C:\Windows\Offline Web Pages\c5b4cb5e9653cc	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
1748	schtasks.exe
2416	schtasks.exe
1592	schtasks.exe
1028	schtasks.exe
2080	schtasks.exe
2768	schtasks.exe
2432	schtasks.exe
2732	schtasks.exe
2200	schtasks.exe
1688	schtasks.exe
2268	schtasks.exe
2796	schtasks.exe
1816	schtasks.exe
2012	schtasks.exe
1368	schtasks.exe
1056	schtasks.exe
1776	schtasks.exe
328	schtasks.exe
2544	schtasks.exe
764	schtasks.exe
2004	schtasks.exe
756	schtasks.exe
2728	schtasks.exe
2504	schtasks.exe
2228	schtasks.exe
1744	schtasks.exe
2592	schtasks.exe
1304	schtasks.exe
1480	schtasks.exe
1552	schtasks.exe
1524	schtasks.exe
800	schtasks.exe
1296	schtasks.exe
2756	schtasks.exe
1372	schtasks.exe
2052	schtasks.exe
1556	schtasks.exe
2788	schtasks.exe
536	schtasks.exe
2856	schtasks.exe
1736	schtasks.exe
1840	schtasks.exe
1876	schtasks.exe
880	schtasks.exe
2348	schtasks.exe
2760	schtasks.exe
1616	schtasks.exe
2572	schtasks.exe
2756	schtasks.exe
2024	schtasks.exe
1880	schtasks.exe
900	schtasks.exe
2004	schtasks.exe
2060	schtasks.exe
2988	schtasks.exe
1432	schtasks.exe
280	schtasks.exe
848	schtasks.exe
2540	schtasks.exe
2332	schtasks.exe
1672	schtasks.exe
2164	schtasks.exe
1576	schtasks.exe
848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Token: SeDebugPrivilege	1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Token: SeDebugPrivilege	2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Token: SeDebugPrivilege	2828	wininit.exe
Token: SeDebugPrivilege	2548	wininit.exe
Token: SeDebugPrivilege	1260	wininit.exe
Token: SeDebugPrivilege	2256	wininit.exe
Token: SeDebugPrivilege	320	wininit.exe
Token: SeDebugPrivilege	1028	wininit.exe
Token: SeDebugPrivilege	2296	wininit.exe
Token: SeDebugPrivilege	1704	wininit.exe
Token: SeDebugPrivilege	2616	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execmd.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.execmd.exewininit.exeWScript.exewininit.exeWScript.exewininit.exeWScript.exewininit.exeWScript.exewininit.exeWScript.exe

description	pid	process	target process
PID 2416 wrote to memory of 1864	2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 2416 wrote to memory of 1864	2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 2416 wrote to memory of 1864	2416	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 1864 wrote to memory of 2964	1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 1864 wrote to memory of 2964	1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 1864 wrote to memory of 2964	1864	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 2964 wrote to memory of 2612	2964	cmd.exe	w32tm.exe
PID 2964 wrote to memory of 2612	2964	cmd.exe	w32tm.exe
PID 2964 wrote to memory of 2612	2964	cmd.exe	w32tm.exe
PID 2964 wrote to memory of 2456	2964	cmd.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 2964 wrote to memory of 2456	2964	cmd.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 2964 wrote to memory of 2456	2964	cmd.exe	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
PID 2456 wrote to memory of 872	2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 2456 wrote to memory of 872	2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 2456 wrote to memory of 872	2456	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe	cmd.exe
PID 872 wrote to memory of 2744	872	cmd.exe	w32tm.exe
PID 872 wrote to memory of 2744	872	cmd.exe	w32tm.exe
PID 872 wrote to memory of 2744	872	cmd.exe	w32tm.exe
PID 872 wrote to memory of 2828	872	cmd.exe	wininit.exe
PID 872 wrote to memory of 2828	872	cmd.exe	wininit.exe
PID 872 wrote to memory of 2828	872	cmd.exe	wininit.exe
PID 2828 wrote to memory of 1368	2828	wininit.exe	WScript.exe
PID 2828 wrote to memory of 1368	2828	wininit.exe	WScript.exe
PID 2828 wrote to memory of 1368	2828	wininit.exe	WScript.exe
PID 2828 wrote to memory of 1672	2828	wininit.exe	WScript.exe
PID 2828 wrote to memory of 1672	2828	wininit.exe	WScript.exe
PID 2828 wrote to memory of 1672	2828	wininit.exe	WScript.exe
PID 1368 wrote to memory of 2548	1368	WScript.exe	wininit.exe
PID 1368 wrote to memory of 2548	1368	WScript.exe	wininit.exe
PID 1368 wrote to memory of 2548	1368	WScript.exe	wininit.exe
PID 2548 wrote to memory of 2632	2548	wininit.exe	WScript.exe
PID 2548 wrote to memory of 2632	2548	wininit.exe	WScript.exe
PID 2548 wrote to memory of 2632	2548	wininit.exe	WScript.exe
PID 2548 wrote to memory of 2204	2548	wininit.exe	WScript.exe
PID 2548 wrote to memory of 2204	2548	wininit.exe	WScript.exe
PID 2548 wrote to memory of 2204	2548	wininit.exe	WScript.exe
PID 2632 wrote to memory of 1260	2632	WScript.exe	wininit.exe
PID 2632 wrote to memory of 1260	2632	WScript.exe	wininit.exe
PID 2632 wrote to memory of 1260	2632	WScript.exe	wininit.exe
PID 1260 wrote to memory of 880	1260	wininit.exe	WScript.exe
PID 1260 wrote to memory of 880	1260	wininit.exe	WScript.exe
PID 1260 wrote to memory of 880	1260	wininit.exe	WScript.exe
PID 1260 wrote to memory of 280	1260	wininit.exe	WScript.exe
PID 1260 wrote to memory of 280	1260	wininit.exe	WScript.exe
PID 1260 wrote to memory of 280	1260	wininit.exe	WScript.exe
PID 880 wrote to memory of 2256	880	WScript.exe	wininit.exe
PID 880 wrote to memory of 2256	880	WScript.exe	wininit.exe
PID 880 wrote to memory of 2256	880	WScript.exe	wininit.exe
PID 2256 wrote to memory of 2408	2256	wininit.exe	WScript.exe
PID 2256 wrote to memory of 2408	2256	wininit.exe	WScript.exe
PID 2256 wrote to memory of 2408	2256	wininit.exe	WScript.exe
PID 2256 wrote to memory of 2948	2256	wininit.exe	WScript.exe
PID 2256 wrote to memory of 2948	2256	wininit.exe	WScript.exe
PID 2256 wrote to memory of 2948	2256	wininit.exe	WScript.exe
PID 2408 wrote to memory of 320	2408	WScript.exe	wininit.exe
PID 2408 wrote to memory of 320	2408	WScript.exe	wininit.exe
PID 2408 wrote to memory of 320	2408	WScript.exe	wininit.exe
PID 320 wrote to memory of 1524	320	wininit.exe	WScript.exe
PID 320 wrote to memory of 1524	320	wininit.exe	WScript.exe
PID 320 wrote to memory of 1524	320	wininit.exe	WScript.exe
PID 320 wrote to memory of 2036	320	wininit.exe	WScript.exe
PID 320 wrote to memory of 2036	320	wininit.exe	WScript.exe
PID 320 wrote to memory of 2036	320	wininit.exe	WScript.exe
PID 1524 wrote to memory of 1028	1524	WScript.exe	wininit.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

wininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exewininit.exe3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exewininit.exewininit.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
"C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416

C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
"C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P5SY0RjS3i.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
"C:\Users\Admin\AppData\Local\Temp\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WfzwFH8ar.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2744

C:\Windows\ehome\de-DE\wininit.exe
"C:\Windows\ehome\de-DE\wininit.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f993976-82ad-4ed9-b06f-0803b5df334c.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37df64b9-b802-426e-bd6f-fce2e35e335d.vbs"
9⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd72f23-aefd-4462-8abd-00ac5b9a9501.vbs"
11⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85103449-d8ab-40a2-a1a9-aba939e4b52c.vbs"
13⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b764c44-be3e-4dc2-bbf7-697670116ea8.vbs"
15⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28f61c62-c1aa-4385-9f59-a015cff08dfc.vbs"
17⤵
PID:1388

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f37a32e-c86c-4e60-94fd-6b6df05606bd.vbs"
19⤵
PID:2544

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c4dda53-72a4-4c27-8948-7027a78193de.vbs"
21⤵
PID:1804

C:\Windows\ehome\de-DE\wininit.exe
C:\Windows\ehome\de-DE\wininit.exe
22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\908e5d5f-940a-4e32-b864-b991b18de87b.vbs"
23⤵
PID:2680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b90340f-01ae-4282-a4ed-0f0c34e6f6ac.vbs"
23⤵
PID:2268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9c330f8-6cdb-46d9-bc71-5bc1d2bf5b80.vbs"
21⤵
PID:2636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c46511c-6cd2-4388-b134-0d0c82810f08.vbs"
19⤵
PID:1552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb3d45d-fde6-4401-9740-2e458981e324.vbs"
17⤵
PID:2416

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a69c21a7-de29-4ddb-a01c-ae7203f96f9e.vbs"
15⤵
PID:2036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9cfd9ac-341c-4e8e-94ab-4f3001238186.vbs"
13⤵
PID:2948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2499db1f-84ad-46af-98c6-b712c8b3163b.vbs"
11⤵
PID:280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ffe0c4-2250-4505-93b6-aca338287e02.vbs"
9⤵
PID:2204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d089451f-2e8d-408a-a56a-095b558bf577.vbs"
7⤵
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229" /sc ONLOGON /tr "'C:\Windows\L2Schemas\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\explorer.exe'" /f
1⤵
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\de-DE\wininit.exe'" /f
1⤵
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ehome\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /f
1⤵
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e22122293" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\smss.exe'" /f
1⤵
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\smss.exe'" /rl HIGHEST /f
1⤵
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\spoolsv.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229.exe
Filesize
1.2MB

MD5
1e1141a8c3483801e0520a803d004dfc

SHA1
4dd65bf996f2ab466e658208cc6d36b9bd63df7f

SHA256
3915927862667dcfed03c9f5cd6b9af7ff6840bcc4226b06404320f9e2212229

SHA512
cc1aa00306b66af19f3fe2e32c730d928da6e5f80b78c7131ef5936d9984d5a60190ec4a061446b77d797a44a7b9a5f034e64b1c39fb5bd52c8060ec1a24c562

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WfzwFH8ar.bat
Filesize
199B

MD5
eff09fe961f153bd2a8e43a0869e000a

SHA1
03cae8e585dc5962c3339ed4998662c7177e0c04

SHA256
db0de25f0a3ffa58e149fe18867d028cc4ea4d56753411d7f92b37fcc8e5289e

SHA512
432ffd6b5c8f89b51be1ded34704d08b729c9fff44eb56d93d261ca2c156dee5c38945d316e258ad2bf46976110a41c70a0bf45d8f40865d962709f05a60fd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\28f61c62-c1aa-4385-9f59-a015cff08dfc.vbs
Filesize
710B

MD5
7be5f75d9ea6ae2041090a6a08bbfa7e

SHA1
4d890ec8dba4218e6a4535ec527a0c6a9a68c7b2

SHA256
d5a05226a89c6a6bafe70924ede73f05ed83b8d6fc09b1c764539e84aab6aeef

SHA512
6ea569e0e1b551f879a0161aea034542d0f3b113b6df3b804c6da34df063bb47514e18c1f63732d0407492f9c8b7d40fac87b32988a21737032d05426eb9ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f37a32e-c86c-4e60-94fd-6b6df05606bd.vbs
Filesize
710B

MD5
bca651f0a4c85eaa92d201f9980ba477

SHA1
0d58dcb1352aca7769f8162005083c693a9e390d

SHA256
4998fc06035e2b204bcf6546f4ff8f7e4dd8459269c6df08a20f34edfd7cfb47

SHA512
c542f9f03f751c31bff695059a8e8387c9dc325e9fe6c544ee783b01926e5fbf89fb37a2424ce3649dae3b52cc3e0d2541b83149d65e516342f9d299fff61dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\37df64b9-b802-426e-bd6f-fce2e35e335d.vbs
Filesize
710B

MD5
2bceb78511c1b747af61951cc09a9b49

SHA1
aaa68f62f3cfe7abb7133eef95a2b90840ac7512

SHA256
df0d99337546b94c13d4e0c6f07cf88dafb1f6b92e22b208b2f7d979477f4198

SHA512
8a8c13a77ce01fd67a10bbbd8deb0bf82cf5be097b9da4183e8acdb60c2154b2c8898adab1a03632fbb012cd78a4a8f46d5c1a7ea2c365229ce1350d6adc4a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c4dda53-72a4-4c27-8948-7027a78193de.vbs
Filesize
710B

MD5
9e6a194df37f45ec7de68627446679d6

SHA1
d6900b0804d417ec3543b79fbaaee2fe0403677e

SHA256
c137679c475ad3f80d780a9ffe743d4dd50ad98d16b4d44f74acb01f25322998

SHA512
86315b3ea50834ee4bf62f6870d019b96e340e6e01f54eed7c68ed3058c18913de57337b6cf560b0fd2b2add831a5b420026065fdbb57077a3c2d1bd1ee3024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859
Filesize
712B

MD5
f392f583b9cc16da61c2510251aaf17f

SHA1
d0afdf417508f90f5b68af2663e1104d095ff3f1

SHA256
fbc168521fcc7f62c4cc4959b8d200315e056211a0869f669625626aae20fe48

SHA512
26604b42baa483f6e32ae5fe036981957d93d43c4fa4447de6e8d60d44e8bbfedb37d6ceaaf6d0ea98aff89db09f285fb64a814105b01820f8d99b20a1ebd864

Download Submit
C:\Users\Admin\AppData\Local\Temp\59a07570a8a8386aa1a299e6ab573f686e7e81544.5.321e942f7529053d3bf5a939edfacdca5e36682859
Filesize
1KB

MD5
9ab06939238cfa1790e2d2dda6787ecf

SHA1
8ca7cd30735ea09b217c077d1b7dfd7ac6826c8f

SHA256
c33992b27c1c73e9e54711b741be855716be6fe43fe066f285dd13667db1babb

SHA512
316e5423eedbac8451d8a9c62bdc524619c83f388ff9298119e03902d0d5889ba8ad64f0df9fc911c2a26d03e12cae2ef9dd9eea7b7464d09ca5b47604f857f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f993976-82ad-4ed9-b06f-0803b5df334c.vbs
Filesize
710B

MD5
60141f6546f9b51a0fb13a6303b30917

SHA1
e7472ad462b37dcdbe0c92a9224ccd1d16fabc1b

SHA256
e3b3bace0bf44eb36a60027133088a94afee7d1de2e7e7ba285b93a800909f47

SHA512
e0e351f948a3163d0188ee4957530da33a4b9f444dd14f5d77456cfbf7812e91ff518e3d01a93ddebccab8f715c420bca253f1be0e3fc1f10c8abaa734bf5252

Download Submit
C:\Users\Admin\AppData\Local\Temp\85103449-d8ab-40a2-a1a9-aba939e4b52c.vbs
Filesize
710B

MD5
f89b17e539d70972850730d3b19e3012

SHA1
66c1df2f1ef154862182323886aef3215f4b9ed1

SHA256
a96240059375b13c080cc01b7708bdbf328ac69ec49c15436bb8c913b297918e

SHA512
3ea601d1a7bdf95691bc2aa14c1eda72ebb926baccb4158b8639410eba33055cba12b7ba137b7b94aea10380849ce323d1064b9323d47953060277b861473e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b764c44-be3e-4dc2-bbf7-697670116ea8.vbs
Filesize
709B

MD5
020705549668784626a7501d3e3c06fd

SHA1
3ddf3a1feb144678d7050e67ee465bb89470bbce

SHA256
07f19bb0dcf1a64c6012d53bc139a334fa0446ddfb074cf04454b3ba7ad96f67

SHA512
dd67d14c5b351e2749fb339030e2aaec38b84e87fd2514937eb6d73bfbccd82b9e3aae1a3dcbb6f78e7c3a74e5042a4f2e72375a1aece93090f9031a6c6733ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\908e5d5f-940a-4e32-b864-b991b18de87b.vbs
Filesize
710B

MD5
02077b11269d96316b4c79a149f6258c

SHA1
1052d6314a156cb25a5c03849cb06f8c3537b975

SHA256
893a3dbd8e2aad9c051a14cc597082f709fa68558ded6268180fcce8db668686

SHA512
ec335eff94473dde54dc42d9b06d585dadec47305efa29acc597e483714c5d3838c3e8e9dd0a71b3660fd15287b918af315183e4855326dfc9011b8e5c0f9c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dd72f23-aefd-4462-8abd-00ac5b9a9501.vbs
Filesize
710B

MD5
b819494cb5bf4fbe6064595410cc73de

SHA1
229ac6d7db2d1edbfff4bb6a6c9f059ce99ce55c

SHA256
5a85d340e36b2bc8123b63af59dd6e0cb8f2d3c1eaced753b94b201d6c748fd8

SHA512
eb840c39ef452f9a62763fd7d6bcb8966e08099c381022b2e96dd1ac6a40ba53e2c20be8b18d781cbeef005275169ade30fd267a0134ad51a20582beb41c983e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P5SY0RjS3i.bat
Filesize
267B

MD5
186c4b12f35f74a03e1e511966a1126f

SHA1
8648c35bad053490c437dd9b1db8e010fb5619d2

SHA256
31f7e059ddbff9cbf766d4883ee6db14c777a471ab0c64601276b6d0113b15de

SHA512
3696d61dd80746eeac1ce7f6b88b5b976acdc6e61b0183db2977aa87d3a43d1db53d83cb7e2a95989ea6b474b5930bf455fcea536278675bc0bf6316fe15f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\d089451f-2e8d-408a-a56a-095b558bf577.vbs
Filesize
486B

MD5
daa393ab8d22a9ef0c402a0248eced86

SHA1
a136dc2ec7ff1978625e1cc39fc70a8c89f58469

SHA256
2aff536210f5dc22f9364444af5d9ca1a3e0b48b7b15103e048a9e315eb3902a

SHA512
8435219eea7f9f5ce614af53fde8147372c1d312a4230c1b83fab976c9be61d55e06c408b50c4bc5ac59b01f3b5dd600cfd0149c2e7f82b99e240d8dc8081c5c

Download Submit
memory/320-290-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/320-279-0x0000000000F80000-0x0000000001000000-memory.dmp

Filesize
512KB

Download
memory/320-278-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/320-277-0x0000000001000000-0x000000000113A000-memory.dmp

Filesize
1.2MB

Download
memory/1028-304-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-292-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-293-0x000000001AFB0000-0x000000001B030000-memory.dmp

Filesize
512KB

Download
memory/1260-260-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1260-249-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1260-248-0x0000000001050000-0x000000000118A000-memory.dmp

Filesize
1.2MB

Download
memory/1704-331-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/1704-320-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/1704-319-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/1864-99-0x000000001AD50000-0x000000001ADD0000-memory.dmp

Filesize
512KB

Download
memory/1864-134-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/1864-97-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-263-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-264-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2256-262-0x00000000000E0000-0x000000000021A000-memory.dmp

Filesize
1.2MB

Download
memory/2256-275-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-306-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-317-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-18-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2416-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2416-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-2-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2416-3-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/2416-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2416-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2416-7-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2416-8-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2416-9-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2416-10-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2416-11-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2416-12-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2416-98-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-20-0x0000000001310000-0x000000000131C000-memory.dmp

Filesize
48KB

Download
memory/2416-19-0x0000000001300000-0x000000000130A000-memory.dmp

Filesize
40KB

Download
memory/2416-0-0x0000000001380000-0x00000000014BA000-memory.dmp

Filesize
1.2MB

Download
memory/2416-17-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/2416-15-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/2416-16-0x0000000001170000-0x000000000117E000-memory.dmp

Filesize
56KB

Download
memory/2416-14-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2416-13-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2456-138-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2456-137-0x0000000000360000-0x000000000049A000-memory.dmp

Filesize
1.2MB

Download
memory/2456-139-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2456-215-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-235-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2548-246-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-234-0x000007FEF52F0000-0x000007FEF5CDC000-memory.dmp

Filesize
9.9MB

Download
memory/2548-233-0x0000000000C60000-0x0000000000D9A000-memory.dmp

Filesize
1.2MB

Download
memory/2616-333-0x00000000011B0000-0x00000000012EA000-memory.dmp

Filesize
1.2MB

Download
memory/2616-334-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-335-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2828-221-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2828-219-0x00000000003A0000-0x00000000004DA000-memory.dmp

Filesize
1.2MB

Download
memory/2828-220-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-231-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download