dcrat | e8560b6c4995a7a59a5f0e67485259d7adb625a438bb25b0ed209bd24cad58b8

Analysis

max time kernel
104s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Size

4.9MB
MD5

6c1254f6b6b376f8d51b7fb1efc557b0
SHA1

87d0cf2bda3a3cc1033d0a859d1446ccf70a1704
SHA256

e8560b6c4995a7a59a5f0e67485259d7adb625a438bb25b0ed209bd24cad58b8
SHA512

5b1c6b910d88d839fdb1dfc25d6eecffd7a2fe544b8b7c62c4012c5773e4633002dbf5d04d1bfc71ae546c8ffc893fc94cab7576acfbd81e6aff2be69f6904a7
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2604	schtasks.exe

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe6c1254f6b6b376f8d51b7fb1efc557b0N.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2804-2-0x000000001B560000-0x000000001B68E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1420	powershell.exe
1072	powershell.exe
1532	powershell.exe
532	powershell.exe
760	powershell.exe
1832	powershell.exe
2756	powershell.exe
1984	powershell.exe
1472	powershell.exe
2544	powershell.exe
1048	powershell.exe
552	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid process

2428 OSPPSVC.exe
2312 OSPPSVC.exe
2328 OSPPSVC.exe
2152 OSPPSVC.exe
2540 OSPPSVC.exe
2512 OSPPSVC.exe
1940 OSPPSVC.exe
1832 OSPPSVC.exe

pid	process
2428	OSPPSVC.exe
2312	OSPPSVC.exe
2328	OSPPSVC.exe
2152	OSPPSVC.exe
2540	OSPPSVC.exe
2512	OSPPSVC.exe
1940	OSPPSVC.exe
1832	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe6c1254f6b6b376f8d51b7fb1efc557b0N.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops file in Program Files directory 20 IoCs

Processes:

6c1254f6b6b376f8d51b7fb1efc557b0N.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Uninstall Information\dllhost.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXF89.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Microsoft Office\6c1254f6b6b376f8d51b7fb1efc557b0N.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Microsoft Office\3d5d557de8984f	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX1A19.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\taskhost.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCXFE81.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX70D.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX11FA.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\1610b97d3ab4a7	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Program Files\Microsoft Office\6c1254f6b6b376f8d51b7fb1efc557b0N.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe

Drops file in Windows directory 13 IoCs

Processes:

6c1254f6b6b376f8d51b7fb1efc557b0N.exe

description	ioc	process
File opened for modification	C:\Windows\AppPatch\ja-JP\spoolsv.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\AppPatch\ja-JP\f3b6ecef712a24	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\1610b97d3ab4a7	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\ehome\CreateDisc\style\Idle.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\RCXF603.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\Speech\Common\fr-FR\audiodg.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music\RCXFC7D.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music\OSPPSVC.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\AppPatch\ja-JP\spoolsv.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\OSPPSVC.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File created	C:\Windows\ehome\CreateDisc\style\6ccacd8608530f	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Windows\ehome\CreateDisc\style\RCX911.tmp	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
File opened for modification	C:\Windows\ehome\CreateDisc\style\Idle.exe	6c1254f6b6b376f8d51b7fb1efc557b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
844	schtasks.exe
1152	schtasks.exe
1320	schtasks.exe
2056	schtasks.exe
1880	schtasks.exe
1228	schtasks.exe
2212	schtasks.exe
1540	schtasks.exe
2384	schtasks.exe
1716	schtasks.exe
1692	schtasks.exe
2144	schtasks.exe
1236	schtasks.exe
1484	schtasks.exe
1868	schtasks.exe
1372	schtasks.exe
780	schtasks.exe
1860	schtasks.exe
2112	schtasks.exe
1960	schtasks.exe
2988	schtasks.exe
2772	schtasks.exe
2828	schtasks.exe
1048	schtasks.exe
2068	schtasks.exe
2444	schtasks.exe
2120	schtasks.exe
2808	schtasks.exe
2448	schtasks.exe
612	schtasks.exe
1188	schtasks.exe
2268	schtasks.exe
1412	schtasks.exe
2356	schtasks.exe
532	schtasks.exe
2176	schtasks.exe
928	schtasks.exe
2072	schtasks.exe
2860	schtasks.exe
2896	schtasks.exe
1816	schtasks.exe
2316	schtasks.exe
2912	schtasks.exe
2812	schtasks.exe
1584	schtasks.exe
1832	schtasks.exe
900	schtasks.exe
1928	schtasks.exe
2620	schtasks.exe
2572	schtasks.exe
2756	schtasks.exe
1896	schtasks.exe
440	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

6c1254f6b6b376f8d51b7fb1efc557b0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exepowershell.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	process
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
552	powershell.exe
2544	powershell.exe
1832	powershell.exe
1532	powershell.exe
2756	powershell.exe
760	powershell.exe
532	powershell.exe
1472	powershell.exe
1048	powershell.exe
1984	powershell.exe
1420	powershell.exe
2428	OSPPSVC.exe
1072	powershell.exe
2312	OSPPSVC.exe
2328	OSPPSVC.exe
2152	OSPPSVC.exe
2540	OSPPSVC.exe
2512	OSPPSVC.exe
1940	OSPPSVC.exe
1832	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

6c1254f6b6b376f8d51b7fb1efc557b0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	pid	process
Token: SeDebugPrivilege	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2428	OSPPSVC.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2312	OSPPSVC.exe
Token: SeDebugPrivilege	2328	OSPPSVC.exe
Token: SeDebugPrivilege	2152	OSPPSVC.exe
Token: SeDebugPrivilege	2540	OSPPSVC.exe
Token: SeDebugPrivilege	2512	OSPPSVC.exe
Token: SeDebugPrivilege	1940	OSPPSVC.exe
Token: SeDebugPrivilege	1832	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c1254f6b6b376f8d51b7fb1efc557b0N.exeOSPPSVC.exeWScript.exeOSPPSVC.exeWScript.exeOSPPSVC.exeWScript.exe

description	pid	process	target process
PID 2804 wrote to memory of 552	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 552	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 552	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 760	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 760	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 760	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1420	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1420	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1420	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1832	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1832	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1832	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1072	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1072	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1072	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2756	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2756	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2756	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1984	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1984	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1984	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1532	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1472	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1472	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1472	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2544	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2544	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2544	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1048	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1048	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 1048	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	powershell.exe
PID 2804 wrote to memory of 2428	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	OSPPSVC.exe
PID 2804 wrote to memory of 2428	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	OSPPSVC.exe
PID 2804 wrote to memory of 2428	2804	6c1254f6b6b376f8d51b7fb1efc557b0N.exe	OSPPSVC.exe
PID 2428 wrote to memory of 2168	2428	OSPPSVC.exe	WScript.exe
PID 2428 wrote to memory of 2168	2428	OSPPSVC.exe	WScript.exe
PID 2428 wrote to memory of 2168	2428	OSPPSVC.exe	WScript.exe
PID 2428 wrote to memory of 2240	2428	OSPPSVC.exe	WScript.exe
PID 2428 wrote to memory of 2240	2428	OSPPSVC.exe	WScript.exe
PID 2428 wrote to memory of 2240	2428	OSPPSVC.exe	WScript.exe
PID 2168 wrote to memory of 2312	2168	WScript.exe	OSPPSVC.exe
PID 2168 wrote to memory of 2312	2168	WScript.exe	OSPPSVC.exe
PID 2168 wrote to memory of 2312	2168	WScript.exe	OSPPSVC.exe
PID 2312 wrote to memory of 1540	2312	OSPPSVC.exe	WScript.exe
PID 2312 wrote to memory of 1540	2312	OSPPSVC.exe	WScript.exe
PID 2312 wrote to memory of 1540	2312	OSPPSVC.exe	WScript.exe
PID 2312 wrote to memory of 1964	2312	OSPPSVC.exe	WScript.exe
PID 2312 wrote to memory of 1964	2312	OSPPSVC.exe	WScript.exe
PID 2312 wrote to memory of 1964	2312	OSPPSVC.exe	WScript.exe
PID 1540 wrote to memory of 2328	1540	WScript.exe	OSPPSVC.exe
PID 1540 wrote to memory of 2328	1540	WScript.exe	OSPPSVC.exe
PID 1540 wrote to memory of 2328	1540	WScript.exe	OSPPSVC.exe
PID 2328 wrote to memory of 584	2328	OSPPSVC.exe	WScript.exe
PID 2328 wrote to memory of 584	2328	OSPPSVC.exe	WScript.exe
PID 2328 wrote to memory of 584	2328	OSPPSVC.exe	WScript.exe
PID 2328 wrote to memory of 2968	2328	OSPPSVC.exe	WScript.exe
PID 2328 wrote to memory of 2968	2328	OSPPSVC.exe	WScript.exe
PID 2328 wrote to memory of 2968	2328	OSPPSVC.exe	WScript.exe
PID 584 wrote to memory of 2152	584	WScript.exe	OSPPSVC.exe

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe6c1254f6b6b376f8d51b7fb1efc557b0N.exeOSPPSVC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c1254f6b6b376f8d51b7fb1efc557b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c1254f6b6b376f8d51b7fb1efc557b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6c1254f6b6b376f8d51b7fb1efc557b0N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
"C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a740d287-e901-4416-9b86-b1bd4d49d78a.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66e5beaf-dc0d-4f2d-8755-630c27e98f2b.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7cb45b9-2905-4402-8ae6-ead1bb64cd57.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2152

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\699a87e5-193c-4202-8c51-f12711a031ef.vbs"
9⤵
PID:1696

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe47991-3d06-438e-8b1b-18f89ca7a919.vbs"
11⤵
PID:1788

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a78eef-d4b3-4386-8603-187adda713a5.vbs"
13⤵
PID:2924

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40af5aeb-f38d-42cd-83e4-acbdb2e13c85.vbs"
15⤵
PID:1540

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c3a8726-3f3d-4a17-9962-d87de4694b8a.vbs"
17⤵
PID:1728

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
18⤵
PID:1556

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b45be973-e70f-4749-8702-b4c2ba46d1df.vbs"
19⤵
PID:1636

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
20⤵
PID:2680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854062bf-2f19-4654-a88c-394415366272.vbs"
21⤵
PID:980

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
22⤵
PID:2304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1ae7ec-9e85-4d47-b847-f647a99f5db7.vbs"
23⤵
PID:2644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aa3d074-f272-4d68-8b81-39b5ad6092fa.vbs"
23⤵
PID:2632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8e88dc-71f5-436b-be42-2ebd79a544ac.vbs"
21⤵
PID:2972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c522bb-72b5-4007-aae0-90faa659cd5a.vbs"
19⤵
PID:832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa08754d-189b-42a8-bd4a-6cd9fce1c6b1.vbs"
17⤵
PID:1216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1e0c05-3ad3-4066-9608-38e7053c6e16.vbs"
15⤵
PID:1120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9672d92b-e189-4ebf-afbd-306a7ba9402c.vbs"
13⤵
PID:2456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac18879-236d-47c6-99b4-313742441803.vbs"
11⤵
PID:1816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c891c898-9f51-49a8-9611-aeeb4eeb4148.vbs"
9⤵
PID:696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea23c3fa-cf6c-45fc-ad97-d9ed653ef86e.vbs"
7⤵
PID:2968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\492c3f3f-5f6d-4d0a-ba5f-9f6d4587fbc1.vbs"
5⤵
PID:1964

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26563c1c-2091-4146-83d4-5afc4890bfbe.vbs"
3⤵
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\CreateDisc\style\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ehome\CreateDisc\style\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\CreateDisc\style\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c1254f6b6b376f8d51b7fb1efc557b0N6" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\6c1254f6b6b376f8d51b7fb1efc557b0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c1254f6b6b376f8d51b7fb1efc557b0N" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\6c1254f6b6b376f8d51b7fb1efc557b0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c1254f6b6b376f8d51b7fb1efc557b0N6" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\6c1254f6b6b376f8d51b7fb1efc557b0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\TableTextService\ja-JP\OSPPSVC.exe

Filesize
4.9MB

MD5
6c1254f6b6b376f8d51b7fb1efc557b0

SHA1
87d0cf2bda3a3cc1033d0a859d1446ccf70a1704

SHA256
e8560b6c4995a7a59a5f0e67485259d7adb625a438bb25b0ed209bd24cad58b8

SHA512
5b1c6b910d88d839fdb1dfc25d6eecffd7a2fe544b8b7c62c4012c5773e4633002dbf5d04d1bfc71ae546c8ffc893fc94cab7576acfbd81e6aff2be69f6904a7

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe

Filesize
2.5MB

MD5
2030be8b464ad8400f8743e24c6cee6e

SHA1
bdfed56eb78a163e78aeb18e9abd547e6245bb6a

SHA256
0dc6024c5b59e1b84c7fdf8f8b44c5586226ee520389a1394f48bcea8bff4592

SHA512
1a67c9f5514b6484e091c4b2c1eabdc7e9cbed0fede934fe049b0c4113b7183813a6200c0b1902e3efc79533e6eca0b029fea70bb26d5aa9bd46063534ca70c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\01a78eef-d4b3-4386-8603-187adda713a5.vbs

Filesize
736B

MD5
e78a0fba442d5a78055e56328857c8c2

SHA1
0fe52724b4cca236fb978f872ca591508f3827e2

SHA256
5eab4eec2beb9a6638260bf6de9a07212325d85ac8083da0b2539f2f9325fe7a

SHA512
28494cec78a7997ddbbeec7e4fb4a597e2468f66de22523f12dfb0befed5cf9991819a0277cc5782353a513eda3b3fdf23b844403f7d38be463eb4098e3bd39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\26563c1c-2091-4146-83d4-5afc4890bfbe.vbs

Filesize
512B

MD5
c33a72b1516b9b0f7369893355843cec

SHA1
ea779d0cbe5fe374ff534cbbdb7a195bf735cb75

SHA256
e6cd831fa26ec6f5c2303f66115029a42e6db7468f23e210622ea6a485652382

SHA512
be6fd987346da3a606f478dddb7069dcdb3d1cd1c534997f924b7a7c9dbcffe802619a9cd3e5049656f0fece8512544cb8b9c0097e206a55dbbe5508f03683e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\40af5aeb-f38d-42cd-83e4-acbdb2e13c85.vbs

Filesize
736B

MD5
8cbf64c7a42041ae7c6d3236aacad62c

SHA1
221513eeb1fff5fdadee6dfd061bdfb83ab4cde7

SHA256
ea2d15ef8efdd51baf22cbf28b98c4d328b0fc5a362f8e54dbf3327de2631015

SHA512
4922f7bf7183963c27b21cd898792f622cd3f665d800ae55d1a91d628fc53e2c081401e0dba000d6b2c3a829a9405ebab2ae4fedda36cca693480a14c349e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\66e5beaf-dc0d-4f2d-8755-630c27e98f2b.vbs

Filesize
736B

MD5
6a2ec091be9dd865afda1924bc22eebe

SHA1
e0f3d65419dd6a30b356e871f73b34dbff48ed72

SHA256
a2a6b05de9800dd7b57944ecffdc38a54579283da923364f38370d45a6af44d0

SHA512
b9c7b71152eac735e2d8a0c92bc64396c483b2a7f23bf7fe6c8a2fa0078d1bfc415fe0d53119d93638be7b35f7e3b389cae43f7f7221ad255b4cf6f9f245b9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\699a87e5-193c-4202-8c51-f12711a031ef.vbs

Filesize
736B

MD5
ce9dcb823dea3e9d31e8b4709103ffd1

SHA1
701641273874a576bc2d03220aa25bf2762d13df

SHA256
fd04ec950ee7bd67391f87ed64597922e3ec4179a7230e4d4fb587f436816434

SHA512
1c4a91ff9831c0fec2b91f8ed9c9c0a88cf2108d648e2623c61ee6c5ecc73bb50c63fff60a9cfa66a7c31372c7a10bd159cf062e2c2371f0dd16aa49b1001b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\854062bf-2f19-4654-a88c-394415366272.vbs

Filesize
736B

MD5
1bdf21d0a0021d0d1ec46b8331aced32

SHA1
08bbb6573039ff4691353011fd4578e0f388f1e1

SHA256
4c7430b5f5fb7cc23aeeda3ca6fe9e76682aefd461e36cb6aacb1549b5115e0a

SHA512
e011445bcccb1616c7fab40abac51afe27474ae9e7a88b8fd6d86eda252ab30d6a4f700d93c133dfb78f018e32efa83bcdfa295e2b9fab388e4cbb44e26ae284

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c3a8726-3f3d-4a17-9962-d87de4694b8a.vbs

Filesize
736B

MD5
72d328bda80695fbedd18c683f17a8b4

SHA1
2dd1db59c9b1bfdd805579ececd6490e3eb4ffbe

SHA256
8ced65698c21742d678b4fd4025d15636228c1648fe2670491b028e783b9f3b9

SHA512
306eb281efccec732445feaa946b79b54e74577fe670de5fe00f6330aa9a579abdc5933f7c4bcc8bbde1ecbb1f2b4a79cb7c103f5fddc455434379061fe19005

Download Submit
C:\Users\Admin\AppData\Local\Temp\a740d287-e901-4416-9b86-b1bd4d49d78a.vbs

Filesize
736B

MD5
88d24b962e094f6733d8f0fbb65eb51d

SHA1
7514ca784dfb58f2090c77aa3ea6559e12bb8c18

SHA256
49f18acabe487b7840c0896e6bd7ec9e05f9596b817fbf0555523d5161959c1b

SHA512
e09e8286dd8ba9a462f90be25737e7014d97a7005904e38903784ee4fc8df06b23b91acc92dca6dc588cae5464ec7439ac90837caa9e0d78c8ef1513952b8f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\afe47991-3d06-438e-8b1b-18f89ca7a919.vbs

Filesize
736B

MD5
bb4cdf2e8373d68fbb205ef5a8df3b82

SHA1
6c1b2e8d484af88c8c5e5ad0e510f7c51a0e3883

SHA256
b1488af7f98c2826d15dd4efe314a18200b81aee99d683d4979ad297e94ae62a

SHA512
cc8fbec48dbb809c046cd0072b35f5006fd02d6c8c9822202c0d7e8f3e4f2a1fd375dcc0a05031094f24c573a6813eb0e0e5345ab4457fb269ef6e7314e71d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\b45be973-e70f-4749-8702-b4c2ba46d1df.vbs

Filesize
736B

MD5
329ef7b7abe563c17b772f76bb0dd493

SHA1
99c3d478fc45a528195d1f20e668c1c79559578d

SHA256
fcf5493f130114dd0adeb1d96d3d6412ad993b1f6daf440f21846178a84ab547

SHA512
bf215b8ab0da2b670466a0ab08f31ac0a4f3bac834cecdbf76b5a4d714e7c51d583852fb63e7907d53d0210499743f87d749fa62800a402ee2b9602e4e6cc255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccebd0349ffdfa81c0687e1f9fd738efbc14f899.exe

Filesize
1.6MB

MD5
0bf834eb56e353762fcaf03f1cfc8868

SHA1
000ad3a55a26dd1d3a7f0aa5d1ae07d6ec4400ac

SHA256
e80de7d0ff98e86578bba993ab80699533d527095831b5e8a1d108763b192c11

SHA512
21d27dab493ad046a24a56b6fa34f895bb7239e927660e981f7da0ef365cea99ecf15a30697fb38411dc44244dd3fbb0515c112a5c7a969a9c3cc236493fdba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7cb45b9-2905-4402-8ae6-ead1bb64cd57.vbs

Filesize
736B

MD5
e0afd55a1cfaec414f605e943236623b

SHA1
e5f07ee07b6f1f7c49cdc6c644e7d1e968ad7d89

SHA256
01847c42ecbd97bc1502305b8e71ddcc8d3171d81cbece7d846fe0dd4416bfdb

SHA512
6f74c25e3fb8d06319b9e5baf4f595a788adaf70d4b8d260b32d39a323d8e78011bd3b6c3d779a1bd0a551555c562887b36dff18c0928bb5b10a7c71c8ea12fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe1ae7ec-9e85-4d47-b847-f647a99f5db7.vbs

Filesize
736B

MD5
bd9e95e27b22181fbc61547809df0c47

SHA1
e71a5b00d7aba159f57497b6b81ee09e87b426d8

SHA256
f44ba6da427d7c1d8ae5b8353ef3351b95a011dc952aeda27e5e4b684fa9afd3

SHA512
fac6620933fde3c26b7e63a6fbb58998d0f452525e34320f514fbb3b2269856bed575f8b9626697c4ae9f884c65ddb0c8ae8b871a68403ea4037a2ccf6d3afb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe2269e60865beae4517083da64cc4b2

SHA1
3bb59f3180cca3d08211633ccbca22e0625add86

SHA256
431490d3b770f7a8db9727ebd1c75781a91b0857d1653bee867bdb0c50a22d63

SHA512
3ea18835d44f8e7fdc8a2431196087860078a9aabcb000df2fa1f3c18754b4baa062e0ca14d6aa04602f1d033baa5c485cb487de06528514361abdbc699f350e

Download Submit
C:\Users\Default\Videos\RCX1611.tmp

Filesize
4.9MB

MD5
6731a7fd5720d8c09fa8b90664bf5d87

SHA1
92420988c8ac1d4db487a6a4f677651636f77161

SHA256
62547c5373a9b0e91d5237eafe81f36c607295309854d6359323edca7ad2c403

SHA512
bc70f5791ff8a1562ccecafe6a49465005567f50fa4d73a6b3ec56c9096986366ad5472aab335da4832dbdef317a83ce0df152d47eada399840eb7df7305139b

Download Submit
memory/552-196-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/1556-367-0x0000000001170000-0x0000000001664000-memory.dmp

Filesize
5.0MB

Download
memory/1832-195-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1832-352-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/1940-337-0x0000000000DC0000-0x00000000012B4000-memory.dmp

Filesize
5.0MB

Download
memory/2152-293-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2304-396-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2312-262-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download
memory/2328-277-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2328-278-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2428-194-0x0000000000ED0000-0x00000000013C4000-memory.dmp

Filesize
5.0MB

Download
memory/2428-243-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2512-322-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/2804-15-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/2804-144-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2804-1-0x0000000000D30000-0x0000000001224000-memory.dmp

Filesize
5.0MB

Download
memory/2804-212-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-159-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-14-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2804-16-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2804-13-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/2804-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2804-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2804-7-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/2804-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2804-5-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2804-4-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2804-3-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-12-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2804-2-0x000000001B560000-0x000000001B68E000-memory.dmp

Filesize
1.2MB

Download
memory/2804-8-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download