dcrat | 6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Size

4.9MB
MD5

58bf250686082cc8e02eea346661ea7f
SHA1

a465d280d33acc4ad04dc92ec4994703d8868ade
SHA256

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6
SHA512

881421c58bcc9570c5f4889a1bd79fad81fb2863c46369a84fd8a2506167fd749e72f4f75b8b2ededb79d7694baf54193057887d7f50dd7b786e67e09a1c392b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2700	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2700	schtasks.exe	29

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exe6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2436-2-0x000000001B4E0000-0x000000001B60E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2388	powershell.exe
2904	powershell.exe
2800	powershell.exe
2600	powershell.exe
2408	powershell.exe
2640	powershell.exe
2728	powershell.exe
2912	powershell.exe
1388	powershell.exe
2616	powershell.exe
2364	powershell.exe
2612	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
2860	taskhost.exe
2292	taskhost.exe
2916	taskhost.exe
2964	taskhost.exe
2876	taskhost.exe
976	taskhost.exe
2236	taskhost.exe
2120	taskhost.exe
2648	taskhost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 24 IoCs

Processes:

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXE020.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Uninstall Information\b75386f1303e64	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD591.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Windows Mail\winlogon.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXDBEA.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\taskhost.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Uninstall Information\taskhost.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\f3b6ecef712a24	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Windows Mail\winlogon.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Mozilla Firefox\taskhost.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Mozilla Firefox\b75386f1303e64	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXCC49.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Windows Mail\RCXD9D7.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\7a0fd90576e088	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Windows Mail\cc11b995f2a76d	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Program Files\Uninstall Information\taskhost.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXC758.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe

Drops file in Windows directory 9 IoCs

Processes:

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe

description	ioc	Process
File created	C:\Windows\Speech\Engines\SR\es-ES\services.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Windows\inf\UGTHRSVC\0a1fd5f707cd16	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Windows\inf\UGTHRSVC\sppsvc.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Windows\inf\UGTHRSVC\sppsvc.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXC46A.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Windows\inf\UGTHRSVC\RCXD7B4.tmp	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\27d1bcfc3c54e0	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2612	schtasks.exe
1192	schtasks.exe
928	schtasks.exe
968	schtasks.exe
2496	schtasks.exe
952	schtasks.exe
680	schtasks.exe
2016	schtasks.exe
2688	schtasks.exe
2244	schtasks.exe
1536	schtasks.exe
2288	schtasks.exe
3020	schtasks.exe
2020	schtasks.exe
2480	schtasks.exe
2308	schtasks.exe
1008	schtasks.exe
2844	schtasks.exe
2744	schtasks.exe
2632	schtasks.exe
740	schtasks.exe
2180	schtasks.exe
2384	schtasks.exe
2492	schtasks.exe
924	schtasks.exe
1596	schtasks.exe
1724	schtasks.exe
2880	schtasks.exe
2616	schtasks.exe
940	schtasks.exe
2784	schtasks.exe
2852	schtasks.exe
2584	schtasks.exe
2656	schtasks.exe
1984	schtasks.exe
2248	schtasks.exe
2548	schtasks.exe
2956	schtasks.exe
1836	schtasks.exe
2596	schtasks.exe
3016	schtasks.exe
1096	schtasks.exe
3048	schtasks.exe
2504	schtasks.exe
2476	schtasks.exe
1840	schtasks.exe
1560	schtasks.exe
2440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
1388	powershell.exe
2912	powershell.exe
2616	powershell.exe
2600	powershell.exe
2800	powershell.exe
2728	powershell.exe
2640	powershell.exe
2364	powershell.exe
2612	powershell.exe
2388	powershell.exe
2904	powershell.exe
2408	powershell.exe
2860	taskhost.exe
2292	taskhost.exe
2916	taskhost.exe
2964	taskhost.exe
2876	taskhost.exe
976	taskhost.exe
2236	taskhost.exe
2120	taskhost.exe
2648	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2860	taskhost.exe
Token: SeDebugPrivilege	2292	taskhost.exe
Token: SeDebugPrivilege	2916	taskhost.exe
Token: SeDebugPrivilege	2964	taskhost.exe
Token: SeDebugPrivilege	2876	taskhost.exe
Token: SeDebugPrivilege	976	taskhost.exe
Token: SeDebugPrivilege	2236	taskhost.exe
Token: SeDebugPrivilege	2120	taskhost.exe
Token: SeDebugPrivilege	2648	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	Process	procid_target
PID 2436 wrote to memory of 2912	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	78
PID 2436 wrote to memory of 2912	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	78
PID 2436 wrote to memory of 2912	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	78
PID 2436 wrote to memory of 1388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	79
PID 2436 wrote to memory of 1388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	79
PID 2436 wrote to memory of 1388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	79
PID 2436 wrote to memory of 2904	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	80
PID 2436 wrote to memory of 2904	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	80
PID 2436 wrote to memory of 2904	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	80
PID 2436 wrote to memory of 2388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	82
PID 2436 wrote to memory of 2388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	82
PID 2436 wrote to memory of 2388	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	82
PID 2436 wrote to memory of 2640	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	83
PID 2436 wrote to memory of 2640	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	83
PID 2436 wrote to memory of 2640	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	83
PID 2436 wrote to memory of 2408	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	84
PID 2436 wrote to memory of 2408	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	84
PID 2436 wrote to memory of 2408	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	84
PID 2436 wrote to memory of 2728	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	85
PID 2436 wrote to memory of 2728	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	85
PID 2436 wrote to memory of 2728	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	85
PID 2436 wrote to memory of 2612	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	86
PID 2436 wrote to memory of 2612	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	86
PID 2436 wrote to memory of 2612	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	86
PID 2436 wrote to memory of 2600	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	88
PID 2436 wrote to memory of 2600	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	88
PID 2436 wrote to memory of 2600	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	88
PID 2436 wrote to memory of 2364	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	89
PID 2436 wrote to memory of 2364	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	89
PID 2436 wrote to memory of 2364	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	89
PID 2436 wrote to memory of 2800	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	90
PID 2436 wrote to memory of 2800	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	90
PID 2436 wrote to memory of 2800	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	90
PID 2436 wrote to memory of 2616	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	91
PID 2436 wrote to memory of 2616	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	91
PID 2436 wrote to memory of 2616	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	91
PID 2436 wrote to memory of 740	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	102
PID 2436 wrote to memory of 740	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	102
PID 2436 wrote to memory of 740	2436	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe	102
PID 740 wrote to memory of 2472	740	cmd.exe	104
PID 740 wrote to memory of 2472	740	cmd.exe	104
PID 740 wrote to memory of 2472	740	cmd.exe	104
PID 740 wrote to memory of 2860	740	cmd.exe	105
PID 740 wrote to memory of 2860	740	cmd.exe	105
PID 740 wrote to memory of 2860	740	cmd.exe	105
PID 2860 wrote to memory of 1532	2860	taskhost.exe	106
PID 2860 wrote to memory of 1532	2860	taskhost.exe	106
PID 2860 wrote to memory of 1532	2860	taskhost.exe	106
PID 2860 wrote to memory of 2668	2860	taskhost.exe	107
PID 2860 wrote to memory of 2668	2860	taskhost.exe	107
PID 2860 wrote to memory of 2668	2860	taskhost.exe	107
PID 1532 wrote to memory of 2292	1532	WScript.exe	108
PID 1532 wrote to memory of 2292	1532	WScript.exe	108
PID 1532 wrote to memory of 2292	1532	WScript.exe	108
PID 2292 wrote to memory of 916	2292	taskhost.exe	109
PID 2292 wrote to memory of 916	2292	taskhost.exe	109
PID 2292 wrote to memory of 916	2292	taskhost.exe	109
PID 2292 wrote to memory of 2080	2292	taskhost.exe	110
PID 2292 wrote to memory of 2080	2292	taskhost.exe	110
PID 2292 wrote to memory of 2080	2292	taskhost.exe	110
PID 916 wrote to memory of 2916	916	WScript.exe	111
PID 916 wrote to memory of 2916	916	WScript.exe	111
PID 916 wrote to memory of 2916	916	WScript.exe	111
PID 2916 wrote to memory of 1012	2916	taskhost.exe	112

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exe6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe
"C:\Users\Admin\AppData\Local\Temp\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiyNQFHINv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2472
- - C:\MSOCache\All Users\taskhost.exe
    "C:\MSOCache\All Users\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c61d14-ccf5-4da0-b0a4-f708531bfbb8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2292
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee55304-e4d8-44aa-be74-168d654ef574.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6cb3dee-2eda-4aa8-a0e8-5fc21f27a8e8.vbs"
        8⤵
        
        PID:1012
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bfd06b-2f44-4a0d-8bfa-273e6de71e15.vbs"
        10⤵
        
        PID:2728
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7238364e-730f-4248-9632-2cea205953b0.vbs"
        12⤵
        
        PID:2764
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\034ba1b6-77ba-4d33-ab1b-22d98d2505ae.vbs"
        14⤵
        
        PID:2280
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29ee1dc1-444f-4ec7-942e-4e9d8a6cffbb.vbs"
        16⤵
        
        PID:1584
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\454983fa-01c0-4fe5-a1e1-e44aed01a0cb.vbs"
        18⤵
        
        PID:2308
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26185d7b-bc9b-43f3-a30a-4490d467b64f.vbs"
        20⤵
        
        PID:2432
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        21⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d86a6f-bbc0-40a0-bad0-d9da1a22f210.vbs"
        20⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c55b5e11-4af9-49eb-8650-0fdeaba0847f.vbs"
        18⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2a2ba86-c19f-4d5a-9373-a9c0a2fe0746.vbs"
        16⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea46c478-f9a6-48dd-9b16-19b04c5086a5.vbs"
        14⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5e1c9bc-fff4-4b90-8586-36d9e8a7b8df.vbs"
        12⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cb94d52-6cab-46c3-bdac-49d2a46d5ae0.vbs"
        10⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\379d5f15-7db2-4df7-8a67-fed6762fe017.vbs"
        8⤵
        
        PID:2152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0f0720-5c1b-4863-b771-ea497df292c2.vbs"
        6⤵
        
        PID:2080
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08ba8dc-3ec9-4357-a644-76973ba58e8d.vbs"
      4⤵
      PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGTHRSVC\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e66" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e66" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
4.9MB

MD5
607fc21493b0bfe19df65ec8c86ee13c

SHA1
143fe9b9d66305f72f825a548ab381dec4a22288

SHA256
99e3f7b5ce46d3d8aa3c191fe3ef374b416a70189a57fd8686695726c644dc28

SHA512
35dd487514ca4477fdc4ce7ab2342e861b235b2db361a47515c87993786d85275d075599ff5b72e52ce7d37721ceb1912b084a12e8103e120f7502a6b79a44d0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
4.9MB

MD5
58bf250686082cc8e02eea346661ea7f

SHA1
a465d280d33acc4ad04dc92ec4994703d8868ade

SHA256
6f00291aa8d783e5a5949251820dc4fe03a732a206890d7f4b3902f8994819e6

SHA512
881421c58bcc9570c5f4889a1bd79fad81fb2863c46369a84fd8a2506167fd749e72f4f75b8b2ededb79d7694baf54193057887d7f50dd7b786e67e09a1c392b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXE7A2.tmp

Filesize
4.9MB

MD5
6f93fb4cc3b2fb23f2979df2481ca4eb

SHA1
f5899c32d698bbe1f7196e3e332ed9f74fbac018

SHA256
725d184e4980e12a14ad61143a5d52a943411ce6e4eb44f5f07036e1c3a3f348

SHA512
9bb0d7ff611f7b5fba3cbd3353f8483705d97c673ac60ce96d5322efcd4b16c84cd6afdca26c2d54ddd609c0ed4df6ca7a0ea013be04b004cfbfd11ca34ed5be

Download Submit
C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\RCXE57F.tmp

Filesize
4.9MB

MD5
ca507bbf8a9cc5879d9eddb4d0e06fbe

SHA1
0a20459d876b3e7953c5ee45d77140aeb909e763

SHA256
2cdd4a71190e7731100db8edcf65cf0aa96817cf2d3da54866a1227e5d3539d1

SHA512
79859a4ee9dcf628f359aba8cddef0f62588859f9d1c08dd6b1bfad087ecc0aa3decc2ee52c7150e1c7a7116fe32d82d274622942b40371295071f13dd3da9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\034ba1b6-77ba-4d33-ab1b-22d98d2505ae.vbs

Filesize
709B

MD5
0da710ab447efaa92a905a261f037da2

SHA1
061d17c378d2600333159559e506d691dde2fb6c

SHA256
69b58bf32b40a76938e3c3b511fe74ed59eb87ba1d6534ced65b79267b13df9a

SHA512
4e5b1efb1e9c260ee3c42f3de7e2d33b618232d30f3d81238e151b3b58864a397854a3987da151614cdf7f5ee32a29f318c052b7dea902c3ac82958ed2f62e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\20bfd06b-2f44-4a0d-8bfa-273e6de71e15.vbs

Filesize
710B

MD5
6bfabb0b994707a2c7a93d00adb043a7

SHA1
2c18b8527a6db1d5f76eb8755638a1fe1ceac48b

SHA256
5572dd6151a46a1ad28bcb79ce02016494031c3411e00f96ca99afd3d2c42fb8

SHA512
a5856793eb08df3ea01fc125607575a3d2697d6b29c92438c105b63b51d187a68000cadcb5399fc4bf339ef7bf56ab55bbc2c91184154246874a3e72048ba755

Download Submit
C:\Users\Admin\AppData\Local\Temp\26185d7b-bc9b-43f3-a30a-4490d467b64f.vbs

Filesize
710B

MD5
ae49bf7cf74186f8796f68bd88e94722

SHA1
1dfe1797b61976647c21366727fc2571dc3f0ee9

SHA256
c25f9b755bfa6defb2c197a3ee6f74cd32a6699f12ff9d590b0593dde8148013

SHA512
06498aa927ed0733bcb564ef08f77a147341e63567da82d0e1e54ca94e918957d01f06687ff1ffeed58a49bb9efb5c249a1e82b9164a63727e0a6f88ea75295f

Download Submit
C:\Users\Admin\AppData\Local\Temp\29ee1dc1-444f-4ec7-942e-4e9d8a6cffbb.vbs

Filesize
710B

MD5
d7a8fdea0c2dee112d0321ccc5386e2e

SHA1
adcf0d541caec8124cec6ff32ef6496e34aaa98f

SHA256
42aa8b155b148423a29000a04da82902f4d9e3036ff6139ab582e9954ad124ec

SHA512
a6d359c788862770fe4642adee09bd0c7238da032e708a124536a678feabdce38b3ffce5818de6d04642ce1c91d25fd0470fb550d16909ac7dc6747a2586f8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\454983fa-01c0-4fe5-a1e1-e44aed01a0cb.vbs

Filesize
710B

MD5
1b85e1fdfa1b1e90b767fb8a82df5562

SHA1
bf25d27d116249fd6b62952f06fd1ce54a56d95f

SHA256
422c23034710a4c919a9e41932c2f6d2e4d74d7d416d7f626e1ad23bdc35a838

SHA512
d69cef724a770f4be999de254115d29c0e2e528337084c90f8f587f83a95809d3d67e1222cdb3eb6d7e5e903577662f4e23f1d8a95b0abb7a5162ffea7e856c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\49c61d14-ccf5-4da0-b0a4-f708531bfbb8.vbs

Filesize
710B

MD5
aa9c8b48cccc114a0fc5bf934ff25b4b

SHA1
63478eead11904484f7d80dfe22602cc06a801f7

SHA256
0d84036b07c21fd5c9a7902f95257d89ba18dfd9d3db0d51c5843dfabc43db99

SHA512
fa1b9d3dd623bfe96ef1198ce4449044be50401cd6bc252a2636fc714ed5ab925d26add9037f0b0e79280dfecd186de386009c792038f1bde2a00443833e21ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7238364e-730f-4248-9632-2cea205953b0.vbs

Filesize
710B

MD5
af650467a7814bff600bc791591cc3bb

SHA1
0744d99f1fc5a021a23ba818869513ec95ae3576

SHA256
92929167e589ccc9699c7c1aa6c5821ec707b325c847ac5534d3c4dff4c85bed

SHA512
e06c07ad1e649c3d1f0a2ca119fd78f310d4f23dfe7c7ab0e373c732751f90c439a7b15126a2d4795d2cd44bd687662a57171d757ac0a7bee12f44f26756ddec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiyNQFHINv.bat

Filesize
199B

MD5
b19a26104aea041e110fb245e335b263

SHA1
c478dc8e12c3fb9871036d668d2a55ac3f57693b

SHA256
b21a2b6a54e7e88da5fff8eb4551f6588f9a7979130bece59e3b93bd88d03977

SHA512
d6c44f83fe3aa04bbdd28a2060576efa84a7ad5abdff23a678d85862855f196552426714e4dd388d6fa70b215a74e349b93aa88aab1707ea7337c819c9807588

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6cb3dee-2eda-4aa8-a0e8-5fc21f27a8e8.vbs

Filesize
710B

MD5
d3fdb1377eb6b7bd3d29030ef9756f8d

SHA1
9911fb8c4a1848dc8b372413952f1b9efac00e5b

SHA256
7522db82d56f532a2a0d8f86d70230f8e630c88387219de6a44c24ab3493ddab

SHA512
20b13ecfc26ed41f996ab5678ac1410f33f3fef584d2d454f0aa196e19a5cb267cd950c0b91c5e2268d97578ec9ab6b619875a1d8336c2d2aef9728f074ab268

Download Submit
C:\Users\Admin\AppData\Local\Temp\eee55304-e4d8-44aa-be74-168d654ef574.vbs

Filesize
710B

MD5
418c2166abfce51f46e0d20b65bf86b4

SHA1
4929ba4e21c242baaacdb6234f3140d4770e8e34

SHA256
49a6a06d9230b83ecfe42b0a2d4530e3fd186ec42c222fa603e8799e02a18978

SHA512
ed42ff886c2af1a55bfbcfd5dc495b82939124dd10bda54bafaa2f535f04cb78f4e2563f924c518048a64cfcfaa2f638071d05c466fd1a1383504b5e41b329a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f08ba8dc-3ec9-4357-a644-76973ba58e8d.vbs

Filesize
486B

MD5
a4e97d7d8bddd6b55054f08ec11719f8

SHA1
61705646aa369be41c54dfc080b641fe5289b456

SHA256
6a2b38b501ce7a84071da05b85613bfa6ae72ca6163b580ca0878a94f604f32f

SHA512
d1b1125764b83d0ca9781d3fc4d69ad288e1b78d35795e44a6061787f6332fc696486b1aa6dda2f9ad8084fe030c195416113cd29d4cfb452e509d5881061468

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C57.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c46039068823c35d62d8cee22e47526

SHA1
fdcdfde0e35fdcf28357fa9ac86bf0372bf1701b

SHA256
96945171a526a2bdbb5c6cfd24eb72e18bfe30bdb50f1e47c35fa76206a20a7b

SHA512
936973d63dd2fd67f70db2306b97d8a763c8aa98eaa6d9da184a7f04f0b124d7818d013778f75a6b2194f1ed94c1a27b80c00e467c5fbfaf15678a07c5d78cc7

Download Submit
memory/1388-179-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/1388-178-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1736-362-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2436-11-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2436-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2436-93-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2436-16-0x000000001AA90000-0x000000001AA9C000-memory.dmp

Filesize
48KB

Download
memory/2436-186-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-15-0x000000001AA80000-0x000000001AA88000-memory.dmp

Filesize
32KB

Download
memory/2436-14-0x000000001AA70000-0x000000001AA78000-memory.dmp

Filesize
32KB

Download
memory/2436-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2436-1-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download
memory/2436-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2436-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2436-10-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2436-9-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/2436-2-0x000000001B4E0000-0x000000001B60E000-memory.dmp

Filesize
1.2MB

Download
memory/2436-8-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2436-3-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-7-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/2436-6-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2436-5-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2436-108-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-346-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/2648-347-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/2860-232-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/2916-260-0x0000000000FE0000-0x00000000014D4000-memory.dmp

Filesize
5.0MB

Download
memory/2964-275-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download