dcrat | 8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78e

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Size

4.9MB
MD5

2c5faad0c4c5b9d351a4c51797e97240
SHA1

b34a6bd05c0f79d5a74817c1ed4fc2d3d9fa01d6
SHA256

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78e
SHA512

0dc0495c73f494ffb2f12722960932340dfec112a5a9c1ba35c5f769c8773bc8a092545d9b1c1c07856ef9e716b76dea8ed7e6b4549fdf589d859ce5c3a4f19e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1912	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1912	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2096-3-0x000000001B630000-0x000000001B75E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1680	powershell.exe
1148	powershell.exe
824	powershell.exe
1584	powershell.exe
3036	powershell.exe
1724	powershell.exe
1000	powershell.exe
1144	powershell.exe
788	powershell.exe
1444	powershell.exe
2776	powershell.exe
2200	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
2668	taskhost.exe
1916	taskhost.exe
2636	taskhost.exe
1660	taskhost.exe
3064	taskhost.exe
2440	taskhost.exe
2492	taskhost.exe
2832	taskhost.exe
1508	taskhost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 12 IoCs

Processes:

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\6203df4a6bafc7	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\4d171367c548fa	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\RCXB959.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\smss.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXBBCA.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXC09C.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\smss.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\69ddcba757bf72	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

Drops file in Windows directory 16 IoCs

Processes:

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

description	ioc	Process
File created	C:\Windows\Migration\WTR\wininit.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\de-DE\RCXCD9D.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\de-DE\dwm.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\ShellNew\RCXD4F0.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\Migration\WTR\wininit.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\ModemLogs\smss.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\ModemLogs\69ddcba757bf72	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\Migration\WTR\56085415360792	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\de-DE\dwm.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\ShellNew\services.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\ShellNew\c5b4cb5e9653cc	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\de-DE\6cb0b6c459d5d3	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\ModemLogs\RCXAC66.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File created	C:\Windows\ModemLogs\smss.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\Migration\WTR\RCXC520.tmp	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
File opened for modification	C:\Windows\ShellNew\services.exe	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1780	schtasks.exe
2032	schtasks.exe
1260	schtasks.exe
348	schtasks.exe
2020	schtasks.exe
2460	schtasks.exe
2324	schtasks.exe
2044	schtasks.exe
1984	schtasks.exe
2696	schtasks.exe
1708	schtasks.exe
2764	schtasks.exe
2640	schtasks.exe
1736	schtasks.exe
1892	schtasks.exe
2828	schtasks.exe
752	schtasks.exe
896	schtasks.exe
820	schtasks.exe
580	schtasks.exe
2468	schtasks.exe
2804	schtasks.exe
1404	schtasks.exe
2524	schtasks.exe
2936	schtasks.exe
2056	schtasks.exe
1448	schtasks.exe
1692	schtasks.exe
2240	schtasks.exe
1756	schtasks.exe
2708	schtasks.exe
2672	schtasks.exe
872	schtasks.exe
2744	schtasks.exe
2592	schtasks.exe
2584	schtasks.exe
2740	schtasks.exe
1836	schtasks.exe
816	schtasks.exe
1720	schtasks.exe
3000	schtasks.exe
1808	schtasks.exe
2600	schtasks.exe
3024	schtasks.exe
2216	schtasks.exe
2660	schtasks.exe
1144	schtasks.exe
1556	schtasks.exe
1440	schtasks.exe
2824	schtasks.exe
2064	schtasks.exe
2704	schtasks.exe
2400	schtasks.exe
2392	schtasks.exe
1716	schtasks.exe
2384	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
788	powershell.exe
3036	powershell.exe
1680	powershell.exe
1144	powershell.exe
1724	powershell.exe
1148	powershell.exe
824	powershell.exe
2776	powershell.exe
1000	powershell.exe
2200	powershell.exe
1444	powershell.exe
1584	powershell.exe
2668	taskhost.exe
1916	taskhost.exe
2636	taskhost.exe
1660	taskhost.exe
3064	taskhost.exe
2440	taskhost.exe
2492	taskhost.exe
2832	taskhost.exe
1508	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2668	taskhost.exe
Token: SeDebugPrivilege	1916	taskhost.exe
Token: SeDebugPrivilege	2636	taskhost.exe
Token: SeDebugPrivilege	1660	taskhost.exe
Token: SeDebugPrivilege	3064	taskhost.exe
Token: SeDebugPrivilege	2440	taskhost.exe
Token: SeDebugPrivilege	2492	taskhost.exe
Token: SeDebugPrivilege	2832	taskhost.exe
Token: SeDebugPrivilege	1508	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 2200	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	89
PID 2096 wrote to memory of 2200	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	89
PID 2096 wrote to memory of 2200	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	89
PID 2096 wrote to memory of 3036	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	90
PID 2096 wrote to memory of 3036	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	90
PID 2096 wrote to memory of 3036	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	90
PID 2096 wrote to memory of 1680	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	91
PID 2096 wrote to memory of 1680	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	91
PID 2096 wrote to memory of 1680	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	91
PID 2096 wrote to memory of 1724	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	92
PID 2096 wrote to memory of 1724	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	92
PID 2096 wrote to memory of 1724	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	92
PID 2096 wrote to memory of 1000	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	93
PID 2096 wrote to memory of 1000	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	93
PID 2096 wrote to memory of 1000	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	93
PID 2096 wrote to memory of 1144	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	94
PID 2096 wrote to memory of 1144	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	94
PID 2096 wrote to memory of 1144	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	94
PID 2096 wrote to memory of 1148	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	95
PID 2096 wrote to memory of 1148	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	95
PID 2096 wrote to memory of 1148	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	95
PID 2096 wrote to memory of 824	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	96
PID 2096 wrote to memory of 824	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	96
PID 2096 wrote to memory of 824	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	96
PID 2096 wrote to memory of 788	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	97
PID 2096 wrote to memory of 788	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	97
PID 2096 wrote to memory of 788	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	97
PID 2096 wrote to memory of 1584	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	98
PID 2096 wrote to memory of 1584	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	98
PID 2096 wrote to memory of 1584	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	98
PID 2096 wrote to memory of 1444	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	99
PID 2096 wrote to memory of 1444	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	99
PID 2096 wrote to memory of 1444	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	99
PID 2096 wrote to memory of 2776	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	100
PID 2096 wrote to memory of 2776	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	100
PID 2096 wrote to memory of 2776	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	100
PID 2096 wrote to memory of 2152	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	113
PID 2096 wrote to memory of 2152	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	113
PID 2096 wrote to memory of 2152	2096	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe	113
PID 2152 wrote to memory of 2688	2152	cmd.exe	115
PID 2152 wrote to memory of 2688	2152	cmd.exe	115
PID 2152 wrote to memory of 2688	2152	cmd.exe	115
PID 2152 wrote to memory of 2668	2152	cmd.exe	116
PID 2152 wrote to memory of 2668	2152	cmd.exe	116
PID 2152 wrote to memory of 2668	2152	cmd.exe	116
PID 2668 wrote to memory of 592	2668	taskhost.exe	117
PID 2668 wrote to memory of 592	2668	taskhost.exe	117
PID 2668 wrote to memory of 592	2668	taskhost.exe	117
PID 2668 wrote to memory of 1500	2668	taskhost.exe	118
PID 2668 wrote to memory of 1500	2668	taskhost.exe	118
PID 2668 wrote to memory of 1500	2668	taskhost.exe	118
PID 592 wrote to memory of 1916	592	WScript.exe	119
PID 592 wrote to memory of 1916	592	WScript.exe	119
PID 592 wrote to memory of 1916	592	WScript.exe	119
PID 1916 wrote to memory of 2520	1916	taskhost.exe	120
PID 1916 wrote to memory of 2520	1916	taskhost.exe	120
PID 1916 wrote to memory of 2520	1916	taskhost.exe	120
PID 1916 wrote to memory of 1904	1916	taskhost.exe	121
PID 1916 wrote to memory of 1904	1916	taskhost.exe	121
PID 1916 wrote to memory of 1904	1916	taskhost.exe	121
PID 2520 wrote to memory of 2636	2520	WScript.exe	122
PID 2520 wrote to memory of 2636	2520	WScript.exe	122
PID 2520 wrote to memory of 2636	2520	WScript.exe	122
PID 2636 wrote to memory of 632	2636	taskhost.exe	123

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe
"C:\Users\Admin\AppData\Local\Temp\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nX0FLzXQTr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2688
- - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
    "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d809072a-ac18-41e5-80e2-4a4036a938ee.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1916
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71b0cd74-5a2d-4230-9e06-ee5d688be84c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba572383-de85-4f93-87c6-d7195a391020.vbs"
        8⤵
        
        PID:632
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80086d4c-bd49-415b-8da6-d51c0e1ae28f.vbs"
        10⤵
        
        PID:2032
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e219b797-d3dc-43d0-8751-8be991790c33.vbs"
        12⤵
        
        PID:2592
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44bcb1bf-8fe2-4a71-ac7c-2c27ca765914.vbs"
        14⤵
        
        PID:1616
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fcfbe3a-14db-473d-b1b5-f23d722b464a.vbs"
        16⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641d7b6a-384f-4143-809a-621297fc0c62.vbs"
        18⤵
        
        PID:2868
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e6972c6-33c2-4b5e-b41f-cd4b133ae8c1.vbs"
        18⤵
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5204ccc-803e-4091-9f0d-4ea8263ea301.vbs"
        16⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f08c82b9-55bc-4841-a072-da364791e9be.vbs"
        14⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f784959-f948-4725-b015-92425d2a5016.vbs"
        12⤵
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\550bfdaa-1c8b-4233-b043-42c5ed3e298c.vbs"
        10⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10df59ad-18cf-44d0-8072-70c0c610f69b.vbs"
        8⤵
        
        PID:2920
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e136448-1c0e-40ae-85a6-a02d4f450211.vbs"
        6⤵
        
        PID:1904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e50d9c5a-508d-479f-853b-91c3774898c1.vbs"
      4⤵
      PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN8" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN8" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN8" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN8" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellNew\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe

Filesize
4.9MB

MD5
0340798040027b602ce84a0771b813cb

SHA1
017130c9977f085ead6d5153ff7d213a529c4a24

SHA256
d2cc0ba49d06ea2e1f11f0fa30b06c7fb2a7bc5c2db191d12394d7785c4ca67c

SHA512
48043832287d513474671f8ff33519ef0dafcdd38ce68f8548e8d06d8ab74823bf8cead645fd4c7288397165b4ec13922e52ae0e61aa7b952b2eb59e3cd0727d

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

Filesize
4.9MB

MD5
0a577d35850e8341b15ca7626746a62f

SHA1
d8911836449d0ec28a47577ebc72dc8c69087ff9

SHA256
b65f9d89214e43ff060f0269810ed78e70a27057a802a06009c923b703422150

SHA512
bc3596a6eef0d8d62cd413ca39f27bc3f645bda26f3f535922d19c319326f32c75576ab9b47ea1433f4839fee55b70746c8e7213569bfc838252ec1144282ad2

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78eN.exe

Filesize
4.9MB

MD5
2c5faad0c4c5b9d351a4c51797e97240

SHA1
b34a6bd05c0f79d5a74817c1ed4fc2d3d9fa01d6

SHA256
8286bc5b89759048ad65136a2d8d4ee52a431798a4664917e926dea98c61e78e

SHA512
0dc0495c73f494ffb2f12722960932340dfec112a5a9c1ba35c5f769c8773bc8a092545d9b1c1c07856ef9e716b76dea8ed7e6b4549fdf589d859ce5c3a4f19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\44bcb1bf-8fe2-4a71-ac7c-2c27ca765914.vbs

Filesize
751B

MD5
916f644e3a4e2d9b1813a527b10327fb

SHA1
98d16cb815b874da19c210f76dddbf11707a1990

SHA256
114d253ba2d343a0d4d7cdf5d2c3cf7bd367d58092a2da6da2a189386072f11c

SHA512
12590b888ab6b43795efb812e2960bec27f2223ae1e90da62be16fc37be901e9935d40717a9400d00acebd58fbef922f9fed2289b05fc577f23f4f4946389c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\641d7b6a-384f-4143-809a-621297fc0c62.vbs

Filesize
751B

MD5
476675530584b2d6d2b604c6b8146337

SHA1
5fafa6843611a7060ddcc7d2d98a0575f1d416e2

SHA256
9a56f6d1213524a7b1def1b265f7fda7fdc2195a848a808641502ce8c699eb72

SHA512
c5be28eaf16244153fc2b3c0cb52c0ca932a71aaa8a98f0de73a0ab33b66038ccd2513d62a2eb8b70d05de591c68b030f8cee66469db265e31e96aab1553c3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\71b0cd74-5a2d-4230-9e06-ee5d688be84c.vbs

Filesize
751B

MD5
f6b4ef18cb54f520a8d3ab7504aeab3f

SHA1
f7612b4e220f5ae33ebef056c53eef54b72f1664

SHA256
d2908c5429c8e281846993d8767fd65d0bd27c2ff999cdfb3e754b93175a325a

SHA512
9f6bed1f8f5a5649ba2be258289a6ec4653bacaf8c9eb68c6117baa8f8e4123fa1dbb7693ad1ac3d39580a8e6b5170345b4fccdf61c81b72b70af1a3208aa1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\80086d4c-bd49-415b-8da6-d51c0e1ae28f.vbs

Filesize
751B

MD5
57524edb9ce0b0e9116bc5e7758706f6

SHA1
9a5263a2b03e35188abc8db3c46b55e2fc4c9443

SHA256
0a06842f583c188ea033bbaa382c3165cf374cd86dfc131d3110a79a697adc7a

SHA512
4d5b2bcfc018eab2539e5223005772055473952cc657c58cde76bd93ce420c3e36d1616b74fab502efeb09dd3860de961cc72589189b56cd9bd5fb7ef064279b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fcfbe3a-14db-473d-b1b5-f23d722b464a.vbs

Filesize
751B

MD5
201f47d92fe548711051925e497f05e3

SHA1
d394f871375464cba8cfcb0b1fe185fdb2e86557

SHA256
2bad7bba9506bb0581e96d0db4c21bfc06e1d78258d13f7361bd43f7f6e8894e

SHA512
4ffe269cd8f8919ad0ffd511dba1147045cbb6205066789447727b06f4a236e99f15757b48fbef987ba8806780d1ae0ff9368639d4c775d401d40d31acd0a23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba572383-de85-4f93-87c6-d7195a391020.vbs

Filesize
751B

MD5
0ba82fe25a8e5f301d203b374a735c24

SHA1
9b89e933f57a87afccb04d5951cc0c812b2d62c5

SHA256
83212b38889e9e8e8d5527e0bce6d2e59b199a69f85d3447f90094352159a0e4

SHA512
19ea3ee62c9b5b099b741efa2ec134c6ecfa0a792869815ed075e25c546d5c674e0bf02cc7d8013f186c56f836468b642bf7b86a5c54ca9a2f3107000fe972db

Download Submit
C:\Users\Admin\AppData\Local\Temp\d809072a-ac18-41e5-80e2-4a4036a938ee.vbs

Filesize
751B

MD5
e11e2fa88a725aed02f644a59459edc4

SHA1
2fd393a52bc29d42332c620d84014bdbd5e9c5a3

SHA256
41039361470357d634743b950239a8285d96c34bd15e98211da300f5961223c1

SHA512
2aeeb92e289440672e7af17cb2cc58839d4f4e1271a2a1d27433e41099cde19c1e32ac0cbd27a93cbaf7ef1dbe868cd3da011e3120a88f6c7ae1457a1ac25008

Download Submit
C:\Users\Admin\AppData\Local\Temp\e219b797-d3dc-43d0-8751-8be991790c33.vbs

Filesize
751B

MD5
c7fc6d6a80db893f3de513db20814784

SHA1
d6f83a45a45266fa383b9d1100ea230afaf2eb16

SHA256
1e0daa52b258c830376a72fe8fff8bfed3f1d01608b1e4a938eb013a6b08ed32

SHA512
47836aefe6de68d5440f791d931cc679de7449e125676d37e2af11507ef6d274adc9f994720ce8ef073577daa8eba3e850ad870a0f917ffd99e799a51f7bcf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e50d9c5a-508d-479f-853b-91c3774898c1.vbs

Filesize
527B

MD5
20c261012de21721efc4194a62f6c8d9

SHA1
6f797053b14ceb43244d275fc41301d0bec8984d

SHA256
8c4ce50cbd280cd06918187357f3674f79f4b003079ea3e6870d48cb32d5dcbf

SHA512
29618f24e27e0bbf6dbf44c12bce7e6df797ec31c6dd567e865eb3ecab5d60abe846e37d8a66a19493cb2bbc0db6f84e5d7f21b6b904ad36cc8ce8529ecf8414

Download Submit
C:\Users\Admin\AppData\Local\Temp\nX0FLzXQTr.bat

Filesize
240B

MD5
8ed44324137a246a99847191b9b0f51d

SHA1
e074dfa6c62fa26f72962c8336994f48d60c8dea

SHA256
70e7e89a2f4f37b7158626131cbb5adf925fa1b3da550f10d03eb25354fb58f0

SHA512
55fdb59b90d919b8196fe209c5120369a5eec06f5ba78119af869ca6e67232e37a77f1cde9004ccddbbef49ecc535ad651c5e5667dcd787f62ad7386b202d04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF95C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8edf43a567c6df884e25f45a565a44ed

SHA1
8ddf85aaa6ec4d47aad362e92d0513467f9216be

SHA256
2bfe7cdbc1a8c86dc55ae762aa36875eb3887939075b03814ee91f1394dd40e4

SHA512
08af5d8a65b8c91174bf32cfacc778ae4d2dcba284e62b0422639028acadc1b27b1e596912e032174c8197644b5317c11b6c1cbd55058cf3cfc26c4a1fd1017d

Download Submit
memory/788-253-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/788-254-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1660-302-0x0000000000890000-0x0000000000D84000-memory.dmp

Filesize
5.0MB

Download
memory/1916-272-0x0000000000ED0000-0x00000000013C4000-memory.dmp

Filesize
5.0MB

Download
memory/2096-11-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/2096-8-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2096-154-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-16-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/2096-216-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-15-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2096-14-0x00000000024C0000-0x00000000024C8000-memory.dmp

Filesize
32KB

Download
memory/2096-13-0x0000000002430000-0x000000000243E000-memory.dmp

Filesize
56KB

Download
memory/2096-1-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/2096-12-0x0000000002420000-0x000000000242E000-memory.dmp

Filesize
56KB

Download
memory/2096-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2096-10-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/2096-9-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/2096-139-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2096-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-7-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2096-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2096-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2096-3-0x000000001B630000-0x000000001B75E000-memory.dmp

Filesize
1.2MB

Download
memory/2096-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2440-332-0x0000000000BF0000-0x00000000010E4000-memory.dmp

Filesize
5.0MB

Download
memory/2636-287-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/2668-258-0x0000000000C20000-0x0000000001114000-memory.dmp

Filesize
5.0MB

Download
memory/2832-361-0x00000000011F0000-0x00000000016E4000-memory.dmp

Filesize
5.0MB

Download
memory/3064-317-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download