dcrat | b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166e

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Size

4.9MB
MD5

c31fedba9ce9222a356e7715a3c34920
SHA1

0461a57e40a68464e8bd0c1a8450013da3b343d7
SHA256

b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166e
SHA512

86a6e7190b99a8f204871f28b6614e7c44d9fb6bbf9118afdcc1d81094aa2de72b5ca0e415bf408b84fcfc3fd715482139f69f11e64189f60c1bc647bffc0632
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2964	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1592-2-0x000000001B640000-0x000000001B76E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
1624	powershell.exe
1892	powershell.exe
1652	powershell.exe
2176	powershell.exe
2312	powershell.exe
2928	powershell.exe
1012	powershell.exe
1684	powershell.exe
972	powershell.exe
3004	powershell.exe
1752	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
1976	WmiPrvSE.exe
2256	WmiPrvSE.exe
320	WmiPrvSE.exe
2276	WmiPrvSE.exe
2916	WmiPrvSE.exe
2900	WmiPrvSE.exe
3016	WmiPrvSE.exe
3060	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\lsm.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\RCXE1D3.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Google\Chrome\dllhost.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Google\Chrome\5940a34987c991	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\lsm.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\24dbde2999530e	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\csrss.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXEACC.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Google\Chrome\dllhost.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXD86D.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Internet Explorer\images\csrss.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Internet Explorer\images\886983d96e3d3e	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\101b941d020240	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXD64A.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\system\56909e2d628bc9	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\es-ES\wininit.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\es-ES\56085415360792	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXEF12.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\system\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\42af1c969fbb7b	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\es-ES\RCXE83C.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\es-ES\wininit.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.7601.17514_none_0614df8fb9269bc6\System.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\system\RCXCD31.tmp	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
File opened for modification	C:\Windows\system\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe
1116	schtasks.exe
3000	schtasks.exe
1980	schtasks.exe
2992	schtasks.exe
2804	schtasks.exe
1812	schtasks.exe
2888	schtasks.exe
2052	schtasks.exe
2284	schtasks.exe
480	schtasks.exe
1972	schtasks.exe
2976	schtasks.exe
840	schtasks.exe
936	schtasks.exe
2728	schtasks.exe
1712	schtasks.exe
3060	schtasks.exe
1048	schtasks.exe
112	schtasks.exe
1248	schtasks.exe
2492	schtasks.exe
2548	schtasks.exe
2260	schtasks.exe
1496	schtasks.exe
2040	schtasks.exe
1196	schtasks.exe
324	schtasks.exe
1900	schtasks.exe
1080	schtasks.exe
1660	schtasks.exe
684	schtasks.exe
2208	schtasks.exe
1200	schtasks.exe
1252	schtasks.exe
680	schtasks.exe
580	schtasks.exe
1732	schtasks.exe
2356	schtasks.exe
1512	schtasks.exe
2896	schtasks.exe
2712	schtasks.exe
2780	schtasks.exe
2732	schtasks.exe
1680	schtasks.exe
752	schtasks.exe
1936	schtasks.exe
2552	schtasks.exe
1600	schtasks.exe
2764	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
1012	powershell.exe
1752	powershell.exe
1652	powershell.exe
1684	powershell.exe
2368	powershell.exe
1624	powershell.exe
972	powershell.exe
3004	powershell.exe
1892	powershell.exe
2928	powershell.exe
2176	powershell.exe
2312	powershell.exe
1976	WmiPrvSE.exe
2256	WmiPrvSE.exe
320	WmiPrvSE.exe
2276	WmiPrvSE.exe
2916	WmiPrvSE.exe
2900	WmiPrvSE.exe
3016	WmiPrvSE.exe
3060	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Token: SeDebugPrivilege	1976	WmiPrvSE.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2256	WmiPrvSE.exe
Token: SeDebugPrivilege	320	WmiPrvSE.exe
Token: SeDebugPrivilege	2276	WmiPrvSE.exe
Token: SeDebugPrivilege	2916	WmiPrvSE.exe
Token: SeDebugPrivilege	2900	WmiPrvSE.exe
Token: SeDebugPrivilege	3016	WmiPrvSE.exe
Token: SeDebugPrivilege	3060	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 972	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	82
PID 1592 wrote to memory of 972	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	82
PID 1592 wrote to memory of 972	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	82
PID 1592 wrote to memory of 2312	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	83
PID 1592 wrote to memory of 2312	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	83
PID 1592 wrote to memory of 2312	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	83
PID 1592 wrote to memory of 3004	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	84
PID 1592 wrote to memory of 3004	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	84
PID 1592 wrote to memory of 3004	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	84
PID 1592 wrote to memory of 2928	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	86
PID 1592 wrote to memory of 2928	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	86
PID 1592 wrote to memory of 2928	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	86
PID 1592 wrote to memory of 1012	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	87
PID 1592 wrote to memory of 1012	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	87
PID 1592 wrote to memory of 1012	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	87
PID 1592 wrote to memory of 2368	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	88
PID 1592 wrote to memory of 2368	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	88
PID 1592 wrote to memory of 2368	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	88
PID 1592 wrote to memory of 1752	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	89
PID 1592 wrote to memory of 1752	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	89
PID 1592 wrote to memory of 1752	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	89
PID 1592 wrote to memory of 1684	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	90
PID 1592 wrote to memory of 1684	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	90
PID 1592 wrote to memory of 1684	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	90
PID 1592 wrote to memory of 2176	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	91
PID 1592 wrote to memory of 2176	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	91
PID 1592 wrote to memory of 2176	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	91
PID 1592 wrote to memory of 1652	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	92
PID 1592 wrote to memory of 1652	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	92
PID 1592 wrote to memory of 1652	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	92
PID 1592 wrote to memory of 1892	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	94
PID 1592 wrote to memory of 1892	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	94
PID 1592 wrote to memory of 1892	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	94
PID 1592 wrote to memory of 1624	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	95
PID 1592 wrote to memory of 1624	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	95
PID 1592 wrote to memory of 1624	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	95
PID 1592 wrote to memory of 1976	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	106
PID 1592 wrote to memory of 1976	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	106
PID 1592 wrote to memory of 1976	1592	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe	106
PID 1976 wrote to memory of 2296	1976	WmiPrvSE.exe	107
PID 1976 wrote to memory of 2296	1976	WmiPrvSE.exe	107
PID 1976 wrote to memory of 2296	1976	WmiPrvSE.exe	107
PID 1976 wrote to memory of 2680	1976	WmiPrvSE.exe	108
PID 1976 wrote to memory of 2680	1976	WmiPrvSE.exe	108
PID 1976 wrote to memory of 2680	1976	WmiPrvSE.exe	108
PID 2296 wrote to memory of 2256	2296	WScript.exe	109
PID 2296 wrote to memory of 2256	2296	WScript.exe	109
PID 2296 wrote to memory of 2256	2296	WScript.exe	109
PID 2256 wrote to memory of 1672	2256	WmiPrvSE.exe	110
PID 2256 wrote to memory of 1672	2256	WmiPrvSE.exe	110
PID 2256 wrote to memory of 1672	2256	WmiPrvSE.exe	110
PID 2256 wrote to memory of 520	2256	WmiPrvSE.exe	111
PID 2256 wrote to memory of 520	2256	WmiPrvSE.exe	111
PID 2256 wrote to memory of 520	2256	WmiPrvSE.exe	111
PID 1672 wrote to memory of 320	1672	WScript.exe	112
PID 1672 wrote to memory of 320	1672	WScript.exe	112
PID 1672 wrote to memory of 320	1672	WScript.exe	112
PID 320 wrote to memory of 1196	320	WmiPrvSE.exe	113
PID 320 wrote to memory of 1196	320	WmiPrvSE.exe	113
PID 320 wrote to memory of 1196	320	WmiPrvSE.exe	113
PID 320 wrote to memory of 1988	320	WmiPrvSE.exe	114
PID 320 wrote to memory of 1988	320	WmiPrvSE.exe	114
PID 320 wrote to memory of 1988	320	WmiPrvSE.exe	114
PID 1196 wrote to memory of 2276	1196	WScript.exe	115

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe
"C:\Users\Admin\AppData\Local\Temp\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
  "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1976
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72e49763-65bd-46d9-ac8b-556f8833b7c7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
      "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2256
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d9c899b-2b71-45c8-861c-98ea31bde2ca.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e9c65e9-c1c8-4c1c-95e3-7b7d5ff717d3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af838e61-3b0f-4b44-9b35-c58894728b9f.vbs"
        9⤵
        
        PID:972
        
        C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e730c8-ce24-4ebe-8a09-b9ef29848a55.vbs"
        11⤵
        
        PID:1544
        
        C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f8546fd-1d8c-49e1-ab36-b76676655e43.vbs"
        13⤵
        
        PID:2408
        
        C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29cded0d-7767-4ec2-8254-7d69537a6a1c.vbs"
        15⤵
        
        PID:580
        
        C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1820136-d15b-4806-bb8e-c433a92668dc.vbs"
        17⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d3e377e-485f-46a2-a32b-b5121185a0af.vbs"
        17⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4aa5bd6-1c26-4284-8ad4-855ab0866d79.vbs"
        15⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3b31d57-b1f9-4f73-b83b-7df5e51cd97e.vbs"
        13⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2fdc7f-3bc9-414b-98e5-82193d5d781e.vbs"
        11⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac87ade-b095-49e6-934f-15d30f58300e.vbs"
        9⤵
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b90f1c-426e-48e1-8fb3-7bb91b70389f.vbs"
        7⤵
        
        PID:1988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a12eb3b-0357-4d29-ab0f-250455778108.vbs"
        5⤵
        
        PID:520
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bdb2b5c-0bdf-4234-b34e-86eac77808a5.vbs"
    3⤵
    PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\LocalLow\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eNb" /sc MINUTE /mo 6 /tr "'C:\Windows\system\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN" /sc ONLOGON /tr "'C:\Windows\system\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eNb" /sc MINUTE /mo 8 /tr "'C:\Windows\system\b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe

Filesize
4.9MB

MD5
c31fedba9ce9222a356e7715a3c34920

SHA1
0461a57e40a68464e8bd0c1a8450013da3b343d7

SHA256
b8a5a65f1c36e6e16080dfa07bbcb2296023b1092006dcdf5ea49c9b46be166e

SHA512
86a6e7190b99a8f204871f28b6614e7c44d9fb6bbf9118afdcc1d81094aa2de72b5ca0e415bf408b84fcfc3fd715482139f69f11e64189f60c1bc647bffc0632

Download Submit
C:\Users\Admin\AppData\Local\Temp\29cded0d-7767-4ec2-8254-7d69537a6a1c.vbs

Filesize
727B

MD5
18dae5ffb097b1dc52be4bea679b327e

SHA1
f1012dd28221b41e95882e7164ca51dfc13d3bb6

SHA256
8ffe8233be9816affd2a35b4392157b0fbf69f4c89183f488bd4814ec5677a3a

SHA512
94d586c8715272b2289d40effa2b570620817836a274aac0b085a6c8dacba33e9a162f02c15d72822af6c608be7e1235843b29a139e47dd00044eacd765f49e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f8546fd-1d8c-49e1-ab36-b76676655e43.vbs

Filesize
727B

MD5
8e8f988375d2df9457aca52eccd78c0a

SHA1
410c23a4c226a0fcbe0b9b34120c91f7afedd376

SHA256
b69b18eb26c10f5e0c56e5ec45dd5d34bbcf9eb17858bbc8e724b8fc1402c3e2

SHA512
d5a2481e8d185ae034966d9c0984f5150e9c06e3baccc8c9e5c693d72e27b7d395f65b383f5760a53c75bd4b540daa5ca8ab4355aa1d4b8452c674ad91044a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\72e49763-65bd-46d9-ac8b-556f8833b7c7.vbs

Filesize
727B

MD5
dc6383d856c71628721e8a6411eaba93

SHA1
db958b1b26c15177d79e8105d8d426b96cc3f73c

SHA256
2f3feadfb70ad34eb8623d539f262aec525c79ec4d477a255308255e06aa2745

SHA512
e93f4231272ce92728727c8cea9c6c9de7850d3e12b45ee6786676fe0699bd7f5efcb746946ca5aceefefb22a1746c6005f8f0f00642cf098db6784c4925773d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bdb2b5c-0bdf-4234-b34e-86eac77808a5.vbs

Filesize
503B

MD5
00ffa28dc75c3d7ed03fbc74cc160457

SHA1
c457be615057e8b2aaadcc4cc98b5587a247d03d

SHA256
f027799c52aca92ab6d6e407e48f6ce7750a4733b981e2f93b72ac96920dcaee

SHA512
9e4232b6df8ff2dce04ddead065c415e19fb488fd14811e729b3fc16af8c82c72cc1cac7362c9b1f57605420d80040e04b7ae31e724065a78e5a624f2166c800

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e9c65e9-c1c8-4c1c-95e3-7b7d5ff717d3.vbs

Filesize
726B

MD5
a14897121557cd44dddbc5def1cfa01c

SHA1
595fadbb2f1182d4cc1d86ba412398594ea18355

SHA256
1e6cb7e86840b04b9abd40d8f3ce3db6ea9eb7958043b0b840e370bbff4e68e8

SHA512
0e319eb6592b9b0373ea65317d5f088fda887321b38b8b2cd2c371df911cc4b14fa212096b64cf83a6c4b79c2a2a9c2b120a486a5cb5b903e798cec6636b8cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d9c899b-2b71-45c8-861c-98ea31bde2ca.vbs

Filesize
727B

MD5
fcfec1b8be860aff32e5d77fe522d177

SHA1
de62d2d0fba72f00e7b187b6ab6f7a374b7a7c1c

SHA256
ae0017ff66170e3b0cfd11a1e692ba106ca840fce5502c731a92aa636b318e6a

SHA512
b5394c35c5f78d05b858ac60fa37c069d10039a716d56d6a613de539e2813713908d336bbcee4b22dcb8ed33ad989f353e596acc04acc481106e5a385f865983

Download Submit
C:\Users\Admin\AppData\Local\Temp\af838e61-3b0f-4b44-9b35-c58894728b9f.vbs

Filesize
727B

MD5
3cd015b5c8bba4ab32260f16822e5e36

SHA1
ebaaf1e0cce72f35a5ce07a6ce121dc35670987c

SHA256
f30f230a39bd4158f3ec1e45e66bdab831ab7aa2c3f6e2061f272417fa889dfd

SHA512
84a9b493eeba130c46174b2a89514877993cca22a9442c1922b2c7fb3e9ffc3256c347b1b800458c52d12cf48b83d262cba656955df7e726ab1ac7d16676b7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1820136-d15b-4806-bb8e-c433a92668dc.vbs

Filesize
727B

MD5
a09e4ce6b603207f427eeec8034eadf6

SHA1
4d580ebf93b9fd7aceaa0c75ca9620866ac3673c

SHA256
a659abfe05813f42b1026963e45de675a53b16d3b9161954c88a0e2d8b3e3857

SHA512
9e79c4ce393342faca1e0572254abc8dd2a7f5446a7a5be0c6018ff4c849d1f691afd063d2209c7a80de0aaf153dd63f79edb916d14f4290dfe1d69ff9883cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2e730c8-ce24-4ebe-8a09-b9ef29848a55.vbs

Filesize
727B

MD5
e6df74a10055f309798c0b8125cf24db

SHA1
43063ed2352449742d66addefbfa9d407b569d8d

SHA256
2ef1cf5b30b4ffae66f4456a54dcd7bca28343ea723d42282ad2d765b2f1fd13

SHA512
e7a55405d757c7a21581034f9ec77eebb7c0157fb182cb1ab24ea4d8623dcc24b857b30041955a16aad0c98f08b3d87347f3e8d59568c85e5594f6def96f383b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
53d2a42d83592e8b877e0cdbd93368cc

SHA1
d27998c162a1adfe33f4ea5f1288796dc732a516

SHA256
063fc1ad6426c64d7c43b47962f829d74b8403aec1ca2390d7075d5efad733d1

SHA512
a219a48fb262c413bdf16efcfdbd4bc83330bc8a5f3c2c001d6be5f324cb2225fb520f2cb425911697389d0cd5786892c0fdbc7349d7e43f48199b3a29b6b97f

Download Submit
memory/1012-238-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1592-10-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/1592-7-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/1592-15-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/1592-16-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/1592-28-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/1592-29-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1592-13-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/1592-1-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download
memory/1592-12-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1592-231-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1592-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1592-2-0x000000001B640000-0x000000001B76E000-memory.dmp

Filesize
1.2MB

Download
memory/1592-3-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/1592-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/1592-9-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1592-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/1592-4-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/1592-8-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1592-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1592-5-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1892-237-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1976-239-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/1976-179-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2256-253-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2276-282-0x00000000001F0000-0x00000000006E4000-memory.dmp

Filesize
5.0MB

Download
memory/2900-312-0x0000000000090000-0x0000000000584000-memory.dmp

Filesize
5.0MB

Download
memory/2916-297-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/3016-327-0x0000000001140000-0x0000000001634000-memory.dmp

Filesize
5.0MB

Download
memory/3016-328-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/3060-343-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download