dcrat | e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684ab

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Size

4.9MB
MD5

b3122af5e8a9fb754de586ed15e82010
SHA1

1742944ca846cf6a21912116aea128dc073cd379
SHA256

e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684ab
SHA512

35cee29e3cf2c1116a01e24491a572c065c482c2038fbd71676f2a18ce9eb550997ac81c45f8b2411036e615082a634f72175cf48c08e5ebc64b4e7a6a8b5319
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1996	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1996	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1196-2-0x000000001B400000-0x000000001B52E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1660	powershell.exe
312	powershell.exe
1836	powershell.exe
2996	powershell.exe
1736	powershell.exe
848	powershell.exe
2228	powershell.exe
2924	powershell.exe
1732	powershell.exe
2636	powershell.exe
2884	powershell.exe
2108	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2876	dwm.exe
2608	dwm.exe
2264	dwm.exe
2716	dwm.exe
2304	dwm.exe
772	dwm.exe
1700	dwm.exe
2376	dwm.exe
2644	dwm.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\RCXBDAC.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\audiodg.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\cc11b995f2a76d	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\42af1c969fbb7b	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files\7-Zip\Lang\dwm.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\audiodg.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\winlogon.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\886983d96e3d3e	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\winlogon.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXCF41.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXC425.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXC8B9.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\dwm.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\RCXB937.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\RemotePackages\886983d96e3d3e	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\Resources\Ease of Access Themes\winlogon.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\SoftwareDistribution\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\Resources\Ease of Access Themes\cc11b995f2a76d	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\TAPI\RCXB2C0.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\TAPI\wininit.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\SoftwareDistribution\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXC629.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\winlogon.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\TAPI\56085415360792	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\RemotePackages\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\SoftwareDistribution\886983d96e3d3e	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\RemotePackages\RCXB531.tmp	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File opened for modification	C:\Windows\RemotePackages\csrss.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
File created	C:\Windows\TAPI\wininit.exe	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2860	schtasks.exe
1932	schtasks.exe
2884	schtasks.exe
2852	schtasks.exe
2492	schtasks.exe
1916	schtasks.exe
1760	schtasks.exe
2040	schtasks.exe
2308	schtasks.exe
1260	schtasks.exe
2400	schtasks.exe
2872	schtasks.exe
2388	schtasks.exe
2816	schtasks.exe
1724	schtasks.exe
324	schtasks.exe
2596	schtasks.exe
1600	schtasks.exe
2468	schtasks.exe
2432	schtasks.exe
612	schtasks.exe
1092	schtasks.exe
2908	schtasks.exe
2072	schtasks.exe
2560	schtasks.exe
1872	schtasks.exe
1348	schtasks.exe
960	schtasks.exe
2396	schtasks.exe
1976	schtasks.exe
1504	schtasks.exe
772	schtasks.exe
2732	schtasks.exe
2620	schtasks.exe
2880	schtasks.exe
752	schtasks.exe
2964	schtasks.exe
2856	schtasks.exe
1492	schtasks.exe
2932	schtasks.exe
992	schtasks.exe
1780	schtasks.exe
532	schtasks.exe
1356	schtasks.exe
1316	schtasks.exe
352	schtasks.exe
2876	schtasks.exe
996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
2996	powershell.exe
2924	powershell.exe
312	powershell.exe
1732	powershell.exe
2228	powershell.exe
2636	powershell.exe
848	powershell.exe
2884	powershell.exe
1660	powershell.exe
1836	powershell.exe
1736	powershell.exe
2108	powershell.exe
2876	dwm.exe
2608	dwm.exe
2264	dwm.exe
2716	dwm.exe
2304	dwm.exe
772	dwm.exe
1700	dwm.exe
2376	dwm.exe
2644	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2876	dwm.exe
Token: SeDebugPrivilege	2608	dwm.exe
Token: SeDebugPrivilege	2264	dwm.exe
Token: SeDebugPrivilege	2716	dwm.exe
Token: SeDebugPrivilege	2304	dwm.exe
Token: SeDebugPrivilege	772	dwm.exe
Token: SeDebugPrivilege	1700	dwm.exe
Token: SeDebugPrivilege	2376	dwm.exe
Token: SeDebugPrivilege	2644	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 312	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	80
PID 1196 wrote to memory of 312	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	80
PID 1196 wrote to memory of 312	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	80
PID 1196 wrote to memory of 2924	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	81
PID 1196 wrote to memory of 2924	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	81
PID 1196 wrote to memory of 2924	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	81
PID 1196 wrote to memory of 1836	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	82
PID 1196 wrote to memory of 1836	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	82
PID 1196 wrote to memory of 1836	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	82
PID 1196 wrote to memory of 2996	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	83
PID 1196 wrote to memory of 2996	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	83
PID 1196 wrote to memory of 2996	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	83
PID 1196 wrote to memory of 1732	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	84
PID 1196 wrote to memory of 1732	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	84
PID 1196 wrote to memory of 1732	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	84
PID 1196 wrote to memory of 2636	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	85
PID 1196 wrote to memory of 2636	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	85
PID 1196 wrote to memory of 2636	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	85
PID 1196 wrote to memory of 2884	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	86
PID 1196 wrote to memory of 2884	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	86
PID 1196 wrote to memory of 2884	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	86
PID 1196 wrote to memory of 1736	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	87
PID 1196 wrote to memory of 1736	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	87
PID 1196 wrote to memory of 1736	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	87
PID 1196 wrote to memory of 848	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	96
PID 1196 wrote to memory of 848	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	96
PID 1196 wrote to memory of 848	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	96
PID 1196 wrote to memory of 2228	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	97
PID 1196 wrote to memory of 2228	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	97
PID 1196 wrote to memory of 2228	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	97
PID 1196 wrote to memory of 1660	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	98
PID 1196 wrote to memory of 1660	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	98
PID 1196 wrote to memory of 1660	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	98
PID 1196 wrote to memory of 2108	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	99
PID 1196 wrote to memory of 2108	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	99
PID 1196 wrote to memory of 2108	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	99
PID 1196 wrote to memory of 2876	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	104
PID 1196 wrote to memory of 2876	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	104
PID 1196 wrote to memory of 2876	1196	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe	104
PID 2876 wrote to memory of 2848	2876	dwm.exe	105
PID 2876 wrote to memory of 2848	2876	dwm.exe	105
PID 2876 wrote to memory of 2848	2876	dwm.exe	105
PID 2876 wrote to memory of 2092	2876	dwm.exe	106
PID 2876 wrote to memory of 2092	2876	dwm.exe	106
PID 2876 wrote to memory of 2092	2876	dwm.exe	106
PID 2848 wrote to memory of 2608	2848	WScript.exe	107
PID 2848 wrote to memory of 2608	2848	WScript.exe	107
PID 2848 wrote to memory of 2608	2848	WScript.exe	107
PID 2608 wrote to memory of 1860	2608	dwm.exe	108
PID 2608 wrote to memory of 1860	2608	dwm.exe	108
PID 2608 wrote to memory of 1860	2608	dwm.exe	108
PID 2608 wrote to memory of 2284	2608	dwm.exe	109
PID 2608 wrote to memory of 2284	2608	dwm.exe	109
PID 2608 wrote to memory of 2284	2608	dwm.exe	109
PID 1860 wrote to memory of 2264	1860	WScript.exe	110
PID 1860 wrote to memory of 2264	1860	WScript.exe	110
PID 1860 wrote to memory of 2264	1860	WScript.exe	110
PID 2264 wrote to memory of 2460	2264	dwm.exe	111
PID 2264 wrote to memory of 2460	2264	dwm.exe	111
PID 2264 wrote to memory of 2460	2264	dwm.exe	111
PID 2264 wrote to memory of 1616	2264	dwm.exe	112
PID 2264 wrote to memory of 1616	2264	dwm.exe	112
PID 2264 wrote to memory of 1616	2264	dwm.exe	112
PID 2460 wrote to memory of 2716	2460	WScript.exe	113

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe
"C:\Users\Admin\AppData\Local\Temp\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Program Files\7-Zip\Lang\dwm.exe
  "C:\Program Files\7-Zip\Lang\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ed52d6-19bf-43fc-8b57-0acffe436c6e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files\7-Zip\Lang\dwm.exe
      "C:\Program Files\7-Zip\Lang\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5cb8c6c-aaaa-4285-9652-b226a6268678.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01836339-c4a1-48b8-b40c-174a7498e2cd.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80eb0a3e-2ea3-4cc6-94ee-0821596cb032.vbs"
        9⤵
        
        PID:1292
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8596f5c-0c7a-48ff-9025-0a446378b598.vbs"
        11⤵
        
        PID:336
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f186c8e-0199-4b51-9ce3-ce593d7a5e32.vbs"
        13⤵
        
        PID:2848
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\411d3d84-88b2-4c85-aabf-313a5283d507.vbs"
        15⤵
        
        PID:2352
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a30940d-cc14-4610-8195-28b41650f3e8.vbs"
        17⤵
        
        PID:1936
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f00f2f1-ebc4-4f7a-84d0-880caf92ebfc.vbs"
        19⤵
        
        PID:2584
        
        C:\Program Files\7-Zip\Lang\dwm.exe
        
        "C:\Program Files\7-Zip\Lang\dwm.exe"
        20⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b982ec44-fec8-4bc9-8681-292908c932f2.vbs"
        19⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55e13e3e-88cf-44ac-bee5-71127b2c7ae2.vbs"
        17⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d8e9f2-61f2-4f80-b19e-0585163862a3.vbs"
        15⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3c10e2a-44a8-4536-bf13-d4a3c4022990.vbs"
        13⤵
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ec1006-7be4-4666-b119-bc0224ce1fb2.vbs"
        11⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f6e6e2b-ee76-4995-87c3-3b1397da7e45.vbs"
        9⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35a661a5-83e7-40c6-a2b6-b3b539dce277.vbs"
        7⤵
        
        PID:1616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eef9f90d-1f91-4fd7-b36c-517fbbdb118e.vbs"
        5⤵
        
        PID:2284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b92ab99b-d82d-430c-863c-f2e23025ebee.vbs"
    3⤵
    PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\RemotePackages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abNe" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abNe" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684abN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe

Filesize
4.9MB

MD5
19b923a631a3d16ae022c4faa6085eba

SHA1
d5b3386957ded6e56b43faa9680ed169643077df

SHA256
de1a37f023b71a36e5467033bd077f6bddd2e23f4e691a368f7aea45cc825b2d

SHA512
83250544a192e6c76f66a0877892e47a041c135d146e5219371eabbe92bd383cd28da48553ebfadacc21fbc0677abae7e8be2e5428b356e2cb12fba799b3e0fd

Download Submit
C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe

Filesize
4.9MB

MD5
b3122af5e8a9fb754de586ed15e82010

SHA1
1742944ca846cf6a21912116aea128dc073cd379

SHA256
e9d26b96ddaa6f85d5ecfa6d939460a8651ad655afbca1b26b23d6ec92f684ab

SHA512
35cee29e3cf2c1116a01e24491a572c065c482c2038fbd71676f2a18ce9eb550997ac81c45f8b2411036e615082a634f72175cf48c08e5ebc64b4e7a6a8b5319

Download Submit
C:\Users\Admin\AppData\Local\Temp\01836339-c4a1-48b8-b40c-174a7498e2cd.vbs

Filesize
711B

MD5
34b915e1f952caac54cbbad873703c8d

SHA1
3deae27515057bcad362e3790fbc93b3d55c4693

SHA256
3ce6aa71625d6640f036cd9cd1e980aeb99796339fede6ac15be15e185d6b24d

SHA512
2ee370607f302ffce350478f3ff1d16150c6c97de092e8acb07b13580de370133c098fc3930b89087de4536efa4a66264fdd5f20b6311d7f8fd4eac766cdb80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\01ed52d6-19bf-43fc-8b57-0acffe436c6e.vbs

Filesize
711B

MD5
c6af1d6c75e9a3e4606592283a6921eb

SHA1
48a009a1b2b8a9a74bf3cd47e13a1765bee319f3

SHA256
25e58429297f5c09dfcabe2f9998f72dc1d8bbbb986d994742bc8d4682b505dc

SHA512
080ecd6aafa66b43413a7c5fc8956715f4d36c13d366bb97d06e3a979c44552a98f690d1b30152e6ae59ff47050f050fe2a275e7435a98df9aeed9ae7e993ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f00f2f1-ebc4-4f7a-84d0-880caf92ebfc.vbs

Filesize
711B

MD5
0fa5a6d66087f37ac9e8d3147eb6c3a4

SHA1
04958abe36f0e5a44a9105999e323a397f0e1d8c

SHA256
342b99446c55a4cc718f63f5124733bc9a1ee1cb4608a593b8ecb8598d53145a

SHA512
a9dd4def9634eabf0e5f9053176a84c3304f8d0146233c930397ba8cb37fb6798a3d5e4d77b3542639de6c31026fb133a5dc98043746c3d71c73112cf3e3dad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\411d3d84-88b2-4c85-aabf-313a5283d507.vbs

Filesize
711B

MD5
75b4fd6dddaa48da41e5880a897ff735

SHA1
32eba937bbc60a62b9408801d715a71795cc41a0

SHA256
8e6987b49a8dddccf649024122417c12c55b5b619d30f55c559b11452aecce1c

SHA512
84e48973e7d70f789c034423be19cec97b999cdf474f8a753c2c126ee080aedecdc78da336c39b4e3858fc2caa506a42d7713d38c32188dd625b991ec6c578c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f186c8e-0199-4b51-9ce3-ce593d7a5e32.vbs

Filesize
710B

MD5
3a637a7454a1e00644ce178668dd1697

SHA1
1ca199d5d2d1b6a30c8e5c5b330a793699f19d6c

SHA256
ea52687e417dcc955f1cf921c785fef5538412c2f43d67e4e518b8184096ceee

SHA512
c5091ad2d5b047ae862ef0169d10e5a90dee85446692ff0849603738494ef45eb61c7e521ed8c1d13f1f25bbcec737f5207a3ddb946e0dedc318a33c34d7d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a30940d-cc14-4610-8195-28b41650f3e8.vbs

Filesize
711B

MD5
f6ecfd712dfcf262057a11662c98afa7

SHA1
a1a17277070b598ed98b0f4410b89ef7e5a65372

SHA256
28350a7d5dadf4eeb12dbac8ca10dfd48181062067457e935a8424af4a86609b

SHA512
9a98033b0901f2fef842d84c798981fd8ff365c52e581b2e5521cf8d6b7ac665e783649dda37c6a69b600d4374b327eeeb8087ecbc4f5098dcc7976e591d185f

Download Submit
C:\Users\Admin\AppData\Local\Temp\80eb0a3e-2ea3-4cc6-94ee-0821596cb032.vbs

Filesize
711B

MD5
097ca25667bee27ef95b99de37cf3831

SHA1
639f4fa3fb9d81951159eba7e89363fd3a6dc77e

SHA256
9548ba18bfb055abed53dff818e176dba67545e1fbe9cd786d35cf1b07512aeb

SHA512
0d279ab7cde77b37b2762391f0199edd228962a1a255a5ff7c8121ed08dde42f5a7298a467b67e710843e6e6ca108417ab6a2f468515fd6f2fc05ce05b6f43d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b92ab99b-d82d-430c-863c-f2e23025ebee.vbs

Filesize
487B

MD5
3496f217d3760fa80ba88a596ae0ac3e

SHA1
75d8aa4ab67e557f56c0c64921f3f6ae2f72f926

SHA256
1dd8db23b050f4eac849c04daab903d4156592b8c22c892bf459337d7cbad0ab

SHA512
ca0ce3a11a321c2a6fb8307a66e56629053ca69a4fe84f236b7815d93aeef1a86c79511a4c566e47372957dda24fa0234b7398f08ec954458fda823abca19849

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5cb8c6c-aaaa-4285-9652-b226a6268678.vbs

Filesize
711B

MD5
7e93646b4f96d6058928fa6da3822840

SHA1
bd364009de9f419ccd14971f33c82b228581af87

SHA256
318f4d7abb40283ad53f35d5ab9bf5f48c8c84c73ac2f69f7933fda4bb663958

SHA512
0a67f017b31f9f4e1d90c3a682953458f223821d235779ef2aa2608f68d6d8983a21c6d093cab01861bc6cc9fd1719e394a619e62d5fff8227e323ea440ee5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8596f5c-0c7a-48ff-9025-0a446378b598.vbs

Filesize
711B

MD5
97aed04d278befd9c01e243d3de7afdc

SHA1
86cfea50c34005a7210a9be546a534c9bb68d3ab

SHA256
0d03d589b8ec0bf8dc1ea588c0b805c7d440273d0dd8a6583a1b084cb0363e91

SHA512
7cbc71fbcee9a5ff63417309f15989db6f36e86746fbc33a8af5552336c5c94ac24f223e13a82f78737ec469b7c56958a7c7efd321d4db267401fd7bdaac763f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0FC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f39a20d4e63ecd83340d833c531f5a47

SHA1
8892a836c01b9e8172c44d9e0a9c88587d38c971

SHA256
fbb9b90567f42b6aa7b889abf1b1252e1ce224f72a296070862d61fa635c9c76

SHA512
b6b3525e2ea885d392be74fd49d0edbfe4c7a18fd0bfb4d8e5e274db1737e55469230706be6aa4b0efd6b438f9a77146f07e9265258772d2878bb43e802677e1

Download Submit
C:\Windows\Resources\Ease of Access Themes\winlogon.exe

Filesize
4.9MB

MD5
471df3809bea23ed614cff3b593c1520

SHA1
4b213bf2b03d8f11e1b3b8bd90516d9617bbf18f

SHA256
caf314d04f572ba567a29653228d9c0c0ce16e811aaa202316c3f6c8a8d23bd0

SHA512
863e2abf0703767566fb2e1c8ef6be85dd4defaa33c796a8704d150a0ebfc732899067d3434ebc187dbe544550e9152592e937b274aa6da2bcec6a59aec7bea4

Download Submit
memory/1196-9-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/1196-10-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1196-15-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1196-129-0x000007FEF5613000-0x000007FEF5614000-memory.dmp

Filesize
4KB

Download
memory/1196-14-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/1196-13-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/1196-143-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/1196-12-0x00000000024E0000-0x00000000024EE000-memory.dmp

Filesize
56KB

Download
memory/1196-1-0x00000000009E0000-0x0000000000ED4000-memory.dmp

Filesize
5.0MB

Download
memory/1196-11-0x00000000024D0000-0x00000000024DA000-memory.dmp

Filesize
40KB

Download
memory/1196-195-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/1196-16-0x0000000002520000-0x000000000252C000-memory.dmp

Filesize
48KB

Download
memory/1196-7-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/1196-8-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1196-6-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1196-5-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/1196-0-0x000007FEF5613000-0x000007FEF5614000-memory.dmp

Filesize
4KB

Download
memory/1196-4-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/1196-3-0x000007FEF5610000-0x000007FEF5FFC000-memory.dmp

Filesize
9.9MB

Download
memory/1196-2-0x000000001B400000-0x000000001B52E000-memory.dmp

Filesize
1.2MB

Download
memory/1700-317-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/1744-362-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/2264-257-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2264-256-0x00000000012A0000-0x0000000001794000-memory.dmp

Filesize
5.0MB

Download
memory/2304-288-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/2376-332-0x0000000000D10000-0x0000000001204000-memory.dmp

Filesize
5.0MB

Download
memory/2608-241-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2608-240-0x0000000000AE0000-0x0000000000FD4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-347-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download
memory/2716-273-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2716-272-0x0000000000220000-0x0000000000714000-memory.dmp

Filesize
5.0MB

Download
memory/2876-226-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2876-172-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/2996-183-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2996-184-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download