dcrat | 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Size

4.9MB
MD5

4331bb6448c6da37580f2ac382b45750
SHA1

4516ce7712311a62a03c332aec5d0dec7513efc3
SHA256

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de
SHA512

9ee79af2228dacf6294a06a069f3ef4addd897bfcd930d7c78a51062dec60ef611edcb3332f3d8181188b029dbc2635e1e35a8a2f6b8c88cb348f967da8a1b9a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2656	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2656	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exeservices.exe9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2208-2-0x000000001B130000-0x000000001B25E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1916	powershell.exe
2020	powershell.exe
2264	powershell.exe
1604	powershell.exe
2700	powershell.exe
1080	powershell.exe
2520	powershell.exe
1676	powershell.exe
2596	powershell.exe
1716	powershell.exe
2400	powershell.exe
540	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	Process
2464	services.exe
692	services.exe
3008	services.exe
108	services.exe
812	services.exe
2996	services.exe
2836	services.exe
952	services.exe
664	services.exe
2944	services.exe
2884	services.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 24 IoCs

Processes:

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\f3b6ecef712a24	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXB27E.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Common Files\System\RCXB4A1.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\0a1fd5f707cd16	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Java\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXB6B4.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Java\6ccacd8608530f	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Windows Defender\ja-JP\886983d96e3d3e	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Windows Mail\en-US\24dbde2999530e	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9428.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Java\RCXA6A6.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Common Files\System\6ccacd8608530f	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXAB4A.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Common Files\System\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Java\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Windows Defender\ja-JP\csrss.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Program Files\Common Files\System\Idle.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

Drops file in Windows directory 8 IoCs

Processes:

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXA203.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\TAPI\RCXADDA.tmp	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File opened for modification	C:\Windows\TAPI\OSPPSVC.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\TAPI\OSPPSVC.exe	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
File created	C:\Windows\TAPI\1610b97d3ab4a7	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2924	schtasks.exe
2248	schtasks.exe
2604	schtasks.exe
2684	schtasks.exe
2644	schtasks.exe
2532	schtasks.exe
1492	schtasks.exe
372	schtasks.exe
2488	schtasks.exe
2632	schtasks.exe
296	schtasks.exe
2316	schtasks.exe
2412	schtasks.exe
108	schtasks.exe
2144	schtasks.exe
936	schtasks.exe
2984	schtasks.exe
2792	schtasks.exe
2752	schtasks.exe
1800	schtasks.exe
428	schtasks.exe
2156	schtasks.exe
2476	schtasks.exe
2288	schtasks.exe
1932	schtasks.exe
1384	schtasks.exe
2504	schtasks.exe
1596	schtasks.exe
2392	schtasks.exe
1288	schtasks.exe
1676	schtasks.exe
1520	schtasks.exe
1008	schtasks.exe
2416	schtasks.exe
2312	schtasks.exe
692	schtasks.exe
1772	schtasks.exe
2672	schtasks.exe
1668	schtasks.exe
1900	schtasks.exe
1888	schtasks.exe
2980	schtasks.exe
2892	schtasks.exe
2268	schtasks.exe
1664	schtasks.exe
2700	schtasks.exe
2176	schtasks.exe
680	schtasks.exe
2716	schtasks.exe
1468	schtasks.exe
1680	schtasks.exe
2824	schtasks.exe
2948	schtasks.exe
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	Process
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
2264	powershell.exe
1604	powershell.exe
2520	powershell.exe
2020	powershell.exe
1916	powershell.exe
2596	powershell.exe
2700	powershell.exe
1080	powershell.exe
1676	powershell.exe
2400	powershell.exe
1716	powershell.exe
540	powershell.exe
2464	services.exe
692	services.exe
3008	services.exe
108	services.exe
812	services.exe
2996	services.exe
2836	services.exe
952	services.exe
664	services.exe
2944	services.exe
2884	services.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2464	services.exe
Token: SeDebugPrivilege	692	services.exe
Token: SeDebugPrivilege	3008	services.exe
Token: SeDebugPrivilege	108	services.exe
Token: SeDebugPrivilege	812	services.exe
Token: SeDebugPrivilege	2996	services.exe
Token: SeDebugPrivilege	2836	services.exe
Token: SeDebugPrivilege	952	services.exe
Token: SeDebugPrivilege	664	services.exe
Token: SeDebugPrivilege	2944	services.exe
Token: SeDebugPrivilege	2884	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exeservices.exeWScript.exeservices.exeWScript.exeservices.exeWScript.exe

description	pid	Process	procid_target
PID 2208 wrote to memory of 2400	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	85
PID 2208 wrote to memory of 2400	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	85
PID 2208 wrote to memory of 2400	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	85
PID 2208 wrote to memory of 2700	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	86
PID 2208 wrote to memory of 2700	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	86
PID 2208 wrote to memory of 2700	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	86
PID 2208 wrote to memory of 540	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2208 wrote to memory of 540	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2208 wrote to memory of 540	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	87
PID 2208 wrote to memory of 1080	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2208 wrote to memory of 1080	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2208 wrote to memory of 1080	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	88
PID 2208 wrote to memory of 1916	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2208 wrote to memory of 1916	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2208 wrote to memory of 1916	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	89
PID 2208 wrote to memory of 2520	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2208 wrote to memory of 2520	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2208 wrote to memory of 2520	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	90
PID 2208 wrote to memory of 2020	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2208 wrote to memory of 2020	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2208 wrote to memory of 2020	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	91
PID 2208 wrote to memory of 1604	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2208 wrote to memory of 1604	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2208 wrote to memory of 1604	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	92
PID 2208 wrote to memory of 1716	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2208 wrote to memory of 1716	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2208 wrote to memory of 1716	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	93
PID 2208 wrote to memory of 2596	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	94
PID 2208 wrote to memory of 2596	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	94
PID 2208 wrote to memory of 2596	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	94
PID 2208 wrote to memory of 1676	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	95
PID 2208 wrote to memory of 1676	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	95
PID 2208 wrote to memory of 1676	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	95
PID 2208 wrote to memory of 2264	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	97
PID 2208 wrote to memory of 2264	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	97
PID 2208 wrote to memory of 2264	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	97
PID 2208 wrote to memory of 2464	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	109
PID 2208 wrote to memory of 2464	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	109
PID 2208 wrote to memory of 2464	2208	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe	109
PID 2464 wrote to memory of 1316	2464	services.exe	110
PID 2464 wrote to memory of 1316	2464	services.exe	110
PID 2464 wrote to memory of 1316	2464	services.exe	110
PID 2464 wrote to memory of 852	2464	services.exe	111
PID 2464 wrote to memory of 852	2464	services.exe	111
PID 2464 wrote to memory of 852	2464	services.exe	111
PID 1316 wrote to memory of 692	1316	WScript.exe	112
PID 1316 wrote to memory of 692	1316	WScript.exe	112
PID 1316 wrote to memory of 692	1316	WScript.exe	112
PID 692 wrote to memory of 1032	692	services.exe	113
PID 692 wrote to memory of 1032	692	services.exe	113
PID 692 wrote to memory of 1032	692	services.exe	113
PID 692 wrote to memory of 2804	692	services.exe	114
PID 692 wrote to memory of 2804	692	services.exe	114
PID 692 wrote to memory of 2804	692	services.exe	114
PID 1032 wrote to memory of 3008	1032	WScript.exe	115
PID 1032 wrote to memory of 3008	1032	WScript.exe	115
PID 1032 wrote to memory of 3008	1032	WScript.exe	115
PID 3008 wrote to memory of 1656	3008	services.exe	116
PID 3008 wrote to memory of 1656	3008	services.exe	116
PID 3008 wrote to memory of 1656	3008	services.exe	116
PID 3008 wrote to memory of 540	3008	services.exe	117
PID 3008 wrote to memory of 540	3008	services.exe	117
PID 3008 wrote to memory of 540	3008	services.exe	117
PID 1656 wrote to memory of 108	1656	WScript.exe	118

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

services.exeservices.exeservices.exe9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
"C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Users\Public\services.exe
  "C:\Users\Public\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf7b4256-af1d-4ba3-88af-b95ea2dda911.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Users\Public\services.exe
      C:\Users\Public\services.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0e5f2d-8882-4481-bdf9-2ca4576a6f0b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf5193f-bb29-483b-8677-d06a13b155a4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c41b3f96-2f3f-4b35-a4ec-e6e94bec3163.vbs"
        9⤵
        
        PID:1688
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7328739e-7e43-4043-b9d2-fe8cfe9ac07a.vbs"
        11⤵
        
        PID:1904
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55981472-0a26-48ff-8852-c41b508c5902.vbs"
        13⤵
        
        PID:2660
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f697392f-44bd-4d7d-b95b-809b98b9357b.vbs"
        15⤵
        
        PID:1628
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ba6fda0-2124-4f4b-af41-f600537039ac.vbs"
        17⤵
        
        PID:2916
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c6bd172-818b-4320-b713-3763c4607fc2.vbs"
        19⤵
        
        PID:1036
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ffcb3ba-6b55-4a73-b997-45350c7ca36e.vbs"
        21⤵
        
        PID:2404
        
        C:\Users\Public\services.exe
        
        C:\Users\Public\services.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7e63b5b-851a-4d92-995d-fda1ba55a90d.vbs"
        23⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27fca9c6-9802-4dba-88c2-c1db10b095a3.vbs"
        23⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a2ee1b-4603-41e6-8dcb-fa6b32984c96.vbs"
        21⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aa3ead8-90d1-4b55-8048-35ef1d84d90d.vbs"
        19⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0086f2ad-c54d-4497-9b75-2b2576d7bc44.vbs"
        17⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\913ab137-3f86-45cc-9774-bc1b4335ba84.vbs"
        15⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f2560ad-2500-4109-b9f7-b550e82e7b9b.vbs"
        13⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\432a7163-8313-41f6-bcb5-10af61a37e32.vbs"
        11⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c871e0-a23a-4a8e-8ed4-bcd6c05f3585.vbs"
        9⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b692320-c1ed-490c-b125-e58aa00d18a8.vbs"
        7⤵
        
        PID:540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c76ae6f-ea14-4899-8077-c64ba63ca569.vbs"
        5⤵
        
        PID:2804
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7a94741-c273-4c90-bb7a-82fa886498b8.vbs"
    3⤵
    PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN9" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN" /sc ONLOGON /tr "'C:\Users\Default\Templates\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN9" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\TAPI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN9" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN9" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\WmiPrvSE.exe

Filesize
4.9MB

MD5
4331bb6448c6da37580f2ac382b45750

SHA1
4516ce7712311a62a03c332aec5d0dec7513efc3

SHA256
9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de

SHA512
9ee79af2228dacf6294a06a069f3ef4addd897bfcd930d7c78a51062dec60ef611edcb3332f3d8181188b029dbc2635e1e35a8a2f6b8c88cb348f967da8a1b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ba6fda0-2124-4f4b-af41-f600537039ac.vbs

Filesize
703B

MD5
b563575d222d0e9a825d8a27411bfcb0

SHA1
899271fddeb46ab426fc9df1a54dcf5c60cb6db8

SHA256
c25e09d7ec3f634c994d3f556e0383baee6fd1a1690dd28d1f38c9367f9f6c1e

SHA512
90f1d2cc4a660f8cec36d480bde9d55579f8d9aed1b4123dac6949f7309bccbcb40d07d4c88c53ef8063133cc348246ad15c560ae9b1246fde233f0d4b9b2e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ffcb3ba-6b55-4a73-b997-45350c7ca36e.vbs

Filesize
704B

MD5
0d3e252c638cb69db03b8ad142c0049b

SHA1
96842daf13e8873e490a5a352dbe71b84524cb8a

SHA256
cb4c18546f9cda655dd2e89a1aadd0dcfe405b8b9cd0f5363668ef1c2dc2677f

SHA512
75027117b50e5e4a8233a49236e24b1426779de79be25623d397a9cd00d2cd5b07f72795c725ac046cc06e125f7b4726b7f172ebfe750273f096796da79598fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\55981472-0a26-48ff-8852-c41b508c5902.vbs

Filesize
704B

MD5
44bd4dd7f95f0c8ddea084b5777dca62

SHA1
ce6a8541004d631b96319db70c316cba4ec98c50

SHA256
631361b27618b10517e281d13e72195a7e1994fe03e53e35a234fa8b0c50ef8b

SHA512
2dda4666cd51f7b859592bc47da8008f3d486542dfeb05f2a2f29bfa694bc11172c12c10f3d567eaf94a116e622708553e1803c703a73f2c9600824226147380

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c6bd172-818b-4320-b713-3763c4607fc2.vbs

Filesize
703B

MD5
8dbbaaabb0ee4834bc7d8b0d2b607205

SHA1
e1ba4347e4a2820d4b7bbe401f2995ee05aeb130

SHA256
e2b57ffd5ea84e057293478914d9f2c7685bb846ebabe24572e0d2d08313b466

SHA512
2ab043b393dc8f05e1f6979f776a2877c32579f73fc0d2443b065eb58fd1376256a09fb5c41ad0a4d002ec41fca65e4e6fa56dc447ae9223fc1e5bd79c877fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7328739e-7e43-4043-b9d2-fe8cfe9ac07a.vbs

Filesize
703B

MD5
dee9b4bf230b03159a0c4be1f075dd84

SHA1
2949ce8993b7566492c23179099cbd8e4c34d8b7

SHA256
c49ae56ce6bee47dbf8da4f7b558b81655d3cc47ea5901a5369f5605dfc9fafa

SHA512
896d7e2ccee442f5a50028c43c5c9bc5474b65195dc242652ee19a2cdce448d9de3f82be635541696bca8801e68e3ff40ca3726d6b1ddcc70d4e9c30fa44f2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a0e5f2d-8882-4481-bdf9-2ca4576a6f0b.vbs

Filesize
703B

MD5
62d83a7cd0033c7bd20db452a09ea889

SHA1
f7384af009d0beb17da55a2da9f039e8b9e7a15d

SHA256
3a2cc0d1f3af750328629f43597abdf19bca008c72792cbf3c275194646d0092

SHA512
eff45c7cc68e275ffa59a8bf8f7cc6004ec0686f5fdf97ce34c1222333cfcedf51869b3fe993fa65af4b424814699a3dc0e0a8540776234c6907653023637007

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7e63b5b-851a-4d92-995d-fda1ba55a90d.vbs

Filesize
704B

MD5
5379a53e95bf3cbf892deedf05852366

SHA1
77483698974ca295f0b7f2db37610ef2eaf32f05

SHA256
acef7ca9e33fd82e05afc3a7d8602171a187be86158bc00e508c046ad5b407aa

SHA512
ddc7a11bb4388f06ad3fef817fc71f1e68d2247a8877a5adc28a99d89e6bf9b3a089926151cee60de65ac111d608961c37e685e9e1bda6694bff606d2f54e4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcf5193f-bb29-483b-8677-d06a13b155a4.vbs

Filesize
704B

MD5
959ab2454e9ad6aafbbc85c19d041d14

SHA1
cfdd106858d9c018ca930c300743972614e89c8f

SHA256
074d72b8188798a73df530631f792ae20a587d18bf8daf5daf1bcdd4a49860d9

SHA512
6a7c339da07a5765ffd15bc79d5a5e9e48514832a7001cae7d8a97c2548eeba5ad7ea6e0e4d2caabfc094c6c272e3833e55f8f4a7293c4f59d77506c64685d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf7b4256-af1d-4ba3-88af-b95ea2dda911.vbs

Filesize
704B

MD5
12811bce745f4cfd1c4914ea4e9b6cef

SHA1
75586d42d8cf1008e37f2ab9088c57514126097b

SHA256
e30ebd354fb4d33159df212ad8ec2e5e3c62f22aeaad8b1fe846f973ec9d17d8

SHA512
acc014b803baaa84f27ae9536082c36dd554785d6398edb22514bb7653dbe7e285e7f79b22276e906efcb82465a44fb3cd9296a22aefc224b00524ac78470940

Download Submit
C:\Users\Admin\AppData\Local\Temp\c41b3f96-2f3f-4b35-a4ec-e6e94bec3163.vbs

Filesize
703B

MD5
d9791ea099eb1ec25d25137c34bf44be

SHA1
d8c69298690aa53ad0f1809040f6e723ac25a159

SHA256
542e006f894d28857e3dee75eac14d70b2efb412eb0a21e6957fbfdb5b465476

SHA512
d0adf4aecd3a2aedb3cbb903dcc715d753019bd3996dc7edb76c9d476aa8fa90afc52a8a2335ce63c3ee3f4faf5186c9c0ac0b1160c72657f59cefcccd73ccd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7a94741-c273-4c90-bb7a-82fa886498b8.vbs

Filesize
480B

MD5
8f0e47339c767f4834e39a10a661800a

SHA1
0a06dde15361fb53a4b8e120fddbf4f71af75fbd

SHA256
713d7c08f9d0344da1d02861fd1c1623d07aece28bb43a6dcd262b44e13fea6d

SHA512
5cd02311842dc2bf7665bbfba46392a87dd801c4f2035c41313be87293a620a947f4f342f56982de7657ed47c44eb8eaa03cc429f7d2aebff0ea5f39e0ff6f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\f697392f-44bd-4d7d-b95b-809b98b9357b.vbs

Filesize
704B

MD5
e9fd897133104522c42df5e23ab99ae5

SHA1
6489a5d17e21e013f6c4e208b09f68703918e8b0

SHA256
f2f5ef7829d30a6662c92e5f36d3de057775f80010e4d89b7e92f1e310cecbeb

SHA512
8cdc58c51b16ffecf489a0fdcc2324dd61e8483344a80589f3e61a7edccfd763f8c3068d2e61335840215690e4f229575d0d56d011aea8484a1bdd257566cec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEB4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70725f02ff79db993e4168376e25a0d1

SHA1
b6a8f4134fc21c889147d45e456797e6aec61c84

SHA256
b313221095ad09b4fc036b685f7e22bfb68084956d8f2f83c4a08d4daa2bce7e

SHA512
a817a095ce3e256ac6ef565833ed4290fb29cb2ea9947db8dc789d8afb519fd3e74c13e0315a2ff97e7f17cde5f619bc02992a7a619de2fb4a81733134bed489

Download Submit
C:\Windows\TAPI\OSPPSVC.exe

Filesize
4.9MB

MD5
85693df1b8801b94eaf1e894a1733f7f

SHA1
477e7b24b895043fc9983f395b7472a9e1774bdb

SHA256
95d801713fe42f2653c79ea38db5cd727ecf50d7b4c4a30215b36ea888c4eb03

SHA512
19d18e645f4042af2ab20cd2f4fdbdb7a84172fa6343a8b31cfc89cd86522e540fa08d45e55b9cd429d39b06db94b6c44321714cdd274ef84e0721dda02bfec4

Download Submit
memory/108-292-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/664-368-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/692-262-0x0000000001040000-0x0000000001534000-memory.dmp

Filesize
5.0MB

Download
memory/812-307-0x00000000001E0000-0x00000000006D4000-memory.dmp

Filesize
5.0MB

Download
memory/812-308-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/952-353-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/1604-207-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2208-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2208-10-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2208-248-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-1-0x00000000010C0000-0x00000000015B4000-memory.dmp

Filesize
5.0MB

Download
memory/2208-113-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-100-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2208-14-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2208-16-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2208-2-0x000000001B130000-0x000000001B25E000-memory.dmp

Filesize
1.2MB

Download
memory/2208-15-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/2208-13-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2208-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2208-3-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-9-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/2208-4-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2208-7-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2208-5-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2208-8-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2208-6-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2264-208-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2464-186-0x0000000000960000-0x0000000000E54000-memory.dmp

Filesize
5.0MB

Download
memory/2836-338-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2884-397-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2996-323-0x0000000001030000-0x0000000001524000-memory.dmp

Filesize
5.0MB

Download
memory/3008-277-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download