dcrat | cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Size

4.9MB
MD5

643e28154ca147ff6fc14012107dd0c0
SHA1

8ed3ed51217c70a1e519f9aace5fb2884b1a1c75
SHA256

cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4
SHA512

70e218b3ddc9d92f83a68bf7cfe22737d7cbe0336926a27d72f702fe530c8dcf267f18055525cbd4d8953f7de093ca24a9d6dd6fb9838ad9094434d8e52bf508
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2580	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2668-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
1032	powershell.exe
2116	powershell.exe
1928	powershell.exe
2500	powershell.exe
1116	powershell.exe
1224	powershell.exe
1804	powershell.exe
2860	powershell.exe
996	powershell.exe
2176	powershell.exe
820	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2876	sppsvc.exe
2484	sppsvc.exe
2292	sppsvc.exe
2224	sppsvc.exe
1036	sppsvc.exe
2768	sppsvc.exe
2540	sppsvc.exe
2620	sppsvc.exe
2508	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\6203df4a6bafc7	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX4639.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\1610b97d3ab4a7	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files\Google\Chrome\Application\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX4F32.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX53B7.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX5CA0.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files\Windows Defender\de-DE\24dbde2999530e	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Windows Sidebar\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Windows Sidebar\6203df4a6bafc7	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\6cb0b6c459d5d3	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX5628.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files\Windows Defender\de-DE\WmiPrvSE.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX483D.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\WmiPrvSE.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\6203df4a6bafc7	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Windows\es-ES\wininit.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Windows\es-ES\56085415360792	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Windows\TAPI\RCX4CC1.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Windows\TAPI\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Windows\es-ES\RCX5899.tmp	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File opened for modification	C:\Windows\es-ES\wininit.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
File created	C:\Windows\TAPI\lsass.exe	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
1052	schtasks.exe
2728	schtasks.exe
2176	schtasks.exe
2628	schtasks.exe
2324	schtasks.exe
708	schtasks.exe
2380	schtasks.exe
2244	schtasks.exe
2452	schtasks.exe
2440	schtasks.exe
1548	schtasks.exe
2212	schtasks.exe
1848	schtasks.exe
1936	schtasks.exe
2624	schtasks.exe
1408	schtasks.exe
3004	schtasks.exe
884	schtasks.exe
1532	schtasks.exe
1980	schtasks.exe
1868	schtasks.exe
1856	schtasks.exe
1880	schtasks.exe
2020	schtasks.exe
2376	schtasks.exe
1260	schtasks.exe
944	schtasks.exe
2016	schtasks.exe
3032	schtasks.exe
1676	schtasks.exe
2620	schtasks.exe
2288	schtasks.exe
2484	schtasks.exe
1184	schtasks.exe
2312	schtasks.exe
2868	schtasks.exe
2268	schtasks.exe
540	schtasks.exe
1372	schtasks.exe
2960	schtasks.exe
2972	schtasks.exe
2572	schtasks.exe
2500	schtasks.exe
972	schtasks.exe
2900	schtasks.exe
2448	schtasks.exe
1428	schtasks.exe
1864	schtasks.exe
2956	schtasks.exe
492	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2876	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
1804	powershell.exe
1224	powershell.exe
1116	powershell.exe
1928	powershell.exe
2176	powershell.exe
820	powershell.exe
1032	powershell.exe
2500	powershell.exe
996	powershell.exe
2860	powershell.exe
2116	powershell.exe
1636	powershell.exe
2876	sppsvc.exe
2484	sppsvc.exe
2292	sppsvc.exe
2224	sppsvc.exe
1036	sppsvc.exe
2768	sppsvc.exe
2540	sppsvc.exe
2620	sppsvc.exe
2508	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2876	sppsvc.exe
Token: SeDebugPrivilege	2484	sppsvc.exe
Token: SeDebugPrivilege	2292	sppsvc.exe
Token: SeDebugPrivilege	2224	sppsvc.exe
Token: SeDebugPrivilege	1036	sppsvc.exe
Token: SeDebugPrivilege	2768	sppsvc.exe
Token: SeDebugPrivilege	2540	sppsvc.exe
Token: SeDebugPrivilege	2620	sppsvc.exe
Token: SeDebugPrivilege	2508	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1224	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	84
PID 2668 wrote to memory of 1224	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	84
PID 2668 wrote to memory of 1224	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	84
PID 2668 wrote to memory of 1804	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	85
PID 2668 wrote to memory of 1804	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	85
PID 2668 wrote to memory of 1804	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	85
PID 2668 wrote to memory of 820	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	86
PID 2668 wrote to memory of 820	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	86
PID 2668 wrote to memory of 820	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	86
PID 2668 wrote to memory of 2176	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	88
PID 2668 wrote to memory of 2176	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	88
PID 2668 wrote to memory of 2176	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	88
PID 2668 wrote to memory of 1636	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	89
PID 2668 wrote to memory of 1636	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	89
PID 2668 wrote to memory of 1636	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	89
PID 2668 wrote to memory of 1032	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	90
PID 2668 wrote to memory of 1032	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	90
PID 2668 wrote to memory of 1032	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	90
PID 2668 wrote to memory of 2116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	91
PID 2668 wrote to memory of 2116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	91
PID 2668 wrote to memory of 2116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	91
PID 2668 wrote to memory of 1928	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	92
PID 2668 wrote to memory of 1928	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	92
PID 2668 wrote to memory of 1928	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	92
PID 2668 wrote to memory of 2500	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	93
PID 2668 wrote to memory of 2500	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	93
PID 2668 wrote to memory of 2500	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	93
PID 2668 wrote to memory of 996	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	94
PID 2668 wrote to memory of 996	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	94
PID 2668 wrote to memory of 996	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	94
PID 2668 wrote to memory of 1116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	95
PID 2668 wrote to memory of 1116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	95
PID 2668 wrote to memory of 1116	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	95
PID 2668 wrote to memory of 2860	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	96
PID 2668 wrote to memory of 2860	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	96
PID 2668 wrote to memory of 2860	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	96
PID 2668 wrote to memory of 2068	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	108
PID 2668 wrote to memory of 2068	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	108
PID 2668 wrote to memory of 2068	2668	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe	108
PID 2068 wrote to memory of 1036	2068	cmd.exe	110
PID 2068 wrote to memory of 1036	2068	cmd.exe	110
PID 2068 wrote to memory of 1036	2068	cmd.exe	110
PID 2068 wrote to memory of 2876	2068	cmd.exe	111
PID 2068 wrote to memory of 2876	2068	cmd.exe	111
PID 2068 wrote to memory of 2876	2068	cmd.exe	111
PID 2068 wrote to memory of 2876	2068	cmd.exe	111
PID 2068 wrote to memory of 2876	2068	cmd.exe	111
PID 2876 wrote to memory of 1408	2876	sppsvc.exe	112
PID 2876 wrote to memory of 1408	2876	sppsvc.exe	112
PID 2876 wrote to memory of 1408	2876	sppsvc.exe	112
PID 2876 wrote to memory of 2544	2876	sppsvc.exe	113
PID 2876 wrote to memory of 2544	2876	sppsvc.exe	113
PID 2876 wrote to memory of 2544	2876	sppsvc.exe	113
PID 1408 wrote to memory of 2484	1408	WScript.exe	114
PID 1408 wrote to memory of 2484	1408	WScript.exe	114
PID 1408 wrote to memory of 2484	1408	WScript.exe	114
PID 1408 wrote to memory of 2484	1408	WScript.exe	114
PID 1408 wrote to memory of 2484	1408	WScript.exe	114
PID 2484 wrote to memory of 2228	2484	sppsvc.exe	115
PID 2484 wrote to memory of 2228	2484	sppsvc.exe	115
PID 2484 wrote to memory of 2228	2484	sppsvc.exe	115
PID 2484 wrote to memory of 2676	2484	sppsvc.exe	116
PID 2484 wrote to memory of 2676	2484	sppsvc.exe	116
PID 2484 wrote to memory of 2676	2484	sppsvc.exe	116

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe
"C:\Users\Admin\AppData\Local\Temp\cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n0SniZDXo0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1036
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52af770c-5ca5-4ef0-b8d8-520882b884c4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2484
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\decd77c7-1dc6-4b05-b4fd-f20c0cc4f164.vbs"
        6⤵
        
        PID:2228
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc47ee7c-562d-4c99-ab82-9aafb07a75bf.vbs"
        8⤵
        
        PID:1244
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5f0293-9d8c-42a6-bad8-9c596ff60cd9.vbs"
        10⤵
        
        PID:1316
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4361a1c7-e194-4bec-9795-5df4e8476ed3.vbs"
        12⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0dc94b6-8d71-429b-8095-46fb23c46efd.vbs"
        14⤵
        
        PID:2084
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0ae4d26-64f6-42fb-bcc0-7ab4401c7e99.vbs"
        16⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64db96f0-6c99-4ece-bc6c-82d794474fc5.vbs"
        18⤵
        
        PID:2324
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63196373-4d4c-41d0-8a83-7ab981c37a02.vbs"
        18⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dc5db65-52b3-4199-bd89-30977a54f239.vbs"
        16⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bdbf957-28fd-44f2-a178-9d0536c20a7f.vbs"
        14⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1524e9d6-3feb-45dd-aac0-3ff96300b7a0.vbs"
        12⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9101d14-c5a5-4c8c-b1a3-02c74cb0ed3a.vbs"
        10⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c263e59b-4638-4038-a0f2-73b53ce5b5fe.vbs"
        8⤵
        
        PID:2720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eeb65e8-7ae4-4e5f-a33f-2abd937e71a0.vbs"
        6⤵
        
        PID:2676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\736ee74a-21e5-498e-b545-8d5fd4d1e5ad.vbs"
      4⤵
      PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe

Filesize
4.9MB

MD5
643e28154ca147ff6fc14012107dd0c0

SHA1
8ed3ed51217c70a1e519f9aace5fb2884b1a1c75

SHA256
cbc0b7cde904d6a4e2a3dbc717312b90b09aa1e2895774e28ff4076f964b7ba4

SHA512
70e218b3ddc9d92f83a68bf7cfe22737d7cbe0336926a27d72f702fe530c8dcf267f18055525cbd4d8953f7de093ca24a9d6dd6fb9838ad9094434d8e52bf508

Download Submit
C:\Program Files\Windows Defender\de-DE\RCX4F32.tmp

Filesize
4.9MB

MD5
b10223d1c50c33ff60c11cb986b0418a

SHA1
877cbeb2ff6c9ed1317841e4072e093827028fe9

SHA256
1275de32b53a6ad06e0691708f8763377f61e6560a6319d7745009ebfec2b147

SHA512
df2134fd7f73eca0c0dc4862c112cca9eef32a3f453b82b202c7266a643a6ac46aac2fe841c79505d086ecd3a2ac27593406c55e015bf2b0ae7f3e08eea7e68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f5f0293-9d8c-42a6-bad8-9c596ff60cd9.vbs

Filesize
749B

MD5
7420d8ffffbb702951557c449b95f550

SHA1
6dedc96eddfd416b387311645dc54fce4bf852d5

SHA256
4a7bfaf9716e893a1b33b0283c256071e89368efefe8ed010077de000a52207c

SHA512
337df42f6c7b833b9585b563af39b90c9112f60909aa5e3677244d781a8630c68847c02c689edbab37399dc9b83497a95b8a4e967f9d2d4af477bc2133b05fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4361a1c7-e194-4bec-9795-5df4e8476ed3.vbs

Filesize
749B

MD5
004bf06fd9842f97e5fb25acf5e591ef

SHA1
8ccd65202ef7780a3da2d5e785b1a0deb570f398

SHA256
3cf7b6cc71e3cc520d23a61fc2486645de6485c02285d4ce900f92b6a9d89ade

SHA512
77a1c465d34bb20f9287081bab042021b9b488de072a9c97f13402b181b521ad4829ec9d7c8dbf0c0d9b26e0fa6ca47b0953cc183bf09e66f5292fe54b9a6e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\52af770c-5ca5-4ef0-b8d8-520882b884c4.vbs

Filesize
749B

MD5
872aa76ddea4c44ee5c24aa057d15751

SHA1
30c91fbf204f28e5263bcbb95d281849e3bed11b

SHA256
da31a83c5f4c2bbf80312d7c9db316d9c8b91e207e99c47b9710d63a2d91a61e

SHA512
f5dd3766ebe517d4f846ca4c16106e47a91d49b29f6c6a41b27c6922cefbebc697e1538cd4c990b518908f38fdf46d389207fd89236f8421a2b62487a6084955

Download Submit
C:\Users\Admin\AppData\Local\Temp\64db96f0-6c99-4ece-bc6c-82d794474fc5.vbs

Filesize
749B

MD5
80fc16eeff3f4731951760471cca85b3

SHA1
c83fe428670d0d976e8a1afbddfd0cae2aa6f079

SHA256
b30980c43c143e140d348e60197bd97180b723ecebc5af829b1d0d6ab10c9872

SHA512
7899ff412af924c4a9fc5aba197bcc9297c0e8e67004538aff7aa820b3bf17810a3f66e84c4e9868d158c630babedf3d155e502487fb263c5a2a3b212dd1e756

Download Submit
C:\Users\Admin\AppData\Local\Temp\736ee74a-21e5-498e-b545-8d5fd4d1e5ad.vbs

Filesize
525B

MD5
d40b79e4dabd6b791b1733300b8cb6a4

SHA1
080c09174010b547a2b568bbdd981e98d63b801b

SHA256
2113906d6b0fe2f011a618328412483cdd7de0e4a74dc057b050cf02b6532834

SHA512
eae8c62f60da277bb069f253b0049b13a7cd9842e7aec4608ef56ea986671a44d4c48e59743b5429ac5df7f5f36c456c84049c276211bd1a70f2cb4278c073ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0dc94b6-8d71-429b-8095-46fb23c46efd.vbs

Filesize
749B

MD5
3c61ee2f61527ed7e71519f8ae70891a

SHA1
3ac1cb2a2d1f659c8f88a3c4e67e9f9c5f374e67

SHA256
23cd3ca1038df1356baeff15b6437113519105ce5d95bab75ae3c402f4179cd4

SHA512
85b5915913c251dbb603a338207b1ea2deea1d42cc3ef79a2c5b7ee4e4b5b490f927d5489824604b38fdbadfaa3460de5b76323760c4f3331870715239d00756

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc47ee7c-562d-4c99-ab82-9aafb07a75bf.vbs

Filesize
749B

MD5
84ba5c96e28064a830d453d7005245f8

SHA1
a04ce60e9d2e3756692a82341c0558338771e2f8

SHA256
1a85a277f017bfd120112b28cba07bdc09d421999ea2d5213f601e953de738ac

SHA512
1e42580fee90a7ab3dae914d00e630be4284b0bac42e71109e8eb00f328885a5ac2eebf0f1aec7cddc73a8db9d843837f1aa1f5834b276fc32d0bd33b35d332d

Download Submit
C:\Users\Admin\AppData\Local\Temp\decd77c7-1dc6-4b05-b4fd-f20c0cc4f164.vbs

Filesize
749B

MD5
873bba157874c45560b560ea1b670ca6

SHA1
7030c5b6f09afc38cf03078c4a4dfa3ef69efc93

SHA256
bf033c0345772d24c33a238df399cc657a38be47f6ac1a6bf7af47063e9a93ff

SHA512
2d0497ff00b52e3124df6c17ff0d6edcdac8e3de3a0a65605bf73317b4e8002a66c2c7f4d4a80047091d1de4faa0c3c5306020a1b092f788980f0f788cd0abfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0ae4d26-64f6-42fb-bcc0-7ab4401c7e99.vbs

Filesize
749B

MD5
9b7f78d0e94bab09ea71b6d965be7b2a

SHA1
4f8614c533648d6d4d8104ffbcafc68ededdeb9c

SHA256
c2474b7287bce04677af87aa8d92ae648552f2a3634ef65360ad5ced122125e5

SHA512
14af7c259fa54e1256db21b40261c976a8f27523bf0c10de1db3adc2be8ca4e3b29948bbbd2beee8638d9ba1b9d038404fde5723514468d25d21c23ca42df6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0SniZDXo0.bat

Filesize
238B

MD5
195a6ebd6df47f6cc18cf1dba5a871f8

SHA1
2528116a9259606f04aea2d72c5aa91ebfe14b76

SHA256
9609d003b60febcaacf48647c3480e35028078eda7eec959d204e68099b58c1d

SHA512
2318e76c8797692e3998f23bde7fc9bf738231c6ec62849535a077d79359be33bb6968894433f119c704e6cdeffa3ab9c42d898405f9889d2e5a42123b36fc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A55.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
deaf61b60880a26e03a446de0aa0e7de

SHA1
b44b7d2128e34a181f1fbb129b826d93e26be6de

SHA256
4f3bc51ffb95891bd5d0bab1bfb475e3e8c0bb2b34e0037e537a6d49a999db44

SHA512
fee4ce10312b68d00c77eec4ebc8d085d92283853732987429e1e79b93be0e9f7e769ea31a896e5b55129fc912c1932f57e05540e089d0ee586b6ba86336eb07

Download Submit
memory/1036-299-0x0000000000830000-0x0000000000D24000-memory.dmp

Filesize
5.0MB

Download
memory/1804-186-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1804-184-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2224-284-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/2484-255-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/2540-330-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/2540-329-0x0000000000D90000-0x0000000001284000-memory.dmp

Filesize
5.0MB

Download
memory/2620-345-0x0000000001210000-0x0000000001704000-memory.dmp

Filesize
5.0MB

Download
memory/2668-212-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-0-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2668-14-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2668-12-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2668-1-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/2668-11-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2668-10-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2668-9-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2668-15-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2668-7-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/2668-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2668-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2668-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2668-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2668-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2668-141-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

Filesize
4KB

Download
memory/2668-3-0x000000001B5B0000-0x000000001B6DE000-memory.dmp

Filesize
1.2MB

Download
memory/2668-16-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2668-156-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-2-0x000007FEF63D0000-0x000007FEF6DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2768-314-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/2876-241-0x0000000001130000-0x0000000001624000-memory.dmp

Filesize
5.0MB

Download