dcrat | 551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Size

4.9MB
MD5

97c2fd4f94bc323b64fa0786677e52b8
SHA1

4d0616246b8cd3ac2938e0c01fc3c068fb3251f7
SHA256

551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac
SHA512

785b62a23620b693bd9cdd5392fa9c7b9f979119745418b60b6944b9084f4d830cb1771d1e6abe2b941091cc994eab850b771a92cdd3904472637e0d96fd1eb9
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2080	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2080	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2604-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
376	powershell.exe
1192	powershell.exe
792	powershell.exe
3028	powershell.exe
1088	powershell.exe
668	powershell.exe
3040	powershell.exe
2420	powershell.exe
1028	powershell.exe
1976	powershell.exe
2568	powershell.exe
2900	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2160	dwm.exe
2628	dwm.exe
3028	dwm.exe
2076	dwm.exe
948	dwm.exe
880	dwm.exe
1628	dwm.exe
688	dwm.exe
492	dwm.exe
2320	dwm.exe
2484	dwm.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\56085415360792	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCXBB77.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCF6D.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXD885.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\wininit.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXC00B.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\wininit.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\27d1bcfc3c54e0	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tracing\services.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\TAPI\spoolsv.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\TAPI\f3b6ecef712a24	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\SchCache\WmiPrvSE.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\SchCache\24dbde2999530e	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\tracing\RCXB973.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\Setup\csrss.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\TAPI\RCXC887.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\TAPI\spoolsv.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\SchCache\RCXCA8B.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\tracing\services.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\Setup\RCXB76E.tmp	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\Setup\csrss.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\Setup\886983d96e3d3e	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File created	C:\Windows\tracing\c5b4cb5e9653cc	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
File opened for modification	C:\Windows\SchCache\WmiPrvSE.exe	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2236	schtasks.exe
544	schtasks.exe
2544	schtasks.exe
1264	schtasks.exe
1440	schtasks.exe
2548	schtasks.exe
2140	schtasks.exe
2808	schtasks.exe
1316	schtasks.exe
1248	schtasks.exe
2504	schtasks.exe
2020	schtasks.exe
1396	schtasks.exe
2948	schtasks.exe
1860	schtasks.exe
2876	schtasks.exe
2400	schtasks.exe
1932	schtasks.exe
2060	schtasks.exe
764	schtasks.exe
792	schtasks.exe
1668	schtasks.exe
2304	schtasks.exe
2428	schtasks.exe
2212	schtasks.exe
3020	schtasks.exe
1872	schtasks.exe
2252	schtasks.exe
2684	schtasks.exe
3040	schtasks.exe
2196	schtasks.exe
1140	schtasks.exe
2660	schtasks.exe
2796	schtasks.exe
2356	schtasks.exe
2880	schtasks.exe
1084	schtasks.exe
1784	schtasks.exe
2112	schtasks.exe
1604	schtasks.exe
2816	schtasks.exe
2740	schtasks.exe
1756	schtasks.exe
1920	schtasks.exe
2916	schtasks.exe
644	schtasks.exe
2972	schtasks.exe
2708	schtasks.exe
2088	schtasks.exe
336	schtasks.exe
2664	schtasks.exe
1992	schtasks.exe
952	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
2568	powershell.exe
792	powershell.exe
3028	powershell.exe
1192	powershell.exe
2900	powershell.exe
2420	powershell.exe
1088	powershell.exe
1976	powershell.exe
3040	powershell.exe
1028	powershell.exe
668	powershell.exe
376	powershell.exe
2160	dwm.exe
2628	dwm.exe
3028	dwm.exe
2076	dwm.exe
948	dwm.exe
880	dwm.exe
1628	dwm.exe
688	dwm.exe
492	dwm.exe
2320	dwm.exe
2484	dwm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2160	dwm.exe
Token: SeDebugPrivilege	2628	dwm.exe
Token: SeDebugPrivilege	3028	dwm.exe
Token: SeDebugPrivilege	2076	dwm.exe
Token: SeDebugPrivilege	948	dwm.exe
Token: SeDebugPrivilege	880	dwm.exe
Token: SeDebugPrivilege	1628	dwm.exe
Token: SeDebugPrivilege	688	dwm.exe
Token: SeDebugPrivilege	492	dwm.exe
Token: SeDebugPrivilege	2320	dwm.exe
Token: SeDebugPrivilege	2484	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	86
PID 2604 wrote to memory of 1028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	86
PID 2604 wrote to memory of 1028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	86
PID 2604 wrote to memory of 792	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	87
PID 2604 wrote to memory of 792	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	87
PID 2604 wrote to memory of 792	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	87
PID 2604 wrote to memory of 1976	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	88
PID 2604 wrote to memory of 1976	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	88
PID 2604 wrote to memory of 1976	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	88
PID 2604 wrote to memory of 3028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	89
PID 2604 wrote to memory of 3028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	89
PID 2604 wrote to memory of 3028	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	89
PID 2604 wrote to memory of 1088	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	90
PID 2604 wrote to memory of 1088	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	90
PID 2604 wrote to memory of 1088	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	90
PID 2604 wrote to memory of 668	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	91
PID 2604 wrote to memory of 668	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	91
PID 2604 wrote to memory of 668	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	91
PID 2604 wrote to memory of 2568	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	92
PID 2604 wrote to memory of 2568	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	92
PID 2604 wrote to memory of 2568	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	92
PID 2604 wrote to memory of 2900	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	93
PID 2604 wrote to memory of 2900	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	93
PID 2604 wrote to memory of 2900	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	93
PID 2604 wrote to memory of 3040	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	94
PID 2604 wrote to memory of 3040	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	94
PID 2604 wrote to memory of 3040	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	94
PID 2604 wrote to memory of 376	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	95
PID 2604 wrote to memory of 376	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	95
PID 2604 wrote to memory of 376	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	95
PID 2604 wrote to memory of 2420	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	96
PID 2604 wrote to memory of 2420	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	96
PID 2604 wrote to memory of 2420	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	96
PID 2604 wrote to memory of 1192	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	97
PID 2604 wrote to memory of 1192	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	97
PID 2604 wrote to memory of 1192	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	97
PID 2604 wrote to memory of 2160	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	110
PID 2604 wrote to memory of 2160	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	110
PID 2604 wrote to memory of 2160	2604	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe	110
PID 2160 wrote to memory of 2792	2160	dwm.exe	111
PID 2160 wrote to memory of 2792	2160	dwm.exe	111
PID 2160 wrote to memory of 2792	2160	dwm.exe	111
PID 2160 wrote to memory of 2912	2160	dwm.exe	112
PID 2160 wrote to memory of 2912	2160	dwm.exe	112
PID 2160 wrote to memory of 2912	2160	dwm.exe	112
PID 2792 wrote to memory of 2628	2792	WScript.exe	113
PID 2792 wrote to memory of 2628	2792	WScript.exe	113
PID 2792 wrote to memory of 2628	2792	WScript.exe	113
PID 2628 wrote to memory of 2112	2628	dwm.exe	114
PID 2628 wrote to memory of 2112	2628	dwm.exe	114
PID 2628 wrote to memory of 2112	2628	dwm.exe	114
PID 2628 wrote to memory of 2592	2628	dwm.exe	115
PID 2628 wrote to memory of 2592	2628	dwm.exe	115
PID 2628 wrote to memory of 2592	2628	dwm.exe	115
PID 2112 wrote to memory of 3028	2112	WScript.exe	116
PID 2112 wrote to memory of 3028	2112	WScript.exe	116
PID 2112 wrote to memory of 3028	2112	WScript.exe	116
PID 3028 wrote to memory of 2944	3028	dwm.exe	117
PID 3028 wrote to memory of 2944	3028	dwm.exe	117
PID 3028 wrote to memory of 2944	3028	dwm.exe	117
PID 3028 wrote to memory of 2772	3028	dwm.exe	118
PID 3028 wrote to memory of 2772	3028	dwm.exe	118
PID 3028 wrote to memory of 2772	3028	dwm.exe	118
PID 2944 wrote to memory of 2076	2944	WScript.exe	119

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe
"C:\Users\Admin\AppData\Local\Temp\551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Users\Default\Videos\dwm.exe
  "C:\Users\Default\Videos\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2160
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4962d00-09a9-452c-b929-4741c1d55713.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Default\Videos\dwm.exe
      C:\Users\Default\Videos\dwm.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa704925-43d2-441e-937c-f8cd1f42b3bb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6495deb2-4969-43e1-a7b3-63441c0b13bc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016e0c8e-2b8c-4665-bd7b-e2aa02c0e642.vbs"
        9⤵
        
        PID:572
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368c52ee-fbab-4369-996a-63dcfb0a898e.vbs"
        11⤵
        
        PID:2864
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cb7da88-d84f-4c78-8f0b-b39b5a2a6939.vbs"
        13⤵
        
        PID:2156
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95641d63-8d67-47d6-a43b-7364541a9498.vbs"
        15⤵
        
        PID:2532
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e71088-0e0e-4aff-b6b3-5544ed912b1a.vbs"
        17⤵
        
        PID:2056
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\231ef986-b044-4094-9cb5-77dd8ef9c6f5.vbs"
        19⤵
        
        PID:2392
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a5d4fb8-17ed-4a3b-903f-8f36e05363f4.vbs"
        21⤵
        
        PID:1940
        
        C:\Users\Default\Videos\dwm.exe
        
        C:\Users\Default\Videos\dwm.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19d55774-aa3c-48a5-89a2-9a67d130aa9f.vbs"
        23⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e639a502-e0bd-4b0a-9dd9-753669a5504e.vbs"
        23⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9859c835-b6c6-4c08-8591-57aa1d72a83f.vbs"
        21⤵
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\173fd09a-be1a-49f2-a2a6-5ef8ce2afb8f.vbs"
        19⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94519dfa-7498-49b4-b64a-d642411fc6c5.vbs"
        17⤵
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa0f809-f042-47ac-8a81-edd935867f80.vbs"
        15⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f48614fb-b333-4db4-9ad7-54d77c605b88.vbs"
        13⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfd781b3-d3ca-4a18-8c10-e526a52b54bb.vbs"
        11⤵
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6bb02b-d4d3-404a-b7bc-ae908cc2607e.vbs"
        9⤵
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad179ef2-b6e9-4876-9986-f418e580dbc1.vbs"
        7⤵
        
        PID:2772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5db7d5e-f9fa-411d-a208-c7f06f8a039e.vbs"
        5⤵
        
        PID:2592
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4915e316-24c7-45d3-84bc-69bf36e034be.vbs"
    3⤵
    PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RCXD5F5.tmp

Filesize
4.9MB

MD5
2a7e8162bf62ff3c2e8710379c3bb9d6

SHA1
2d5618c20eb366d857284f2fb896f9d2efac9bd7

SHA256
2a509e00fa976cfb798d16daf0ed3dee4064afae3618247d235f084dc9eba45e

SHA512
c467ef1827ed1d496e3e104f9eefd14c64f73e968d45d2fed695270bc964ab5507862fca3193d9b7b90792328112a19b5c17b4a5be6f7adbe9896791bdb95509

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe

Filesize
4.9MB

MD5
97c2fd4f94bc323b64fa0786677e52b8

SHA1
4d0616246b8cd3ac2938e0c01fc3c068fb3251f7

SHA256
551102af60c05577e72365aa652e0febf1f910a1cbc097bf944eeab91e7a8bac

SHA512
785b62a23620b693bd9cdd5392fa9c7b9f979119745418b60b6944b9084f4d830cb1771d1e6abe2b941091cc994eab850b771a92cdd3904472637e0d96fd1eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\016e0c8e-2b8c-4665-bd7b-e2aa02c0e642.vbs

Filesize
707B

MD5
91f03c7801d1dd60db524e2e1b956813

SHA1
e872ca61ebb222cd689fd50693e247078731bd64

SHA256
d47c73de5e284ab392eaa0fe2dfbdfb6b8a4579ef988ed1aff261dc20339482b

SHA512
365e84ded2f4c584ce674108fa309aabe42cc959c2f50eeba73ca61a207914384eea04476f1af5dd55acbd0841d8ffd165434a6106e8b9626862367e53cc0f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\19d55774-aa3c-48a5-89a2-9a67d130aa9f.vbs

Filesize
707B

MD5
f5fb1c5c36350521919cc1d0d232f66c

SHA1
ace8c39f76f30dc51af6c80df4ee33b751f986f1

SHA256
8ddb13e6c87f789650b996f49be04e9e236fe83ea826f54bff53bad92cd34170

SHA512
87cef77ea6bf97de19f7dc8c87d7de4b70cbefac2a66556370cce9761c85981f17be10455ea7877875f7732f2ced38c5ba839684be7848df6e3e0bec65544095

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cb7da88-d84f-4c78-8f0b-b39b5a2a6939.vbs

Filesize
706B

MD5
69f15c88115945439974fd868d3d26db

SHA1
4ea654f9a262b6798c9de5cd64848838a055dca9

SHA256
a5a5a983168d2f490204d65fec108fe555fa2fd33218a7ec8e2b96820316a448

SHA512
e28951a15302d8096850e2a42c07d3089456ec7f26ba51cf9c5fd7cfd99ff085a750f29ef1f974cb00a0cc71a9d279211d6fd6c21e668e7915d1a6557dcc04fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\231ef986-b044-4094-9cb5-77dd8ef9c6f5.vbs

Filesize
706B

MD5
09307578170430dc162f9e7e0d4c29d5

SHA1
9db0375b3fa4f93fc80a8a3fb241f8b34250deb0

SHA256
e465004064e1df7e36cb324ed6e809c9bad27b83f8d1b1d88fd458f38191808b

SHA512
f937c8a438d2f20151bbb5b8ff3e82d3f038cd73510403739a532eb985166cc4a8c514f384a5896172e5868c53707735e3356754a8dcecacc35b8928da4c9e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\368c52ee-fbab-4369-996a-63dcfb0a898e.vbs

Filesize
706B

MD5
6d94a9c72396ffeb16472aad6b963663

SHA1
1943dfc49eacc9ae1ea2158acda3a870cbde957b

SHA256
ffa912adf752fcae8276fc63e06065466653d1a67507a2280d6b1d0c1fd7c4d4

SHA512
b88b9c59dfbd82b9bc4eba08b4988c09a3a693dfe2a5c81a9e36f1f89bed7a9729973f60b8636f71837473ecf2b54b6b6745c1c5474214d1be19f7bf414cf2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\44e71088-0e0e-4aff-b6b3-5544ed912b1a.vbs

Filesize
706B

MD5
3fe1ce61503d88f2fc8fa93970644197

SHA1
83cf33afd79dc700695e106eeb9a2bd7c7a8232c

SHA256
295eb30dea12a62a9031369c5f464bc64ff1919e63d02f0a98ecbcfc0c735936

SHA512
b4156937d6e9876f55891505f29f2d859720efbafd68f3281d3b9f281bb556b2915a80277094810b17b96ffd8f42d94d8f47dee8841d0762f1cd50c88379fd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\4915e316-24c7-45d3-84bc-69bf36e034be.vbs

Filesize
483B

MD5
2c3a74818969cdfb03025543ae58d401

SHA1
0c9ffa6e7fdcc44913f37fe06998690a24457b97

SHA256
6d484a426756e8249d755e8e8823b38c3dc252064e2b115334a410812e811a3b

SHA512
63d49f69e7c476ca176c595bacbbbec60a243311fc113690a53b35e75b7dc5470be7fb0f7d582ae77d7417666bfde2b2d16c2e02466fdb7e44434fafe8cf6342

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a5d4fb8-17ed-4a3b-903f-8f36e05363f4.vbs

Filesize
707B

MD5
7430fcb874770173374bdef9f0466211

SHA1
e55a34b63d5d2053b4fc18cbd3e82883b314d197

SHA256
f619f93aee35027f539fafa9f092ac9bb2c47d7c8b030c9f1c9f7f3fb3989132

SHA512
028beedb5582468b32c7d227933c8c1cb3cc408ad73be2750759ee67d862aeb202146b038dfca6c65f41b2bc9d31bb9ee8656b919ddf5f93df91609f7c0c41f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6495deb2-4969-43e1-a7b3-63441c0b13bc.vbs

Filesize
707B

MD5
d6654dfa04d7c22dd3c7cb4554a85f1c

SHA1
1e0d75605549d08633570041c57d55f29a77e566

SHA256
af65819710f9fbca08016c762441c93a9fe4f81a09e310d637e8b4629e2aecce

SHA512
d74c50846e28f93a963e068d539a79555eea05653fb2c5fd42763deebeeeff1798bf543bd6b3be31ae9b9bd5c61ab229e1021581670e68e02aaf614da9a6b315

Download Submit
C:\Users\Admin\AppData\Local\Temp\95641d63-8d67-47d6-a43b-7364541a9498.vbs

Filesize
707B

MD5
cb1eaf5791cc52aafd93a4a2f2909052

SHA1
fad197b1b6bf20e024211d8dff0e078a7b18e6ba

SHA256
dc3333376c0243f2bc56a856b3ef239d90f5fce6b9c4812581d198d86851aa59

SHA512
92368ac4ba1732d34ac182d4636d81439a913f3ceccb7dff9ea9b65cde40c92e03ce03592cca4071f25ab70304a00b60cb33cea9f3fd9f1eb275fbbba55cd614

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4962d00-09a9-452c-b929-4741c1d55713.vbs

Filesize
707B

MD5
1d041c214c7548cd8d5115e24c091b7c

SHA1
90b4e8922f2a5a99a3d299d3503e8bef06792a44

SHA256
d3148544f7fc510c4ec2a5d26ec588958de027ac91a632575c905f701bca8886

SHA512
0cb553566753571811f354f3306d8f8937292431e648723965d01ae1ff0ba8573d8a1243b2d3ab44c2e02d1cb3e60369cd46f5da2f1405049472e23651d53a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3fc9d1b69621479c44ec6496a02740ca962dd8e.exe

Filesize
960KB

MD5
ae7e7ce38b1a2244959e3208cd4d82c8

SHA1
a403bd5905628e899be59062e341c1e96ed07f01

SHA256
982503630482356b51d29ae0f676c324b59c39997d04b25617f720e3c8f1964a

SHA512
3c5580df9245a46bc02f67820b6940d70148ed22958a3ab7f3b63a525ae9a55b4acb0b109e5bc794fabe20b5191dbe1111fe209616f95e789b818965eae00d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa704925-43d2-441e-937c-f8cd1f42b3bb.vbs

Filesize
707B

MD5
10eafb17d88213b205652c1190b82052

SHA1
6c07b4cf27a842fbdedbdb6432f886d40e62f657

SHA256
b3959a4ae3ee76bd2f80d39fb627cb44b14aefa96162da1d1015cf03e031a0a2

SHA512
203535a2d9cbba25fbc41bd4770e9de5d6643c977408719414b66ecc33f6c4ec41030b749a0b0af48b7cf092e98979d4f8ca165621e5992ee3cc9ddf590e3aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF029.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XP7D401REQ3ZBSU5TDK4.temp

Filesize
7KB

MD5
c11a7170eaa68c825c0daa4e9c831f59

SHA1
f019de327b0df58858646cc7298efdf3bb5baa5e

SHA256
4f5ee79bcab43dd66dae3a502bb5a762744a529cc6a15425c6ecbdcd13035718

SHA512
45312fcb29341238e57a1fea3772335338099ec9f18bf96fe74ff4a04617522cd66f6cc1afa9031dfaf8c5f5d1c0052846ac98b32eda2666de7b4263e7ca052e

Download Submit
C:\Users\Public\Recorded TV\RCXD3F1.tmp

Filesize
4.9MB

MD5
29a28a5a158d7c793ae6db1afce73988

SHA1
b7f7d84777053d1c4de01baf498bda035ec1dfba

SHA256
d926bf87cbcae0f75306e8d08a1ade7089c4039bca44ba9bea741079c0ce7028

SHA512
2706f2a4c7b6281113ca7879e3d374464de8e4d5598e4c64325807c6efa32aa5018fa1e7b4bab099964ba46b3598c87cbfe23be59964e49a879c02f78c624501

Download Submit
memory/688-349-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/880-320-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/948-305-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2076-290-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2160-185-0x0000000000F20000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download
memory/2568-196-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2568-195-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2604-12-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/2604-10-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2604-137-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2604-16-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

Filesize
48KB

Download
memory/2604-15-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2604-1-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/2604-14-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2604-13-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/2604-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2604-152-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2604-197-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-9-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2604-7-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2604-8-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2604-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2604-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2604-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2604-3-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-2-0x000000001B5A0000-0x000000001B6CE000-memory.dmp

Filesize
1.2MB

Download
memory/2628-261-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download