dcrat | 4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Size

4.9MB
MD5

d49f3eca938ef9afc22ab37348e7c3d0
SHA1

bbb92df0748401881fd5d2cddd8022130a735971
SHA256

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351
SHA512

97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2840	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2840	schtasks.exe

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exe4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2932-3-0x000000001BB50000-0x000000001BC7E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
264	powershell.exe
1604	powershell.exe
2796	powershell.exe
1832	powershell.exe
2516	powershell.exe
2588	powershell.exe
1468	powershell.exe
1268	powershell.exe
2200	powershell.exe
2860	powershell.exe
1312	powershell.exe
1464	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
2792	taskhost.exe
2468	taskhost.exe
1712	taskhost.exe
1052	taskhost.exe
1892	taskhost.exe
292	taskhost.exe
1220	taskhost.exe
2516	taskhost.exe
612	taskhost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost.exe4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 29 IoCs

Processes:

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\RCX2A11.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\886983d96e3d3e	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\DVD Maker\csrss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\1610b97d3ab4a7	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\audiodg.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Windows NT\f3b6ecef712a24	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX736.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\b75386f1303e64	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXDAE.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Windows NT\spoolsv.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\audiodg.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX258D.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\42af1c969fbb7b	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\OSPPSVC.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\Windows NT\spoolsv.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\DVD Maker\csrss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files\DVD Maker\886983d96e3d3e	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX280D.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\OSPPSVC.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\lsm.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\RCXB8B.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2389.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

Drops file in Windows directory 8 IoCs

Processes:

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

description	ioc	process
File created	C:\Windows\debug\b75386f1303e64	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Windows\PolicyDefinitions\de-DE\smss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Windows\PolicyDefinitions\de-DE\69ddcba757bf72	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Windows\debug\RCX987.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Windows\debug\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCX15DD.tmp	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\smss.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
File created	C:\Windows\debug\taskhost.exe	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1292	schtasks.exe
304	schtasks.exe
1308	schtasks.exe
2124	schtasks.exe
1432	schtasks.exe
2044	schtasks.exe
3020	schtasks.exe
640	schtasks.exe
2488	schtasks.exe
2760	schtasks.exe
2700	schtasks.exe
2904	schtasks.exe
1920	schtasks.exe
1892	schtasks.exe
876	schtasks.exe
1880	schtasks.exe
1816	schtasks.exe
2964	schtasks.exe
2216	schtasks.exe
1708	schtasks.exe
2572	schtasks.exe
1876	schtasks.exe
1356	schtasks.exe
2148	schtasks.exe
776	schtasks.exe
1776	schtasks.exe
1660	schtasks.exe
676	schtasks.exe
2548	schtasks.exe
1732	schtasks.exe
2952	schtasks.exe
2492	schtasks.exe
628	schtasks.exe
2188	schtasks.exe
1584	schtasks.exe
2176	schtasks.exe
2988	schtasks.exe
1192	schtasks.exe
2592	schtasks.exe
2196	schtasks.exe
1940	schtasks.exe
756	schtasks.exe
2172	schtasks.exe
3024	schtasks.exe
2536	schtasks.exe
1744	schtasks.exe
2004	schtasks.exe
1728	schtasks.exe
2464	schtasks.exe
2576	schtasks.exe
2720	schtasks.exe
2888	schtasks.exe
2860	schtasks.exe
2400	schtasks.exe
2052	schtasks.exe
1748	schtasks.exe
1612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	process
2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
2200	powershell.exe
264	powershell.exe
1312	powershell.exe
1268	powershell.exe
1468	powershell.exe
1464	powershell.exe
2588	powershell.exe
1604	powershell.exe
1832	powershell.exe
2860	powershell.exe
2796	powershell.exe
2516	powershell.exe
2792	taskhost.exe
2468	taskhost.exe
1712	taskhost.exe
1052	taskhost.exe
1892	taskhost.exe
292	taskhost.exe
1220	taskhost.exe
2516	taskhost.exe
612	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2792	taskhost.exe
Token: SeDebugPrivilege	2468	taskhost.exe
Token: SeDebugPrivilege	1712	taskhost.exe
Token: SeDebugPrivilege	1052	taskhost.exe
Token: SeDebugPrivilege	1892	taskhost.exe
Token: SeDebugPrivilege	292	taskhost.exe
Token: SeDebugPrivilege	1220	taskhost.exe
Token: SeDebugPrivilege	2516	taskhost.exe
Token: SeDebugPrivilege	612	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	process	target process
PID 2932 wrote to memory of 2588	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2588	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2588	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1468	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1468	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1468	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2860	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2860	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2860	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1268	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1268	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1268	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1312	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1312	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1312	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 264	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 264	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 264	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1604	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1604	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1604	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2200	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2200	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2200	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2516	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2516	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2516	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1832	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1832	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1832	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1464	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1464	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 1464	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2796	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2796	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 2796	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	powershell.exe
PID 2932 wrote to memory of 612	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	cmd.exe
PID 2932 wrote to memory of 612	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	cmd.exe
PID 2932 wrote to memory of 612	2932	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe	cmd.exe
PID 612 wrote to memory of 1528	612	cmd.exe	w32tm.exe
PID 612 wrote to memory of 1528	612	cmd.exe	w32tm.exe
PID 612 wrote to memory of 1528	612	cmd.exe	w32tm.exe
PID 612 wrote to memory of 2792	612	cmd.exe	taskhost.exe
PID 612 wrote to memory of 2792	612	cmd.exe	taskhost.exe
PID 612 wrote to memory of 2792	612	cmd.exe	taskhost.exe
PID 2792 wrote to memory of 1816	2792	taskhost.exe	WScript.exe
PID 2792 wrote to memory of 1816	2792	taskhost.exe	WScript.exe
PID 2792 wrote to memory of 1816	2792	taskhost.exe	WScript.exe
PID 2792 wrote to memory of 2976	2792	taskhost.exe	WScript.exe
PID 2792 wrote to memory of 2976	2792	taskhost.exe	WScript.exe
PID 2792 wrote to memory of 2976	2792	taskhost.exe	WScript.exe
PID 1816 wrote to memory of 2468	1816	WScript.exe	taskhost.exe
PID 1816 wrote to memory of 2468	1816	WScript.exe	taskhost.exe
PID 1816 wrote to memory of 2468	1816	WScript.exe	taskhost.exe
PID 2468 wrote to memory of 2356	2468	taskhost.exe	WScript.exe
PID 2468 wrote to memory of 2356	2468	taskhost.exe	WScript.exe
PID 2468 wrote to memory of 2356	2468	taskhost.exe	WScript.exe
PID 2468 wrote to memory of 2152	2468	taskhost.exe	WScript.exe
PID 2468 wrote to memory of 2152	2468	taskhost.exe	WScript.exe
PID 2468 wrote to memory of 2152	2468	taskhost.exe	WScript.exe
PID 2356 wrote to memory of 1712	2356	WScript.exe	taskhost.exe
PID 2356 wrote to memory of 1712	2356	WScript.exe	taskhost.exe
PID 2356 wrote to memory of 1712	2356	WScript.exe	taskhost.exe
PID 1712 wrote to memory of 2980	1712	taskhost.exe	WScript.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe
"C:\Users\Admin\AppData\Local\Temp\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCs9nEU3LD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1528
- - C:\Program Files (x86)\Windows Sidebar\taskhost.exe
    "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e223e916-f6b4-4d3e-9a30-0e9079fb6e06.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9548de9c-c7e5-4040-bb0c-b44ebd64ca5f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a11b6d-a607-48c7-9c71-2bd03b7308a2.vbs"
        8⤵
        
        PID:2980
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acf85f7-adac-483c-8568-864486881224.vbs"
        10⤵
        
        PID:2808
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0964f964-0609-45f6-9370-076021507b26.vbs"
        12⤵
        
        PID:1992
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b929c9d-eb09-4d41-8c02-8912298fa663.vbs"
        14⤵
        
        PID:2784
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae0642c-65c6-4408-a01a-f637d34bc91f.vbs"
        16⤵
        
        PID:1584
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c8da897-a218-417f-9b43-04c80b85942e.vbs"
        18⤵
        
        PID:2856
        
        C:\Program Files (x86)\Windows Sidebar\taskhost.exe
        
        "C:\Program Files (x86)\Windows Sidebar\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ac1aa4a-fdce-4293-90c4-8b99dcf713eb.vbs"
        20⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a76dedf-8c4f-4854-aafe-11d824d15e54.vbs"
        20⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7ce92d-2487-4161-a568-7c8333ed7778.vbs"
        18⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c02de7c-cc86-4eb8-ab00-69b1e583142e.vbs"
        16⤵
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e180f5c-93a5-433b-a4d8-eb74eaa44126.vbs"
        14⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0827ba8f-a90a-4b4f-9a0c-b47a884450d3.vbs"
        12⤵
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee06a175-c740-4f0c-8d1c-888d86532023.vbs"
        10⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8a877b0-bb5e-412d-84bd-f9e13f70c377.vbs"
        8⤵
        
        PID:2884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f04df5bb-f5a1-4bdb-9de1-9819258dfc42.vbs"
        6⤵
        
        PID:2152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2ad10b8-a4cf-49bc-9e66-d4746b2b818b.vbs"
      4⤵
      PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\debug\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N4" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N4" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N4" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N4" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\RCXB8B.tmp

Filesize
4.9MB

MD5
254a5d1d1be01877fc0a1a7e7ea1dee3

SHA1
49941a0035814c407f4caf648bb1fc183dfb083b

SHA256
376aa9698759fb237ac20bb01643c3a0a7e915e8f6d07ea2d0f1e71d96539f38

SHA512
d31fcf3d863ddb9f306688f7fad0b88b4c7cc87d751ee77bb01ba15e24f46159d7092c437ac79afad97a5b7c2dfb075a3ef51edc8f4f379ae845b98273c8c6ed

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\csrss.exe

Filesize
4.9MB

MD5
d49f3eca938ef9afc22ab37348e7c3d0

SHA1
bbb92df0748401881fd5d2cddd8022130a735971

SHA256
4a4ea3bb2eb0b041d94c783c6a8bba539dc5296b2899cacaf93fb66341310351

SHA512
97890bcf4071bee21d6e9f7e891a4cbfcba15e41672646a6122cbc986e404d6aa3b5ddd5af19c1becfd7c9865cda5654a3324470dfc89f517bf13b28b7dede68

Download Submit
C:\Users\Admin\AppData\Local\Temp\0964f964-0609-45f6-9370-076021507b26.vbs

Filesize
727B

MD5
c3e950f69c222d38bcd13d782ae302a4

SHA1
b3d60c38f8c65b4d289738b0d3e1386e97980d9f

SHA256
83d7efcc7ed353ce3d2d4544af42b3696034720e979396c35f16fac6aec7b666

SHA512
2eaef0c4e911e3fda9acb8c4fd1e9a16674775ad6daed24a28ac4dc2b8f8387628dc181468ed4f14fb9fd456900a55f898f3e7d76e42731c56164782ad458d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ac1aa4a-fdce-4293-90c4-8b99dcf713eb.vbs

Filesize
726B

MD5
c63ecda7bd9d8253b63f4f4303a62772

SHA1
814ad2e77fc5348318ecedabead1572a82017037

SHA256
1a3721509ee1f5c1ca21896ea3f3697e25b4a3ea220b9a6856f4fe209f217dfa

SHA512
6079c11ab29bbf9c40d66a2df11bdaddd811a9025901c46fdb3f3f2f477453e86d78687a11f7c57004b6bdb0ef1581e6d73b3856f8d2bf5fc01525bacdd11014

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acf85f7-adac-483c-8568-864486881224.vbs

Filesize
727B

MD5
c883e3390835c6370cf26b4c888b532e

SHA1
f5d1d98566b25d37f354f3a5f27e30d7eacfd0bc

SHA256
76f616bfb065308aed8e681fb035713ed244d8a0d225344f2aee70d4258ccd1d

SHA512
e02ce46a2ebab462e3955c7a2bb2693cebd969597d00deff95e8f2edbd70faa8831fe2c457dffcd3333df65a36cbf9991861bfbfdb2ba722d7d8d858ea02fa33

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ae0642c-65c6-4408-a01a-f637d34bc91f.vbs

Filesize
727B

MD5
96e314ccb09c180f4de6bbbb6f0bb6c0

SHA1
01bb6b88a64fe9cb5c4903ec876101e83e352ec5

SHA256
e1ca58d5c7514db9134a3133c2eaabca172c95202ee09202af0d09feab0e75af

SHA512
93ef83e4af699b752b33be586724c9025da4455bf29708daca755518c765aaab4377acddff9c101bcb6c296ca790dbd1f245d64eb746feb4dea2299c84cfa622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b929c9d-eb09-4d41-8c02-8912298fa663.vbs

Filesize
726B

MD5
4a64ea2a23451ea402cfb19d580805d3

SHA1
fac8303a3c0f9e34707103ab33b1304a2cc26b7a

SHA256
9b7a8274797a99f69b279d68b439c4d31065058a6706c2b9019c3159176bbca9

SHA512
274fa35bed5f6ce50030734dee16079d357e7262093b681b8e30e6fb6f437f2799acb44074c236020514d07c4cb9b40fc8d54e2ba46854edf238f63da31f68de

Download Submit
C:\Users\Admin\AppData\Local\Temp\9548de9c-c7e5-4040-bb0c-b44ebd64ca5f.vbs

Filesize
727B

MD5
dc64f4f02ccc637768684cd83f227cb6

SHA1
f1c19125ba51b663f6e8a2e980953f6bdbdedc9d

SHA256
cc62f6f17349585838f194b1f22fd8d19f03235b6844163b6af26b5ae54ce10d

SHA512
7463427c8ee352daedb6b38350cee3f75468bec5e34e9e8d04cdbd4d27ff2c77a84694be4beeea64c908b8974f17a5d3ed248bb295b0637f4ec798094e4dbda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c8da897-a218-417f-9b43-04c80b85942e.vbs

Filesize
727B

MD5
bd5af400d9cb1f083d10314817d9005f

SHA1
96870defe5382ec40501c2c3e60ef5dfa4cc1cb2

SHA256
7e0b27fe6571aa7553740f5e08fa060c41f490a951c8e96e174d94c8a1c77048

SHA512
753e15a443c2281a45e709e0a18cf26178a6560667db39a913bef027be9c1e6739aa20d535eed34ac3098528c7ad479ef4dba89e62f29010d1055557c8012d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2ad10b8-a4cf-49bc-9e66-d4746b2b818b.vbs

Filesize
503B

MD5
57ffe40992e4859872c8cce4d4828eee

SHA1
8beb2625a0b6e3a380c8302d3b13f5bcc4f21d1d

SHA256
709125f0db517ee08926d1dbb1c0ce2945788b97a4183322827eca25fa2869b5

SHA512
7a15c30d734ad271158872402370af7464d7b304b435200dfd45541fd48d6281e5acc402f3e3356af8629fee54965772ebd4dd5d6c1ef19e3d9e9eda1a12a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e223e916-f6b4-4d3e-9a30-0e9079fb6e06.vbs

Filesize
727B

MD5
fa1c59b41e2e1283ee629d617c4b7a83

SHA1
e5256cfb2920756e3f26f89da5bb723cc0e24622

SHA256
13339d81ee88aaf35214171cda59727dcc5b98660254bea8317709757db97aae

SHA512
4a96cda3b1082b7643184c0620e164fe6de4a44661212a85b6ae471e038f3e5ba6dd34e8fdb04310bc94893d63c7c0b12767bf727a5025bd3131d07c2c8f3c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8a11b6d-a607-48c7-9c71-2bd03b7308a2.vbs

Filesize
727B

MD5
7e904ea8896bc800e0fd7f26cebacc47

SHA1
64d9303acd254c89ea6a211278fba98d735a02fc

SHA256
fb7a577455181c6f14d8e6000b1f6985a18995ca3803e5d5ddb26471eb54fd4e

SHA512
00e9812e7350e69c5efef307aa8de4ee95d9dad9d38455e4f2a0035c98e8455931cfa28764225900cda52fb5e6b76efa971eccbcdd5a612e4f62d54b5e445a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCs9nEU3LD.bat

Filesize
216B

MD5
2dc01ab152e2be59cd8a46d1937fc8df

SHA1
ac3fdc3b2caba09c1229b21ce262b81806ef91f0

SHA256
9e3e8874add78ab349ad2494bb20c9321549d7227aa044ee0e96b78b85eb7498

SHA512
2c6f93bbdcd3e4dc840f39cd6bf96240f9681990da09164d54e20187387f5a380f97367fa3a6087a4cbb93b3e79498ffd7875376196bdf79046948fca812e867

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5428.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92b0550ce6c4345f920ee58be87221dc

SHA1
65c02427f334ddc163bfcbdc9465e236f5385e78

SHA256
14f486bf539769fb828193c4434e39224003d6867e6345af1fdd4c573779ffff

SHA512
6a3bfe456ba010c3824bbf858244f8d8abee12f260ff1955a95da5148df3e4dc3ecd8ac27f5e5d847f2f2756a6125875c870cf901d16bcf72ee45028179e32af

Download Submit
memory/264-211-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/612-363-0x0000000000150000-0x0000000000644000-memory.dmp

Filesize
5.0MB

Download
memory/1052-289-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/1220-333-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/1712-274-0x0000000000F40000-0x0000000001434000-memory.dmp

Filesize
5.0MB

Download
memory/1892-304-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2200-210-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2468-259-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2516-348-0x0000000000DB0000-0x00000000012A4000-memory.dmp

Filesize
5.0MB

Download
memory/2792-245-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/2932-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2932-150-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2932-10-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2932-9-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2932-15-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2932-7-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/2932-195-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-8-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2932-12-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/2932-6-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/2932-142-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2932-5-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2932-4-0x0000000000880000-0x000000000089C000-memory.dmp

Filesize
112KB

Download
memory/2932-13-0x0000000002430000-0x000000000243E000-memory.dmp

Filesize
56KB

Download
memory/2932-3-0x000000001BB50000-0x000000001BC7E000-memory.dmp

Filesize
1.2MB

Download
memory/2932-14-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2932-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-16-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2932-1-0x0000000000070000-0x0000000000564000-memory.dmp

Filesize
5.0MB

Download