dcrat | 3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Size

4.9MB
MD5

2382f8fb2178cff1276f7416428efe5f
SHA1

91516f859638ee108e4c6edb9a2b9a4772e353fc
SHA256

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168
SHA512

253d4ba57120fbcf9aa908c0aedcca230b4e092b144c008e92372fa61c4cb5f327a73d4d740dce8fb041205c4cef31a0758dba5f08fad0dfcd3f1b287a2e0f1c
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2144	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2144	schtasks.exe

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exe3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1520-2-0x000000001B100000-0x000000001B22E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2076	powershell.exe
868	powershell.exe
1588	powershell.exe
560	powershell.exe
2320	powershell.exe
880	powershell.exe
2040	powershell.exe
2196	powershell.exe
2312	powershell.exe
2112	powershell.exe
1160	powershell.exe
1448	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid process

2176 dwm.exe
2840 dwm.exe
1620 dwm.exe
868 dwm.exe
2780 dwm.exe
2404 dwm.exe
344 dwm.exe
2192 dwm.exe
1664 dwm.exe
2244 dwm.exe
1264 dwm.exe
868 dwm.exe

pid	process
2176	dwm.exe
2840	dwm.exe
1620	dwm.exe
868	dwm.exe
2780	dwm.exe
2404	dwm.exe
344	dwm.exe
2192	dwm.exe
1664	dwm.exe
2244	dwm.exe
1264	dwm.exe
868	dwm.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exe3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 8 IoCs

Processes:

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\42af1c969fbb7b	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXCA95.tmp	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Program Files\Mozilla Firefox\csrss.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXD0C0.tmp	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Program Files\Mozilla Firefox\csrss.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Program Files\Mozilla Firefox\886983d96e3d3e	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

Drops file in Windows directory 8 IoCs

Processes:

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

description	ioc	process
File created	C:\Windows\Globalization\OSPPSVC.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Windows\Globalization\1610b97d3ab4a7	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Windows\PLA\System\Idle.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File created	C:\Windows\PLA\System\6ccacd8608530f	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Windows\Globalization\RCXCEBC.tmp	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Windows\Globalization\OSPPSVC.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Windows\PLA\System\RCXD739.tmp	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
File opened for modification	C:\Windows\PLA\System\Idle.exe	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2908	schtasks.exe
1728	schtasks.exe
2768	schtasks.exe
2052	schtasks.exe
2056	schtasks.exe
592	schtasks.exe
2812	schtasks.exe
2676	schtasks.exe
492	schtasks.exe
2252	schtasks.exe
2104	schtasks.exe
2896	schtasks.exe
2708	schtasks.exe
2796	schtasks.exe
2996	schtasks.exe
2260	schtasks.exe
1428	schtasks.exe
1948	schtasks.exe
1048	schtasks.exe
2372	schtasks.exe
528	schtasks.exe
564	schtasks.exe
948	schtasks.exe
2436	schtasks.exe
3020	schtasks.exe
1804	schtasks.exe
1492	schtasks.exe
1600	schtasks.exe
2216	schtasks.exe
2832	schtasks.exe
2280	schtasks.exe
2808	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	process
1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
2112	powershell.exe
1588	powershell.exe
2196	powershell.exe
2076	powershell.exe
880	powershell.exe
2312	powershell.exe
868	powershell.exe
2320	powershell.exe
1160	powershell.exe
560	powershell.exe
2040	powershell.exe
1448	powershell.exe
2176	dwm.exe
2840	dwm.exe
1620	dwm.exe
868	dwm.exe
2780	dwm.exe
2404	dwm.exe
344	dwm.exe
2192	dwm.exe
1664	dwm.exe
2244	dwm.exe
1264	dwm.exe
868	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2176	dwm.exe
Token: SeDebugPrivilege	2840	dwm.exe
Token: SeDebugPrivilege	1620	dwm.exe
Token: SeDebugPrivilege	868	dwm.exe
Token: SeDebugPrivilege	2780	dwm.exe
Token: SeDebugPrivilege	2404	dwm.exe
Token: SeDebugPrivilege	344	dwm.exe
Token: SeDebugPrivilege	2192	dwm.exe
Token: SeDebugPrivilege	1664	dwm.exe
Token: SeDebugPrivilege	2244	dwm.exe
Token: SeDebugPrivilege	1264	dwm.exe
Token: SeDebugPrivilege	868	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exedwm.exeWScript.exedwm.exeWScript.exedwm.exeWScript.exe

description	pid	process	target process
PID 1520 wrote to memory of 2196	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2196	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2196	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2076	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2076	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2076	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2112	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2112	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2112	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2312	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2312	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2312	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1588	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1588	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1588	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 560	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 560	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 560	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2320	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2320	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2320	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 880	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 880	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 880	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 868	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 868	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 868	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2040	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2040	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2040	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1160	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1160	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1160	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1448	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1448	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 1448	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	powershell.exe
PID 1520 wrote to memory of 2176	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	dwm.exe
PID 1520 wrote to memory of 2176	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	dwm.exe
PID 1520 wrote to memory of 2176	1520	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe	dwm.exe
PID 2176 wrote to memory of 1460	2176	dwm.exe	WScript.exe
PID 2176 wrote to memory of 1460	2176	dwm.exe	WScript.exe
PID 2176 wrote to memory of 1460	2176	dwm.exe	WScript.exe
PID 2176 wrote to memory of 2932	2176	dwm.exe	WScript.exe
PID 2176 wrote to memory of 2932	2176	dwm.exe	WScript.exe
PID 2176 wrote to memory of 2932	2176	dwm.exe	WScript.exe
PID 1460 wrote to memory of 2840	1460	WScript.exe	dwm.exe
PID 1460 wrote to memory of 2840	1460	WScript.exe	dwm.exe
PID 1460 wrote to memory of 2840	1460	WScript.exe	dwm.exe
PID 2840 wrote to memory of 2860	2840	dwm.exe	WScript.exe
PID 2840 wrote to memory of 2860	2840	dwm.exe	WScript.exe
PID 2840 wrote to memory of 2860	2840	dwm.exe	WScript.exe
PID 2840 wrote to memory of 1172	2840	dwm.exe	WScript.exe
PID 2840 wrote to memory of 1172	2840	dwm.exe	WScript.exe
PID 2840 wrote to memory of 1172	2840	dwm.exe	WScript.exe
PID 2860 wrote to memory of 1620	2860	WScript.exe	dwm.exe
PID 2860 wrote to memory of 1620	2860	WScript.exe	dwm.exe
PID 2860 wrote to memory of 1620	2860	WScript.exe	dwm.exe
PID 1620 wrote to memory of 2316	1620	dwm.exe	WScript.exe
PID 1620 wrote to memory of 2316	1620	dwm.exe	WScript.exe
PID 1620 wrote to memory of 2316	1620	dwm.exe	WScript.exe
PID 1620 wrote to memory of 2712	1620	dwm.exe	WScript.exe
PID 1620 wrote to memory of 2712	1620	dwm.exe	WScript.exe
PID 1620 wrote to memory of 2712	1620	dwm.exe	WScript.exe
PID 2316 wrote to memory of 868	2316	WScript.exe	dwm.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe
"C:\Users\Admin\AppData\Local\Temp\3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\437d54f9-aa29-4645-9277-4afb4ed98c0b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1a7d70-73bd-4c5d-a6fb-423a2bb09b62.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faf4e194-07ee-4795-aa19-faf2505617c9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e87d97-29b8-41df-8fbd-cfc6bdca3409.vbs"
        9⤵
        
        PID:2300
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad93c40d-e261-467f-b9ba-2a9729fad68a.vbs"
        11⤵
        
        PID:1604
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d888c5eb-accf-4a37-a17a-2ddf9df1bf6b.vbs"
        13⤵
        
        PID:1396
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b6aa3a1-09a5-4277-b9c6-3d46d4b8f022.vbs"
        15⤵
        
        PID:528
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfaa23e0-3380-4b1f-a254-af2384269a5f.vbs"
        17⤵
        
        PID:828
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d23f3a-9c58-4288-886b-131acb0bb0ad.vbs"
        19⤵
        
        PID:1628
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f2dd7d5-f865-4c01-8126-faa22a83fba3.vbs"
        21⤵
        
        PID:872
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dfed9d6-7f0c-4fbf-83f3-8964278c44d1.vbs"
        23⤵
        
        PID:1588
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c126b3d0-1c5c-4dd3-9db4-ab7e0055c688.vbs"
        25⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e9aef9-4259-4ec7-b393-218b68d7ab0a.vbs"
        25⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730528f3-1724-4ba6-ad04-861a9eeb5c4f.vbs"
        23⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5827e03c-3f95-4e9b-a971-bb29ba2dca78.vbs"
        21⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d28a50-c9fb-4405-b027-eaf61f95293c.vbs"
        19⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e49a225d-8f69-4af7-8222-08fe466c3d1d.vbs"
        17⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90a8da2-b65a-4977-9170-23e7b04d47d8.vbs"
        15⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\066151ee-8660-4e9c-bf6a-665c1f74f030.vbs"
        13⤵
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1926dcb8-69dd-4b7c-9d20-5c4f580e2341.vbs"
        11⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec12ee3-04cf-49df-81d4-4a79f4873c08.vbs"
        9⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca3ff2b6-f210-4416-9f28-d0f83fa627e3.vbs"
        7⤵
        
        PID:2712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b262f4f9-6dce-4b0c-9a04-c31ad5c199f6.vbs"
        5⤵
        
        PID:1172
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61fc45d9-8c3e-43ac-bbe7-51f3c546d97e.vbs"
    3⤵
    PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe

Filesize
4.9MB

MD5
c5a15d72819f9c0a208aba57a79c4eef

SHA1
959aa3b2d2762b2a5f66eb1a291cd0eeb9383904

SHA256
733276b7ff650890eeb774a34e2a763f2c1f5aff1c4829aa6eff1c074305925b

SHA512
32bd845cd48341ec35973145938fe78854fd99a40b4c13552504f185fe1ba1ef78be2920f13c90b8507344d6d14b82956fdc594680a63050fbf6ff0d317e480a

Download Submit
C:\Program Files\Mozilla Firefox\csrss.exe

Filesize
4.9MB

MD5
2382f8fb2178cff1276f7416428efe5f

SHA1
91516f859638ee108e4c6edb9a2b9a4772e353fc

SHA256
3b0bfc76e77381bd51ad9646795ba7c7dc46d0f98d9e1f9f56ade8936539f168

SHA512
253d4ba57120fbcf9aa908c0aedcca230b4e092b144c008e92372fa61c4cb5f327a73d4d740dce8fb041205c4cef31a0758dba5f08fad0dfcd3f1b287a2e0f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\29d23f3a-9c58-4288-886b-131acb0bb0ad.vbs

Filesize
751B

MD5
490065993ea6d908ed5c7557fe4e8093

SHA1
912d4003bc8617fbb6cfdd73f2e3aa91f77d7ca9

SHA256
c072c73045819c733ef87588fe26f6758530c53947da2b3b4dd55b9ccc90628b

SHA512
721f9734344013d4efcfbdf6fc132fc7de4fc1c2d5772d354963e386ee7c08060706ae35dadd2f4e53e82eb0f20d65b5b2a41f86006822c72df57a7600716bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b6aa3a1-09a5-4277-b9c6-3d46d4b8f022.vbs

Filesize
750B

MD5
2652b8e2513a70394b7129a0a17ea9a9

SHA1
7b76f901b70e27496f77c67026a70e43e47416ef

SHA256
abacfce29f2a5c2fd40dd3d7913ecdd51ebb0714f51cfad31e9a167e80c271a9

SHA512
2041c3c5bab29728c717ca760c8a7527622d0dc7dfde17ecd8380d40893a003509d36327d5d5cab6391d37c5ae03426f599e1b89d2ab3f312666cbb88d6f97be

Download Submit
C:\Users\Admin\AppData\Local\Temp\437d54f9-aa29-4645-9277-4afb4ed98c0b.vbs

Filesize
751B

MD5
2e7dbe16bfaafed08f464dc882984658

SHA1
f97aa7e9ca3fbccc298449e0fe13948382ca0cb3

SHA256
c765930b90570f3807f4523659859cc19a96ebd526b44a8d81a0ccc3764c9cd5

SHA512
41fa11e141eeb0a9e28e3ae6e381128627bfcf8644155f63be93e96ef007421486c035aeb51fae1afbe991e8118f710d8285c9d83595fc4e10a6a78593a22a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\44e87d97-29b8-41df-8fbd-cfc6bdca3409.vbs

Filesize
750B

MD5
e904421a49c007ccb35777155b43e372

SHA1
0f174f0ca57edcf59735c4a840a633bb2b55f137

SHA256
8b6871ea2ae62d08901ca13a4cbcf40bbe1f492d51949f60f10de1cf5436b5c9

SHA512
b67008cb3aefc2165bc9c91656a398533b23c896bafcefc32c9b9f05a82835dec0e13bf6cda14022b885e72c9474e840d3d1b95887b792b79f22613719afb733

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dfed9d6-7f0c-4fbf-83f3-8964278c44d1.vbs

Filesize
751B

MD5
166d19239d61ce174ed7425ff0b23c75

SHA1
a37fdf284bc5f474682d9d4830480305f25f67b8

SHA256
d3c7b89867735e2570c69c0dcefd553fbae8dd3150e63c895907890e0b14511f

SHA512
92240665538dcebbcfde2685949c0e15e73a2c0b16f8befec0f529b6486653a11f85f0929177199a31e79b380ebddfee4feb7cca284584ff200a3a3ffac3c64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\61fc45d9-8c3e-43ac-bbe7-51f3c546d97e.vbs

Filesize
527B

MD5
b64310aec6b2d6d95712e21ae2cf2851

SHA1
42e89dd5f377d95329fc486a6a34b82f51cd499a

SHA256
e1cb6ee186e3c406853945ed88a057ba0097a57f8c472b8f7edfadd59d245e71

SHA512
ed6010ac887ee76fedc523bf60c8017428356904b827e1e710ce82a592057bbc51cfff473a872edc0f938202515c3f242d642fc5a1141448dc468b89775261f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f2dd7d5-f865-4c01-8126-faa22a83fba3.vbs

Filesize
751B

MD5
9dd671c2977d87a408ba9dbacf2dbe7e

SHA1
8998aa70a900eae143a790261b66c4fef0852eae

SHA256
e1b2249d005c5b0f2cfb5c88a324cf921627a5fe25e54f11b1c73d54fc2142e3

SHA512
d7f3b57b7f61ec0c4d213ab7571017fe7c7b33e5670a6ce95312a85f01bf93abb0f2367d3b01f068221f021c29512c08b9116facd524ed1348b87a98ddf1b3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad93c40d-e261-467f-b9ba-2a9729fad68a.vbs

Filesize
751B

MD5
7f1de6c081abe6f0834bf0981f90797d

SHA1
0c7ee5873d43fa28e83c2a753ee67b19b212ad6c

SHA256
9793aa768d61a2443051b4dea621c9120c2725c5444d4cf29b8cdba61caa975c

SHA512
cad61c781d942f38b47b9d9bc8d13382834254712132c31509827ee00d81327246fa044e10835998c82e6e04f6e9e80b01886b35f870ab41ea4b125e679e1381

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfaa23e0-3380-4b1f-a254-af2384269a5f.vbs

Filesize
751B

MD5
9c712f1190e58716a5577f9e150a1fe5

SHA1
bcdb82649c18c091879f159352950e9ce133191b

SHA256
4aa8420659f7547a737b7c37d4c18148c2b15f86e2a8adb644fed85a4a666204

SHA512
93f738e98e7ee4e0c17c05c104e4aed29c03e83e9ec6795011ff57b18183429b527bbbdc68bbacc227b3e43291735d9f5cd95b8a480bbcfca8d911ac85d1b862

Download Submit
C:\Users\Admin\AppData\Local\Temp\d888c5eb-accf-4a37-a17a-2ddf9df1bf6b.vbs

Filesize
751B

MD5
48e995a86d72e366674fff28fdc7ad51

SHA1
03cfefd7f3350809c6d9dc0a8a03a706b3d373dd

SHA256
8f6299e96e221e6594025e7c1ca9aeced9627d4ddca82ea29f3206fb118537b9

SHA512
c634775511e2b6da0adb1517e83df6ce1584cda876a1af4086d3ea4a05a0ba006296bd1d5551118c5dbe6ef335626ab0797cb59dd2d2296f22361f2e160aeea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\faf4e194-07ee-4795-aa19-faf2505617c9.vbs

Filesize
751B

MD5
79025965361b447e213a60a46ce29dc9

SHA1
a66f3215b102979af3253a5c02a6097f295f26e5

SHA256
b2564e99cb32dcdc33bf6916cd6e5c91d607b2f33c8b3f2e1faf29276e2a87aa

SHA512
93c7e7fcec95fb7bc251a7a4347025a1a01b63a6fcdf44dd589d0e8e8a45070fe14a1482c321db8affdbd46f867696082730afd367e27f9584df07a2c6fd1e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe1a7d70-73bd-4c5d-a6fb-423a2bb09b62.vbs

Filesize
751B

MD5
181bdc2cf01c8772623573ccec330d9c

SHA1
c8022a99361d69c325d6d16c172352ddd760b265

SHA256
28ba0ce26b7a146a5c83d380409d145b6fc0c29b3250d46d3296515147aaeb67

SHA512
2f41eadd84c581e0460964fd182ea631a2073ca67c9707df097dfbe5ddc66d4c76b036153bd6a6fc9b234fa65d35cce32c8fded675841dd2712644203c1a3f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC71.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9380377cb7ee3b0870e1e88eacf491eb

SHA1
d8532c2c202a55dc610fdb4a55300294c56a2c84

SHA256
c93f6944a1e8566541636cb1b62e492d1bf1c837bfed1e610325fdf4b17dd630

SHA512
d628ed98bf688d7188c2abac534ba1dfc8afc8eb3b3456449290830323bee88f69bbeaa3de1704c7094571e74a7400e53acd8f07f8a6ad75336766f175f1ea99

Download Submit
memory/344-275-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/868-351-0x0000000000180000-0x0000000000674000-memory.dmp

Filesize
5.0MB

Download
memory/868-230-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/1264-336-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/1520-15-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1520-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1520-1-0x0000000000C60000-0x0000000001154000-memory.dmp

Filesize
5.0MB

Download
memory/1520-181-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-9-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/1520-7-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/1520-14-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/1520-13-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/1520-10-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/1520-4-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/1520-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/1520-6-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1520-8-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/1520-2-0x000000001B100000-0x000000001B22E000-memory.dmp

Filesize
1.2MB

Download
memory/1520-5-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1520-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-12-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/1520-11-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/1620-215-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/1664-305-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/1664-306-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2112-126-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2112-127-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2176-180-0x0000000000D60000-0x0000000001254000-memory.dmp

Filesize
5.0MB

Download
memory/2192-290-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/2244-321-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/2404-260-0x00000000000F0000-0x00000000005E4000-memory.dmp

Filesize
5.0MB

Download
memory/2780-245-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/2840-200-0x0000000000EB0000-0x00000000013A4000-memory.dmp

Filesize
5.0MB

Download