dcrat | cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96

Analysis

max time kernel
117s
max time network
110s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Size

4.9MB
MD5

f605296b4b314f194d7c23f29eb9cd90
SHA1

0c8838372279256fa34fab408e4d0727464f7cfb
SHA256

cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96
SHA512

c63eeb73bc4d4b19d63a4376c8bca1b58aea98578cb619b3f96270ea0dda70f620dce45269a0b4b2a455c362dbf0047e18662d9c65f9f2ac0c8a1a8e57977f1e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2132	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2132	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2420-3-0x000000001B4D0000-0x000000001B5FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1124	powershell.exe
2176	powershell.exe
1816	powershell.exe
832	powershell.exe
1800	powershell.exe
2796	powershell.exe
1956	powershell.exe
852	powershell.exe
652	powershell.exe
1776	powershell.exe
2956	powershell.exe
3032	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2008	audiodg.exe
1556	audiodg.exe
2756	audiodg.exe
2372	audiodg.exe
1128	audiodg.exe
3024	audiodg.exe
2892	audiodg.exe
2052	audiodg.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCXBECE.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCXDF39.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\System.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXC4DA.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXD72A.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\886983d96e3d3e	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\f3b6ecef712a24	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\Windows Media Player\en-US\System.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\csrss.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Internet Explorer\dwm.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\csrss.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXE1BA.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\Windows Mail\en-US\24dbde2999530e	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXDD35.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\dwm.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\Windows Media Player\en-US\27d1bcfc3c54e0	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RCXD044.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RCXCB62.tmp	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File opened for modification	C:\Windows\addins\taskhost.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Windows\addins\taskhost.exe	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
File created	C:\Windows\addins\b75386f1303e64	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
304	schtasks.exe
1948	schtasks.exe
800	schtasks.exe
2772	schtasks.exe
1556	schtasks.exe
888	schtasks.exe
2988	schtasks.exe
2564	schtasks.exe
492	schtasks.exe
2512	schtasks.exe
2200	schtasks.exe
1892	schtasks.exe
2492	schtasks.exe
2860	schtasks.exe
1284	schtasks.exe
2872	schtasks.exe
764	schtasks.exe
1972	schtasks.exe
1168	schtasks.exe
896	schtasks.exe
2844	schtasks.exe
1832	schtasks.exe
1668	schtasks.exe
316	schtasks.exe
3052	schtasks.exe
3032	schtasks.exe
2804	schtasks.exe
2284	schtasks.exe
2684	schtasks.exe
852	schtasks.exe
1608	schtasks.exe
2800	schtasks.exe
1812	schtasks.exe
940	schtasks.exe
760	schtasks.exe
2360	schtasks.exe
1724	schtasks.exe
2460	schtasks.exe
2496	schtasks.exe
2268	schtasks.exe
3064	schtasks.exe
2940	schtasks.exe
1384	schtasks.exe
2600	schtasks.exe
1512	schtasks.exe
1836	schtasks.exe
1552	schtasks.exe
2720	schtasks.exe
2292	schtasks.exe
2272	schtasks.exe
2924	schtasks.exe
1900	schtasks.exe
1800	schtasks.exe
1152	schtasks.exe
2732	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
1124	powershell.exe
2176	powershell.exe
1800	powershell.exe
2956	powershell.exe
652	powershell.exe
1956	powershell.exe
2796	powershell.exe
852	powershell.exe
3032	powershell.exe
1816	powershell.exe
1776	powershell.exe
832	powershell.exe
2008	audiodg.exe
1556	audiodg.exe
2756	audiodg.exe
2372	audiodg.exe
1128	audiodg.exe
3024	audiodg.exe
2892	audiodg.exe
2052	audiodg.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2008	audiodg.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1556	audiodg.exe
Token: SeDebugPrivilege	2756	audiodg.exe
Token: SeDebugPrivilege	2372	audiodg.exe
Token: SeDebugPrivilege	1128	audiodg.exe
Token: SeDebugPrivilege	3024	audiodg.exe
Token: SeDebugPrivilege	2892	audiodg.exe
Token: SeDebugPrivilege	2052	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1124	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	89
PID 2420 wrote to memory of 1124	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	89
PID 2420 wrote to memory of 1124	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	89
PID 2420 wrote to memory of 852	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	90
PID 2420 wrote to memory of 852	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	90
PID 2420 wrote to memory of 852	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	90
PID 2420 wrote to memory of 2176	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	91
PID 2420 wrote to memory of 2176	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	91
PID 2420 wrote to memory of 2176	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	91
PID 2420 wrote to memory of 1816	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	92
PID 2420 wrote to memory of 1816	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	92
PID 2420 wrote to memory of 1816	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	92
PID 2420 wrote to memory of 652	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	93
PID 2420 wrote to memory of 652	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	93
PID 2420 wrote to memory of 652	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	93
PID 2420 wrote to memory of 832	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	94
PID 2420 wrote to memory of 832	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	94
PID 2420 wrote to memory of 832	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	94
PID 2420 wrote to memory of 1800	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	95
PID 2420 wrote to memory of 1800	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	95
PID 2420 wrote to memory of 1800	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	95
PID 2420 wrote to memory of 2796	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	96
PID 2420 wrote to memory of 2796	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	96
PID 2420 wrote to memory of 2796	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	96
PID 2420 wrote to memory of 1956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	97
PID 2420 wrote to memory of 1956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	97
PID 2420 wrote to memory of 1956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	97
PID 2420 wrote to memory of 1776	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	98
PID 2420 wrote to memory of 1776	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	98
PID 2420 wrote to memory of 1776	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	98
PID 2420 wrote to memory of 2956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	99
PID 2420 wrote to memory of 2956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	99
PID 2420 wrote to memory of 2956	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	99
PID 2420 wrote to memory of 3032	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	100
PID 2420 wrote to memory of 3032	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	100
PID 2420 wrote to memory of 3032	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	100
PID 2420 wrote to memory of 2008	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	107
PID 2420 wrote to memory of 2008	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	107
PID 2420 wrote to memory of 2008	2420	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe	107
PID 2008 wrote to memory of 1572	2008	audiodg.exe	114
PID 2008 wrote to memory of 1572	2008	audiodg.exe	114
PID 2008 wrote to memory of 1572	2008	audiodg.exe	114
PID 2008 wrote to memory of 2128	2008	audiodg.exe	115
PID 2008 wrote to memory of 2128	2008	audiodg.exe	115
PID 2008 wrote to memory of 2128	2008	audiodg.exe	115
PID 1572 wrote to memory of 1556	1572	WScript.exe	116
PID 1572 wrote to memory of 1556	1572	WScript.exe	116
PID 1572 wrote to memory of 1556	1572	WScript.exe	116
PID 1556 wrote to memory of 2044	1556	audiodg.exe	117
PID 1556 wrote to memory of 2044	1556	audiodg.exe	117
PID 1556 wrote to memory of 2044	1556	audiodg.exe	117
PID 1556 wrote to memory of 108	1556	audiodg.exe	118
PID 1556 wrote to memory of 108	1556	audiodg.exe	118
PID 1556 wrote to memory of 108	1556	audiodg.exe	118
PID 2044 wrote to memory of 2756	2044	WScript.exe	119
PID 2044 wrote to memory of 2756	2044	WScript.exe	119
PID 2044 wrote to memory of 2756	2044	WScript.exe	119
PID 2756 wrote to memory of 2440	2756	audiodg.exe	120
PID 2756 wrote to memory of 2440	2756	audiodg.exe	120
PID 2756 wrote to memory of 2440	2756	audiodg.exe	120
PID 2756 wrote to memory of 2772	2756	audiodg.exe	121
PID 2756 wrote to memory of 2772	2756	audiodg.exe	121
PID 2756 wrote to memory of 2772	2756	audiodg.exe	121
PID 2440 wrote to memory of 2372	2440	WScript.exe	122

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe
"C:\Users\Admin\AppData\Local\Temp\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Users\Public\audiodg.exe
  "C:\Users\Public\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e61ae190-f9bb-44db-900d-08a9d5ae3c22.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Public\audiodg.exe
      C:\Users\Public\audiodg.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fee91d8d-7820-46eb-bfd6-cf2425004de2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e68a2b5e-a854-4464-a15c-360bb61ca95a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4baf3ee5-df66-4f5f-870a-659ed0295771.vbs"
        9⤵
        
        PID:2444
        
        C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07951532-4b24-4ee9-b84e-8e4fb6f75497.vbs"
        11⤵
        
        PID:1580
        
        C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2501f49a-eb7f-4a03-90d9-7f8ffb5f0e82.vbs"
        13⤵
        
        PID:1740
        
        C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c81beb0-ec4a-4dba-b16e-2fd074865836.vbs"
        15⤵
        
        PID:1536
        
        C:\Users\Public\audiodg.exe
        
        C:\Users\Public\audiodg.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf7b61e-d6d0-4970-94c3-be442883be98.vbs"
        17⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b674234-bf65-4d67-98ad-9b6677e75714.vbs"
        17⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9396ded-f082-466e-a4c9-d91d030ec8e9.vbs"
        15⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b2c809-e97f-4637-98bb-8973193ca8b4.vbs"
        13⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bde1591-5745-489c-ac6c-c77dc51c32bd.vbs"
        11⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\319ff28c-0f26-4070-934e-d4f5d64e3597.vbs"
        9⤵
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f7cba2-401c-4128-8632-b99b75ba8432.vbs"
        7⤵
        
        PID:2772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1371324f-8638-4b7b-b353-8c56848cee5e.vbs"
        5⤵
        
        PID:108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17796b4e-b4d3-4617-889e-5ce4e610bcdf.vbs"
    3⤵
    PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\MSN Websites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96Nc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96Nc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96Nc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96Nc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96N.exe

Filesize
4.9MB

MD5
f605296b4b314f194d7c23f29eb9cd90

SHA1
0c8838372279256fa34fab408e4d0727464f7cfb

SHA256
cccfc00eebc8a50a2318d44d77dadc34cdf7db8b548783351b1e014d30d5ad96

SHA512
c63eeb73bc4d4b19d63a4376c8bca1b58aea98578cb619b3f96270ea0dda70f620dce45269a0b4b2a455c362dbf0047e18662d9c65f9f2ac0c8a1a8e57977f1e

Download Submit
C:\Program Files\Windows Mail\en-US\WmiPrvSE.exe

Filesize
4.9MB

MD5
2a8cc1f9471228fbf58d0993dd008dcc

SHA1
08b5cec8a82dc96ef427e6acda82b6d91d42012d

SHA256
f2cb0ddfd7249423205e714f598343401e8beff3c783dc7e9ca10ab48af52113

SHA512
52425425611d4af0c9b6d0833fd0e1131a97355c70742cb68a5d4975d39671d001a4bb007856b29490f2a1b31300fadf6a75b26e4c94bc309bfc4d6a77b08797

Download Submit
C:\Users\Admin\AppData\Local\Temp\07951532-4b24-4ee9-b84e-8e4fb6f75497.vbs

Filesize
703B

MD5
85e18bd737f71b86710fd970c46364b3

SHA1
4cc8e600bde8555c3dcbc0f97fda8d40a5a38de8

SHA256
7e9b03a3a9792627f1cf05c20335653f222e62b6f34c40c59b5b0d21bb01d0c7

SHA512
4464c39c4e69f7a90b2241f2a9ce048c2a934a8cdc99a197b7e19d1b8c115bf5b8ba2f4b5d5b7ab45fffba59bda65c66b88cbb910977539e87c005ef0ce62172

Download Submit
C:\Users\Admin\AppData\Local\Temp\17796b4e-b4d3-4617-889e-5ce4e610bcdf.vbs

Filesize
479B

MD5
d5acab146db4701b823f878cc077f833

SHA1
170598d63ea48b4112eefa410a202eced95edbdd

SHA256
8218a7a2204bca46c8cdffe60d5188a0f88e56903401a7d87ddbc739653ab2cf

SHA512
f9e88a0c0b97415c9046ce0bdb57f11655cdcb7586ba82f149a043706595e34b781e1b7b16cd25801f00b42cbc5e0d9c9132467041e7b98d5bbe3910d9eac1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2501f49a-eb7f-4a03-90d9-7f8ffb5f0e82.vbs

Filesize
703B

MD5
c52323b359dcc2970bd5e02d9ae9c797

SHA1
3bd12b6087b90dfa3e3325b9b825490f08110b5d

SHA256
d423892dc964d4d65365321f45d947072a26444077a872e4d1f5f27c99cede44

SHA512
72cbeaa663416c2ccc705ed506da0e5e744ee223b2cae64b123efaa276a9aa6a5e2c377e5f4e30931e5a1b1abdf48da235eab662406ab175f935eed787fa8999

Download Submit
C:\Users\Admin\AppData\Local\Temp\4baf3ee5-df66-4f5f-870a-659ed0295771.vbs

Filesize
703B

MD5
fe880aadd97dc6fae9e592484234e68d

SHA1
2e93c5bb0053b8a193bcf4f83e05a925b294eaca

SHA256
1c65e60750772dea6e535f20a6d086c617cdcb7cf3da95e3970931ffd7c3f077

SHA512
e0b1167b4022d4fb9ca6e6144121b260a178f80f0ce6d7a5204dea7eac45920c2aa1b443ee6b424c5d946db46ee41180a440ba62258a50803d6621855a3a9fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bf7b61e-d6d0-4970-94c3-be442883be98.vbs

Filesize
703B

MD5
ebba5d39f1e2c3cc82215173e7481c34

SHA1
2a7e106ede217624c9c751c69bed4c9dedb6dd06

SHA256
4ebd8830518140246632a561a11e00b202014cc96ce4de9a02916a016694165b

SHA512
0fda95224aa320e0ecdbd676d5be501a17775e23a37c4b6eb64a2dc936c7c3bc7bb5ad3311c6e562f8250772550380634e54dbc5263c1a648b23fc27f9a36e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c81beb0-ec4a-4dba-b16e-2fd074865836.vbs

Filesize
703B

MD5
b4cc3da6a5805c1479aef039bebf6d39

SHA1
e5e9db5ee49393292c541b78940558daa5e625e6

SHA256
8b45005287f8c715cc1c9a7c20945c3ea988084e0cdc286d134e0cf70f62cad5

SHA512
5f5380d422e90aa6e9b53fe82d26ecd869858a4e0c910b80e186cd5a52fd1ee2b703eacf7191de1eedfdcff877f2d491e174d3160fabfcfe09d4b135f2498254

Download Submit
C:\Users\Admin\AppData\Local\Temp\e61ae190-f9bb-44db-900d-08a9d5ae3c22.vbs

Filesize
703B

MD5
b128bf6ce8fdcba23c51ece6c5bebbde

SHA1
21ff62da13556449ebacdcbcc9a9b3b70294d76d

SHA256
eeea8df0273ef58db164022822c7ff13a6d5d867e4a89a69ca76305df588c5e6

SHA512
1dbeef9c45311e67c44756117a3f5ccc30d3e6165fa8f1ed231e6cf472575577bcf242c899886fbc2a08db4b8f6ff2091c6e01e790f9bb8e9fa27d1fd9529df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e68a2b5e-a854-4464-a15c-360bb61ca95a.vbs

Filesize
703B

MD5
c368a02650ae05e018f85893b7a0af02

SHA1
c2e4555ef5c8af61d0d89453a3b9dc8e8d27c37f

SHA256
6e07655b991c853102ca61f443a33bb94192a73239444bf4e22ea86aabee29da

SHA512
7b51d1364b3470a84b78169ce0acbbbf5518b21e5ef76283efc411ff921a5aeeba2d43f4cd668f84a59170f2af6ca31721e82856ed8376a7b423ca8362e7fc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\fee91d8d-7820-46eb-bfd6-cf2425004de2.vbs

Filesize
703B

MD5
e43f28eed98adabb2e646119d3361a85

SHA1
d04d86f3f7a68a9e0ce653b80d7748655397596f

SHA256
295d8f525709c5d47fd3c97b09bb9b01628de809edf7d7956d2cf7e098e8544a

SHA512
bb28583d9a519e652ea1403c1f03049e1f7229d315bd1ec4123a0493490db233c4e1293ab1b55fc735aef95bc56bd6baf8bff1f66450c6971af12868bcd2b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8B1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d1d20229ab5442eac2c6b7e7718dd4a4

SHA1
ed61e60a8b80e5443505d531e86eae57f8086bd3

SHA256
9041b301d5e30ee69c3cc45e3937b08b6b3d3848e8ad667ca9cae56a98265db4

SHA512
c24e0de92e6cb905153a7490c57228a9f1514d8119c5956228b088cb591f4dbce73cae948ca9cfb30fc7e5b38a911e640113f97b67c18b9b4eaa91747a8ea66b

Download Submit
memory/1128-315-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/1128-314-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/1556-269-0x0000000000970000-0x0000000000E64000-memory.dmp

Filesize
5.0MB

Download
memory/2008-192-0x0000000000800000-0x0000000000CF4000-memory.dmp

Filesize
5.0MB

Download
memory/2008-255-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2052-361-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/2052-360-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/2176-225-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2372-299-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download
memory/2420-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2420-7-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/2420-1-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download
memory/2420-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2420-193-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-13-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2420-12-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2420-11-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2420-10-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2420-9-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2420-139-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2420-15-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2420-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2420-8-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/2420-6-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2420-5-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2420-16-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2420-3-0x000000001B4D0000-0x000000001B5FE000-memory.dmp

Filesize
1.2MB

Download
memory/2420-154-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2756-284-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download
memory/2892-345-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2892-344-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download
memory/2956-224-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download