dcrat | bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Size

4.9MB
MD5

1c49870cb9f2c55b6b22bd847a95cedb
SHA1

6fb3c646d41e94d57f4f0d01d853c090589514da
SHA256

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922
SHA512

969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8e:+

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2320	schtasks.exe

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1920-3-0x000000001BCF0000-0x000000001BE1E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2592	powershell.exe
2852	powershell.exe
1848	powershell.exe
2712	powershell.exe
1724	powershell.exe
1892	powershell.exe
2584	powershell.exe
2888	powershell.exe
2028	powershell.exe
2764	powershell.exe
2324	powershell.exe
1884	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

pid	process
1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
624	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1860	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3024	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1064	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2016	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2540	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2616	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Drops file in Program Files directory 16 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\de-DE\taskhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Uninstall Information\b75386f1303e64	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\sppsvc.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Mail\de-DE\b75386f1303e64	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Google\CrashReports\0a1fd5f707cd16	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\taskhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXFCE5.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Google\CrashReports\sppsvc.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Uninstall Information\taskhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXF66D.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\1610b97d3ab4a7	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Uninstall Information\taskhost.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXEBCE.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXF246.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Drops file in Windows directory 2 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	process
File created	C:\Windows\winsxs\WmiPrvSE.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\CSC\v2.0.6\System.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2584	schtasks.exe
2280	schtasks.exe
1924	schtasks.exe
1720	schtasks.exe
2548	schtasks.exe
2812	schtasks.exe
1696	schtasks.exe
348	schtasks.exe
1804	schtasks.exe
1096	schtasks.exe
2176	schtasks.exe
352	schtasks.exe
2816	schtasks.exe
2612	schtasks.exe
2588	schtasks.exe
2044	schtasks.exe
1684	schtasks.exe
2008	schtasks.exe
2408	schtasks.exe
2248	schtasks.exe
2780	schtasks.exe
2880	schtasks.exe
1936	schtasks.exe
2832	schtasks.exe
2800	schtasks.exe
2776	schtasks.exe
2772	schtasks.exe
2172	schtasks.exe
236	schtasks.exe
1976	schtasks.exe
1868	schtasks.exe
2204	schtasks.exe
2132	schtasks.exe
2976	schtasks.exe
944	schtasks.exe
1708	schtasks.exe
2116	schtasks.exe
284	schtasks.exe
1960	schtasks.exe
1796	schtasks.exe
2432	schtasks.exe
2712	schtasks.exe
2012	schtasks.exe
2960	schtasks.exe
3000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exepowershell.exepowershell.exepowershell.exepowershell.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

pid	process
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2764	powershell.exe
2028	powershell.exe
2592	powershell.exe
1884	powershell.exe
2712	powershell.exe
2852	powershell.exe
1892	powershell.exe
2584	powershell.exe
1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1848	powershell.exe
2888	powershell.exe
1724	powershell.exe
2324	powershell.exe
1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
624	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1860	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3024	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1064	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2016	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2540	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2616	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	624	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1860	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	3024	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1064	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2016	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2540	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2616	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exe

description	pid	process	target process
PID 1920 wrote to memory of 2592	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2592	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2592	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2028	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2028	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2028	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2764	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2764	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2764	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2324	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2324	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2324	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2888	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2888	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2888	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2584	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2584	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2584	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1884	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1884	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1884	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1892	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1892	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1892	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2852	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2852	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2852	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1724	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1724	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1724	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1848	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1848	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1848	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2712	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2712	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 2712	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	powershell.exe
PID 1920 wrote to memory of 1040	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 1920 wrote to memory of 1040	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 1920 wrote to memory of 1040	1920	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 1040 wrote to memory of 2580	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1040 wrote to memory of 2580	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1040 wrote to memory of 2580	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1040 wrote to memory of 1900	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1040 wrote to memory of 1900	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1040 wrote to memory of 1900	1040	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 2580 wrote to memory of 1684	2580	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 2580 wrote to memory of 1684	2580	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 2580 wrote to memory of 1684	2580	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 1684 wrote to memory of 2004	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1684 wrote to memory of 2004	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1684 wrote to memory of 2004	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1684 wrote to memory of 2260	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1684 wrote to memory of 2260	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1684 wrote to memory of 2260	1684	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 2004 wrote to memory of 3060	2004	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 2004 wrote to memory of 3060	2004	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 2004 wrote to memory of 3060	2004	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
PID 3060 wrote to memory of 1572	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 3060 wrote to memory of 1572	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 3060 wrote to memory of 1572	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 3060 wrote to memory of 1580	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 3060 wrote to memory of 1580	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 3060 wrote to memory of 1580	3060	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	WScript.exe
PID 1572 wrote to memory of 624	1572	WScript.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
"C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50372b4-a578-4800-8ad5-057907911c3e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1684
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a0c804c-2f27-45b6-bd5c-2cb363735272.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fa5b34-53d2-4f15-90fb-dc1ec8cd615f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8bc7d1d-190c-4ee1-ba1f-4b62bb352532.vbs"
        9⤵
        
        PID:2672
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5fd2fc6-6e4d-4b2b-a033-0ebf9c558bac.vbs"
        11⤵
        
        PID:2500
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eca60a39-8a5c-49ef-8f8c-2ec68c2871f5.vbs"
        13⤵
        
        PID:2176
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23c9307c-c6db-43aa-8e8e-1905f24e593e.vbs"
        15⤵
        
        PID:2480
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7347e63b-90e9-4603-949c-651c0df42301.vbs"
        17⤵
        
        PID:2640
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c92a0356-ab16-4b79-9271-57cf9308402a.vbs"
        19⤵
        
        PID:2472
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc285458-1a8d-46d1-a7dd-7cf0c77f4a97.vbs"
        21⤵
        
        PID:2244
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\061c7506-69be-467c-b190-eec9adfa8eed.vbs"
        23⤵
        
        PID:2020
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a10889-8b62-4d2a-8870-8e88c04475dd.vbs"
        25⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cf886ef-3495-46ac-b593-14f29635fd54.vbs"
        25⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5436b239-fa3a-4c1c-995b-403b249c54fd.vbs"
        23⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9861a1a-a0b9-4921-8313-fd9a1ad4f768.vbs"
        21⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46695095-2376-4531-b12a-0d6448ca84d6.vbs"
        19⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb28ccf6-f776-4dc2-bab5-9aecfba195df.vbs"
        17⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5533c1ad-b49d-4ef2-a275-5cfa8b127fcd.vbs"
        15⤵
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107923b2-6613-4b8c-9362-bfe68d0a2428.vbs"
        13⤵
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\165f36f8-fd85-4e7c-806e-950210622520.vbs"
        11⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d45df9a-3960-4638-accd-5e94d60529ab.vbs"
        9⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4088b6a7-3ce2-496a-b9a8-a98e909bf662.vbs"
        7⤵
        
        PID:1580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\346f0352-7a97-4ac5-b2be-ab080561372c.vbs"
        5⤵
        
        PID:2260
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5d62eb4-67cb-47d8-97fa-9a1b9ca9a29d.vbs"
    3⤵
    PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXF44A.tmp

Filesize
4.9MB

MD5
094ba2a85d469f94910b825c756a4776

SHA1
871893c5d7cfd45910441c5f129b71cf74436c6f

SHA256
05f6ebee1c55efee37a10aa4bbf9cb7f470c81f5fd1f26ba573b930bb4eafa9b

SHA512
a2f02cfa7aa936d73234507e3ce7292aec983bf6d837ac11ebda15639c6cef09929209a2d49b27ed1b3fa9bb95aecab7bcba6f4f26999a5f1f16dee204545c46

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe

Filesize
4.9MB

MD5
32d0e843c7281e899a2ae55eb5c819bd

SHA1
2a4f7471dd692ce121b8ee4f7f825ede629d93b4

SHA256
7f6977c6d4007b705ccb61c823906adf0d62f9ce4ba70a7d1eca629e52fb7e52

SHA512
12fb48ee55c532d0738a6a6aa37670ae407b99df9875027b323e6944b34623fe44e90429fd0e80e24149f082eb6f91c7513de335429216cf04337fa479cab334

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Filesize
4.9MB

MD5
1c49870cb9f2c55b6b22bd847a95cedb

SHA1
6fb3c646d41e94d57f4f0d01d853c090589514da

SHA256
bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

SHA512
969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452

Download Submit
C:\Users\Admin\AppData\Local\Temp\061c7506-69be-467c-b190-eec9adfa8eed.vbs

Filesize
807B

MD5
0b13c4f4bbfee716c449c8caaf7b39c6

SHA1
b0f0a280b7f2b9f2130206e7228a0c5d6a515d1f

SHA256
5b05192e0b406ab20a0de8961db237372225451d9971a42e11cbc09260126c62

SHA512
50980fa0baa6bec7aef55704d3289b4ee6dd9819de324c0056e4b4e817b0eb9fa42ea88c496b7117f68b6bd56fa23c1844788153760301e04195602f507fd1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\23c9307c-c6db-43aa-8e8e-1905f24e593e.vbs

Filesize
807B

MD5
229dfd9832edb296f95a6cf27230de60

SHA1
b78bc0f1614cb5089e7ee67964712ed7b31b0f1e

SHA256
1242eaa932abc46f684a5946a562ff1aac3c2b824c00b1d645d3497b73b95f24

SHA512
724e82d761ce61a9abb4cca062ec67b2cd832fc44d12eb2e4e53f5838e6ba2bb417ce3d4f4d5c5ddd66b50f6dbac1b3d90c7e2e2fa6731c0c0e9463c86068ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a0c804c-2f27-45b6-bd5c-2cb363735272.vbs

Filesize
807B

MD5
1b6db1fd4ce7b69200503fd26b5818c8

SHA1
28b59588d2fc176661890546f7dc918e55dba631

SHA256
7ea3634872083de98d87e1e84a3ae0ae9d02b73f84f90ef2409e2ce6cab4aaa6

SHA512
18625a6795e49afbab0e9065c515ed6de2ce0952338b12269f52fd25407348bef486ee50909092837f0cebf9ec2f551ee4fbf5afc8596f74b9666a060798b74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7347e63b-90e9-4603-949c-651c0df42301.vbs

Filesize
807B

MD5
449e14b3e11bd37b9295b5b69479a209

SHA1
174016acb29384bbec8b02be696fe2f67e240e36

SHA256
5c6e8854d9245517e7311f5da2f401405d33aa7bb7a983dbb7c61d0a9bc64c9e

SHA512
0cc83c9aa663398563bc4261a1316eeb1fa42cc02011664b25b004476bcdd23d320d52d222315d5eb975345ebed006b9a8de3f391b3c071cdd84ec003315b170

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5d62eb4-67cb-47d8-97fa-9a1b9ca9a29d.vbs

Filesize
583B

MD5
2f535996ba9039537034cfd71ca7ed77

SHA1
d9ffed571c1e1ceddec2e0019e8584d0b4715091

SHA256
dd943b38b6f1ae704ddefad512ebef8cd8259cc0ac7e62d7251a564f24f0c7c8

SHA512
b62ded41e0734728fd8ce5ef029e6fc83332f8042ab11887377151e129b7ee42303e4adc5d709eeab28fcb263eade4ef17a61db8cb08cc622317ddba1bee6d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\c50372b4-a578-4800-8ad5-057907911c3e.vbs

Filesize
807B

MD5
a5d936601f680fd4966372f27d5c3cfb

SHA1
39c22bc575522c4397187a72f33521a21a36eb15

SHA256
21650c4f65bb9cb9643043a58828dc726d32a02a2d1d97dbafbf7c6ab89f8c90

SHA512
91d794523c349499754721a73011f8779c0e3104cfd2d71efc3ee7bb3c250740b9f8226d34be1d83744c3a6895902e3a8541a15f897b9b87b39323a5bfbea53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8bc7d1d-190c-4ee1-ba1f-4b62bb352532.vbs

Filesize
806B

MD5
887c0c985ed16ae1c4d1151da52a0eb9

SHA1
257ba7a77e7b863237115e1c4374539becd2b851

SHA256
c6d2c39ea42d065aaf3fb74c742074ec1a8689725bbfe12000d388505a77f484

SHA512
e168518eb89a40d47d481e05e9be9a7e00104431eb253f8b265b5c408947b4fad2f820d7bd2f1621b8feaf440efdf2a6b2025f7d61664c64ffab2a157a0be9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\c92a0356-ab16-4b79-9271-57cf9308402a.vbs

Filesize
807B

MD5
e64846bd84d62d08f059e004bd4acbc1

SHA1
9e49379e8727d9dbe127283ba3648813173b40b8

SHA256
78e8d1acb8c05eda560ea096c0aaeb44d22998c4e2b241fc55fcd6456298a646

SHA512
dcf70cf7a832b02d65b898bb9a9eb9fb40d1f2d9b70b5550b6020b96355785610cef60111edd532b0cbb78e657bdf71840a4ea028df44bbb0dd800bfe7cae4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc285458-1a8d-46d1-a7dd-7cf0c77f4a97.vbs

Filesize
807B

MD5
c930726294fd427d8cd5749a11775ca0

SHA1
3c7e578298a76c76ae2e41b6152f19b503919f55

SHA256
45f8eb487c547309364a6e0a4739424705aef410182550b54aa39280386262a7

SHA512
17cab468dbf04a29633948ddd4c5dc2565bee1a55c96076d6d2a49ac1360e2a9196c798908cfed2818d4551413a0b810b7d4d065745052982e046bdb5c7d2aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0fa5b34-53d2-4f15-90fb-dc1ec8cd615f.vbs

Filesize
807B

MD5
853feef5229061da14814f88fc848734

SHA1
3abe589656bf1b973876cd2885db0ac532b2aa4b

SHA256
5790965a2da2fa2b3a1b455dc47a727db5a6ea344444e0c120df77d9000f2280

SHA512
489733decb09c2c6414d64055ce2926b97bb72c9d0d9663a328446fd2929d37a4898f5f2a78f2ee30551f509d71b990e572df08fe2a4722f371118ce86774302

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3a10889-8b62-4d2a-8870-8e88c04475dd.vbs

Filesize
807B

MD5
df967ce087a1d29a1f954f3aadc4350e

SHA1
ff2623cdec9c8aa57faca16d1dcb9beb9e1d1add

SHA256
4382f258a9ec3a3ae3c87418fba8041a70ef1445e3204991fcdf1b022e3aaf03

SHA512
0196ddfa0309c1cd18b1fb063e7eed6835baf4a80a86b85fb11f357175de6d0430bbc36fe5cc12c5b105fa3bb1e78b44748f9b8f8d72516debae5d715de4c442

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5fd2fc6-6e4d-4b2b-a033-0ebf9c558bac.vbs

Filesize
807B

MD5
1a70cc0bf643198e85f737b700dcdf2c

SHA1
c7f6483c40a39c25cbdd7ea1f84b19839ee48266

SHA256
b3114f8ec59d75c7bbcbd630e37f13b604f9c20425f722b9518821e43ad63503

SHA512
d796957a4e5cf4e54624a39fc45fb7c8d436ac903e8034d269ddb704fabb7d7976ddeec63d14e58caf50f02655db63e272cc0a70d910c6d727b9fbf29cf66952

Download Submit
C:\Users\Admin\AppData\Local\Temp\eca60a39-8a5c-49ef-8f8c-2ec68c2871f5.vbs

Filesize
807B

MD5
68baf3e0c9b388d924b964bde0a21e4f

SHA1
c9ad2291889ba63886a634bf8867d4a58b779085

SHA256
bd91b22e59fbc9416b2bf824f663979d9f646cfd0197964c602ec800ab57fb84

SHA512
80d04eeae2c4e4acaf8755464658f0d5e3407e7c686db71679cc1c53f615fb13bbb0b13fd7161a685e6d7c0ada66dfa24f139a4850f2e7cc6f728eef64b21a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp117E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
09139de3fb61563358a30e220f299e52

SHA1
f16e5d21118f332fdf88b05f8676fe764b36c6dc

SHA256
c3c5ceb049a73bb326d6b2405301a4ad49bc243ed1a15a29f6043df66d005cce

SHA512
71e8ff2e1f7601be220794908c14cd929fe2c3b80adcaf97c5f3628e39a16461750df002ddd72011093371029d8153d8ba9135716b1c3e8d8d55ba84814138c7

Download Submit
memory/1040-219-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/1040-165-0x0000000000C00000-0x00000000010F4000-memory.dmp

Filesize
5.0MB

Download
memory/1148-337-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/1684-233-0x0000000001180000-0x0000000001674000-memory.dmp

Filesize
5.0MB

Download
memory/1860-292-0x0000000000830000-0x0000000000D24000-memory.dmp

Filesize
5.0MB

Download
memory/1860-293-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/1920-12-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1920-11-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1920-189-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-1-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/1920-150-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-140-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/1920-16-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1920-15-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/1920-14-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/1920-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-13-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1920-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/1920-3-0x000000001BCF0000-0x000000001BE1E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1920-10-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1920-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1920-8-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1920-5-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1920-7-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/1920-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2028-173-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2060-277-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/2540-366-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2616-381-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/2764-166-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/3024-308-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/3060-248-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download