dcrat | 930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Size

4.9MB
MD5

5103a1bb4e59cbcc9d05cc7905681c9f
SHA1

2ef27ea1ad70d19c214586cf8f44a03853c6fdf1
SHA256

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246
SHA512

fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8s:U

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2820	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2500-3-0x000000001B550000-0x000000001B67E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2792	powershell.exe
2148	powershell.exe
2892	powershell.exe
808	powershell.exe
2832	powershell.exe
2504	powershell.exe
2760	powershell.exe
2216	powershell.exe
3008	powershell.exe
2676	powershell.exe
1880	powershell.exe
2764	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
744	taskhost.exe
2996	taskhost.exe
2636	taskhost.exe
448	taskhost.exe
1744	taskhost.exe
2980	taskhost.exe
2628	taskhost.exe
2668	taskhost.exe
2352	taskhost.exe
2224	taskhost.exe
2980	taskhost.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exetaskhost.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe

Drops file in Program Files directory 24 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\services.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\System.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXE54C.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\System.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\27d1bcfc3c54e0	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Mozilla Firefox\fonts\c5b4cb5e9653cc	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\taskhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXD52F.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXE954.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Journal\Templates\b75386f1303e64	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXEBC5.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Journal\Templates\taskhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\56085415360792	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXD32B.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXE349.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\services.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\886983d96e3d3e	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

Drops file in Windows directory 4 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

description	ioc	Process
File created	C:\Windows\Performance\Idle.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\Performance\Idle.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\Performance\6ccacd8608530f	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\Performance\RCXCEA6.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2764	schtasks.exe
2668	schtasks.exe
1064	schtasks.exe
2160	schtasks.exe
2088	schtasks.exe
1704	schtasks.exe
2852	schtasks.exe
2700	schtasks.exe
2952	schtasks.exe
2572	schtasks.exe
2180	schtasks.exe
2488	schtasks.exe
2036	schtasks.exe
1980	schtasks.exe
1904	schtasks.exe
1532	schtasks.exe
936	schtasks.exe
2732	schtasks.exe
2328	schtasks.exe
2540	schtasks.exe
2316	schtasks.exe
2556	schtasks.exe
2216	schtasks.exe
2908	schtasks.exe
748	schtasks.exe
1060	schtasks.exe
3068	schtasks.exe
2504	schtasks.exe
2628	schtasks.exe
2604	schtasks.exe
2968	schtasks.exe
2032	schtasks.exe
2396	schtasks.exe
1856	schtasks.exe
1640	schtasks.exe
796	schtasks.exe
376	schtasks.exe
2784	schtasks.exe
888	schtasks.exe
2884	schtasks.exe
2664	schtasks.exe
1864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

pid	Process
2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
2504	powershell.exe
2148	powershell.exe
2216	powershell.exe
2792	powershell.exe
2676	powershell.exe
2832	powershell.exe
1880	powershell.exe
2760	powershell.exe
3008	powershell.exe
2764	powershell.exe
2892	powershell.exe
808	powershell.exe
744	taskhost.exe
2996	taskhost.exe
2636	taskhost.exe
448	taskhost.exe
1744	taskhost.exe
2980	taskhost.exe
2628	taskhost.exe
2668	taskhost.exe
2352	taskhost.exe
2980	taskhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	744	taskhost.exe
Token: SeDebugPrivilege	2996	taskhost.exe
Token: SeDebugPrivilege	2636	taskhost.exe
Token: SeDebugPrivilege	448	taskhost.exe
Token: SeDebugPrivilege	1744	taskhost.exe
Token: SeDebugPrivilege	2980	taskhost.exe
Token: SeDebugPrivilege	2628	taskhost.exe
Token: SeDebugPrivilege	2668	taskhost.exe
Token: SeDebugPrivilege	2352	taskhost.exe
Token: SeDebugPrivilege	2980	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.execmd.exetaskhost.exeWScript.exetaskhost.exeWScript.exetaskhost.exe

description	pid	Process	procid_target
PID 2500 wrote to memory of 2792	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	74
PID 2500 wrote to memory of 2792	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	74
PID 2500 wrote to memory of 2792	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	74
PID 2500 wrote to memory of 2504	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	75
PID 2500 wrote to memory of 2504	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	75
PID 2500 wrote to memory of 2504	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	75
PID 2500 wrote to memory of 2760	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	77
PID 2500 wrote to memory of 2760	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	77
PID 2500 wrote to memory of 2760	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	77
PID 2500 wrote to memory of 2216	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	78
PID 2500 wrote to memory of 2216	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	78
PID 2500 wrote to memory of 2216	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	78
PID 2500 wrote to memory of 3008	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	79
PID 2500 wrote to memory of 3008	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	79
PID 2500 wrote to memory of 3008	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	79
PID 2500 wrote to memory of 2764	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	80
PID 2500 wrote to memory of 2764	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	80
PID 2500 wrote to memory of 2764	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	80
PID 2500 wrote to memory of 1880	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	81
PID 2500 wrote to memory of 1880	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	81
PID 2500 wrote to memory of 1880	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	81
PID 2500 wrote to memory of 2676	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	84
PID 2500 wrote to memory of 2676	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	84
PID 2500 wrote to memory of 2676	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	84
PID 2500 wrote to memory of 2832	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	85
PID 2500 wrote to memory of 2832	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	85
PID 2500 wrote to memory of 2832	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	85
PID 2500 wrote to memory of 808	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	87
PID 2500 wrote to memory of 808	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	87
PID 2500 wrote to memory of 808	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	87
PID 2500 wrote to memory of 2148	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	88
PID 2500 wrote to memory of 2148	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	88
PID 2500 wrote to memory of 2148	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	88
PID 2500 wrote to memory of 2892	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	89
PID 2500 wrote to memory of 2892	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	89
PID 2500 wrote to memory of 2892	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	89
PID 2500 wrote to memory of 1068	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	93
PID 2500 wrote to memory of 1068	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	93
PID 2500 wrote to memory of 1068	2500	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	93
PID 1068 wrote to memory of 1744	1068	cmd.exe	100
PID 1068 wrote to memory of 1744	1068	cmd.exe	100
PID 1068 wrote to memory of 1744	1068	cmd.exe	100
PID 1068 wrote to memory of 744	1068	cmd.exe	101
PID 1068 wrote to memory of 744	1068	cmd.exe	101
PID 1068 wrote to memory of 744	1068	cmd.exe	101
PID 744 wrote to memory of 264	744	taskhost.exe	102
PID 744 wrote to memory of 264	744	taskhost.exe	102
PID 744 wrote to memory of 264	744	taskhost.exe	102
PID 744 wrote to memory of 2736	744	taskhost.exe	103
PID 744 wrote to memory of 2736	744	taskhost.exe	103
PID 744 wrote to memory of 2736	744	taskhost.exe	103
PID 264 wrote to memory of 2996	264	WScript.exe	104
PID 264 wrote to memory of 2996	264	WScript.exe	104
PID 264 wrote to memory of 2996	264	WScript.exe	104
PID 2996 wrote to memory of 1892	2996	taskhost.exe	105
PID 2996 wrote to memory of 1892	2996	taskhost.exe	105
PID 2996 wrote to memory of 1892	2996	taskhost.exe	105
PID 2996 wrote to memory of 1904	2996	taskhost.exe	106
PID 2996 wrote to memory of 1904	2996	taskhost.exe	106
PID 2996 wrote to memory of 1904	2996	taskhost.exe	106
PID 1892 wrote to memory of 2636	1892	WScript.exe	107
PID 1892 wrote to memory of 2636	1892	WScript.exe	107
PID 1892 wrote to memory of 2636	1892	WScript.exe	107
PID 2636 wrote to memory of 2664	2636	taskhost.exe	108

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exetaskhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
"C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZ7ZHhiPOX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1744
- - C:\Program Files\Windows Journal\Templates\taskhost.exe
    "C:\Program Files\Windows Journal\Templates\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c15071f2-2553-4143-93ed-1cc06c3c9a4d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2996
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a59ff15-d4a8-4b6c-be18-62357791a181.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e21f904-2c72-498f-9a91-a8782f62a8f3.vbs"
        8⤵
        
        PID:2664
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9899cb40-f64f-44b1-9c95-b349664377a0.vbs"
        10⤵
        
        PID:2316
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41b01c39-9be9-4a89-83c2-4bd4e97b9862.vbs"
        12⤵
        
        PID:2560
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1318676-ea46-442c-87a3-b862b0ca759f.vbs"
        14⤵
        
        PID:1512
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d854631c-3c8c-48f4-8543-08a901dd8c10.vbs"
        16⤵
        
        PID:1992
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735c0725-e514-4baa-a3e7-e4e9e2fefdce.vbs"
        18⤵
        
        PID:3000
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72d4a45c-742e-4ca9-92c6-bc3d8802b41b.vbs"
        20⤵
        
        PID:1560
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc3e33c-d6ff-4ea9-83cf-3a96679ff28b.vbs"
        22⤵
        
        PID:952
        
        C:\Program Files\Windows Journal\Templates\taskhost.exe
        
        "C:\Program Files\Windows Journal\Templates\taskhost.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ad98863-b98c-43a7-9664-e74b183e9e98.vbs"
        24⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1195625-0e43-4805-bfc2-99bc6dcfcf78.vbs"
        24⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\086b9ecd-4898-48ac-8b78-80565dabfd34.vbs"
        22⤵
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f30f02-d8f5-4ed2-8a32-0fe04c81ead9.vbs"
        20⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f43d91-a010-476a-96ee-ce9e27425b46.vbs"
        18⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\044c2d56-2083-44de-aa1b-2eb64663692a.vbs"
        16⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b359fb2c-16cf-4bd0-a2dc-2626e72310ee.vbs"
        14⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edfcc716-1fd7-4f7f-ba61-74fb385c3d48.vbs"
        12⤵
        
        PID:492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\635eb727-5479-40b3-8184-256bed4d0848.vbs"
        10⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e275a96c-a3e1-40e8-bf0c-00b7d377e029.vbs"
        8⤵
        
        PID:1264
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e21e18a4-a39a-4761-b8b1-3b5292df0e59.vbs"
        6⤵
        
        PID:1904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90bf8dd7-a95f-463c-8913-750e3939176d.vbs"
      4⤵
      PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Performance\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe

Filesize
4.9MB

MD5
ed5e88ecf93ceebb84be4898501c018a

SHA1
cb5e7aad9a43b81740bf4b6109fe835b6031bf82

SHA256
29c33ad8775da375a14526af42fee1edbcc3bc810160ba9d83b95d5442d70ee6

SHA512
06a7c72143248788a7b5e9674d20fe4d90c8aea7c90b407251dae3e28932eb16d813693a0c5e3f75da28ba57b0bc5fc3497c2128bc7132be5f539adf3d36a6b1

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe

Filesize
4.9MB

MD5
5103a1bb4e59cbcc9d05cc7905681c9f

SHA1
2ef27ea1ad70d19c214586cf8f44a03853c6fdf1

SHA256
930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246

SHA512
fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a59ff15-d4a8-4b6c-be18-62357791a181.vbs

Filesize
731B

MD5
b058496f1d1e3e198b12994f47afa7c8

SHA1
9d1a4dcfa33a3b8ee5023629f6560fd4178e746d

SHA256
1db7ecf3e6d0b601ba02c274a3ee2961928a7fdcb9ffa3fa27f0041a4fd74a15

SHA512
7a4b1f87b9773f977a2996ce869948caedacaf8fb470f1cc63ba34c55ff52c9a357ead3ff2cdf5140269f4fc2d40597fc6e307b89f53998dfb32a6ee3ca15aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\41b01c39-9be9-4a89-83c2-4bd4e97b9862.vbs

Filesize
731B

MD5
dafbc8ddaee1b5bd5d78c354a4ae8041

SHA1
c5d12d8973b359a6153052c3cf982dfd1b852901

SHA256
6eae8977ae60de0bc03cc6fa3444fe00bacfa0508787a7ddf1d5a9e36875c169

SHA512
abc140d822bc5ee230e85907cf3201d087cc03d8560b20048a771b79cb2055201d15460ab946d53529850d3325619ae96f36cb6c93e6fd1a99e28579e8a4385c

Download Submit
C:\Users\Admin\AppData\Local\Temp\72d4a45c-742e-4ca9-92c6-bc3d8802b41b.vbs

Filesize
731B

MD5
7670944fc73a2bf2bfb75acebf7bf9af

SHA1
f9df8691885fe32c61356cc49cf75f4bb956fd31

SHA256
3b0e8164c5b73138038796bd13e128a802c0503a3321bc2164a35f3acab5f519

SHA512
412c0f18f831abba6366e5d666b93a639999de2a5d71ca838d2a731408d8db64de4aa277aa8744e5e245615c7a283859acb01471fc16cb8b13e6ca9f0fefc838

Download Submit
C:\Users\Admin\AppData\Local\Temp\735c0725-e514-4baa-a3e7-e4e9e2fefdce.vbs

Filesize
731B

MD5
7a98964aa324dd8772f02ad8e73852ce

SHA1
fd43bb3c7331c497cd7ebb829d1922693e84329d

SHA256
b5cba2b11d0b6b77e07247e54064b89cd2d6e95f91d10c039e26d02a73437468

SHA512
321a86772a04a9d7e91cc1f8eadfb95f91c3d2e1ca3c611b3d60bba06a24da4482192435a348830ba5643feeab52806b461b8e779c19101e9b1f58f63f91995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e21f904-2c72-498f-9a91-a8782f62a8f3.vbs

Filesize
731B

MD5
c18da4a2556de291398274ef01aa459a

SHA1
18b461ca376f8e52451157fa02d2d428bc5e1a55

SHA256
43e3abd87061c579b4cb75d6ce34db23209bfa715eec77d8fb2a147a5ca75e26

SHA512
8e5a01bebee54f14a15c538d091337e6c8669e66ba8e49d37fc4347b97f2958904b1d1644a5067a8df0a33fbb67377ebe560992138c5595a8651fa11fc1e83f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\90bf8dd7-a95f-463c-8913-750e3939176d.vbs

Filesize
507B

MD5
8fd9f096f62a4df68b78930275ca7cc8

SHA1
352e2acdc83af3c98428c335aa20b7d3c9e2af60

SHA256
a589f682dbb157d40fc8688c35ced58207f84ac09319a816029e881f9c2d9cc3

SHA512
98a8b9430692e7c1fc5969c1d3ad33c8115037f0c5bc18013933888d8c310837bfc9c1973d4efe6c4186bf24b98dd4363faf17105742e72701b86f2e5a4afad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9899cb40-f64f-44b1-9c95-b349664377a0.vbs

Filesize
730B

MD5
875295ba37d78eacf14e7694ea7e3852

SHA1
c8ca7d4e3578900aff1a2ff730843589ab228e3c

SHA256
2cbcd71641cee2ad8896651590993bb06610a42c53369471369b52fecbbf1813

SHA512
50aa8ee6d1b81151b0fb67d96321608ed3f90bb0aaeacd6de727cc67fc8a0f9009effcf703aee030a51dc8e96437a22877d0219baf553533166c575fd405161f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c15071f2-2553-4143-93ed-1cc06c3c9a4d.vbs

Filesize
730B

MD5
95fb6718338d3c225203df79ad001704

SHA1
a561ec39a9923ccdc5987f261ba34b0e3f3b1c57

SHA256
bacc1f1085ef600b7cab2ae89375945e72d56d37ec137ca4a26b65bab148ec84

SHA512
0897e8661450d74f44c7347026c11000613d26e32eb440243f183131bc27886a167ab9f83ed0d5ab04e38103dc8f390afc32b3be28c2b6f1c16b00159b922d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\d854631c-3c8c-48f4-8543-08a901dd8c10.vbs

Filesize
731B

MD5
bba40dd3b8d82139aed77c20d8616670

SHA1
22e7368346e75350c784041e1f1f9480f6c8d4ca

SHA256
65fe03a67a30a95548a2f63867ece1b3e9520b2a82862d0b4479c34e82359d05

SHA512
1704a85656621fd395261c184e194e35dee5880150f2f8543e6f032236c41948c49c3d6cb4178f69bc4513c1cc06a6b2aae8677dcddac3909d61b43b08e54eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1318676-ea46-442c-87a3-b862b0ca759f.vbs

Filesize
731B

MD5
a01795aa63500f8367d725f8ce8ca920

SHA1
769dd2e92cf23ac700f2770d5576c98d38570318

SHA256
8e2fbd78589bb0654b3beae35a49833efe309edb26b3910dc1469659c58aff2e

SHA512
8c41d11357c69b06bd327d081ef596f67dd4cafd933b3a6ba67409bfbdbb62391623367055f82b9217dfe59143dae57650fdbf08cce5eb6aaed3f329c79efc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZ7ZHhiPOX.bat

Filesize
220B

MD5
ed1bf003477857fb57351fdffb44f85b

SHA1
c6307c68c743865b83d39616d51478392e96ee28

SHA256
e1fbb482210f7ca5b24f7c198ebe39c315945e8bf2dd3b5a134a752d6008abab

SHA512
45ec17d5620e2c913f781e2719a9ad0f205c70a6375562e398d955bda2291e84eb0b63de026a9236769ad0320b39f5f6d0b5d06d724e0edb63624c542fe24e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1729.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
127e5e6b4a72707734befd017290f882

SHA1
6fd154f30e7efb30acd099aa494a8547d36f19c9

SHA256
8ad4dbd605d4fa360badbbe32d6bd1fbbab5172ce6ac38eb8595464341a8dc11

SHA512
c91483424b7430e7ab0c836b3ee3d40d6acd1704d35c3ef4821d02808c260ffe02d3466c57f3ec6fb25ca251ba7e41ebcec100df86bfb40f54c007dfe2944fd8

Download Submit
memory/448-259-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/744-215-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/1744-274-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/2352-333-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download
memory/2500-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2500-1-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/2500-135-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2500-4-0x00000000006A0000-0x00000000006BC000-memory.dmp

Filesize
112KB

Download
memory/2500-5-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2500-176-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2500-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2500-14-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2500-13-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/2500-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2500-3-0x000000001B550000-0x000000001B67E000-memory.dmp

Filesize
1.2MB

Download
memory/2500-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2500-143-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-10-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2500-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2500-8-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2500-7-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/2500-6-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/2500-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-169-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2504-170-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2636-244-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/2668-318-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/2980-289-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2980-349-0x0000000000060000-0x0000000000554000-memory.dmp

Filesize
5.0MB

Download
memory/2996-229-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download