dcrat | 84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Size

4.9MB
MD5

a551b33dc0f7549f006be50fc6507952
SHA1

d3a31a7c16bca75d45a7aa3fdead79a2d0f320e0
SHA256

84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb
SHA512

54b2dc22d820ba70dacc5b76c6522ee85c99c8d3d0512b132d40046c99542e119a34c916b926b140d28c0294012db976c47be7243371cde814266b664193efea
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8W:u

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2820	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3028-3-0x000000001B6A0000-0x000000001B7CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe
2780	powershell.exe
1456	powershell.exe
1772	powershell.exe
2588	powershell.exe
448	powershell.exe
1736	powershell.exe
1260	powershell.exe
2044	powershell.exe
2992	powershell.exe
612	powershell.exe
2460	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1796	taskhost.exe
2372	taskhost.exe
2668	taskhost.exe
2212	taskhost.exe
316	taskhost.exe
2224	taskhost.exe
2156	taskhost.exe
2932	taskhost.exe
1716	taskhost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\DVD Maker\ja-JP\886983d96e3d3e	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXB5B1.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXBEB9.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\56085415360792	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Photo Viewer\dwm.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\taskhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\b75386f1303e64	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\dwm.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\taskhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Media Player\de-DE\System.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Media Player\de-DE\winlogon.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Photo Viewer\6cb0b6c459d5d3	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCXB3AD.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Microsoft Office\dwm.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Media Player\de-DE\27d1bcfc3c54e0	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXBCB6.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\csrss.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\winlogon.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\System.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCXC0BD.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXCA14.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Microsoft Office\6cb0b6c459d5d3	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\5940a34987c991	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\services.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\c5b4cb5e9653cc	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\DVD Maker\ja-JP\csrss.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\wininit.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Media Player\de-DE\cc11b995f2a76d	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Microsoft Office\dwm.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCXC810.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\services.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXAAB3.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\RCXC59F.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\wininit.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCXCC18.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXA7E4.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Windows\Migration\WTR\RCXBAA2.tmp	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Windows\Migration\WTR\dllhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\24dbde2999530e	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Windows\Migration\WTR\dllhost.exe	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
File created	C:\Windows\Migration\WTR\5940a34987c991	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
2860	schtasks.exe
620	schtasks.exe
2988	schtasks.exe
1652	schtasks.exe
2712	schtasks.exe
2612	schtasks.exe
2852	schtasks.exe
596	schtasks.exe
2560	schtasks.exe
964	schtasks.exe
2472	schtasks.exe
1532	schtasks.exe
1308	schtasks.exe
2744	schtasks.exe
2880	schtasks.exe
584	schtasks.exe
3036	schtasks.exe
896	schtasks.exe
1340	schtasks.exe
2540	schtasks.exe
2184	schtasks.exe
2572	schtasks.exe
2632	schtasks.exe
2664	schtasks.exe
2676	schtasks.exe
2200	schtasks.exe
1764	schtasks.exe
2332	schtasks.exe
1208	schtasks.exe
1560	schtasks.exe
1964	schtasks.exe
2260	schtasks.exe
2556	schtasks.exe
1080	schtasks.exe
2220	schtasks.exe
2768	schtasks.exe
1144	schtasks.exe
2324	schtasks.exe
1916	schtasks.exe
2348	schtasks.exe
1740	schtasks.exe
704	schtasks.exe
1692	schtasks.exe
2956	schtasks.exe
1616	schtasks.exe
768	schtasks.exe
2344	schtasks.exe
1392	schtasks.exe
2952	schtasks.exe
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
2588	powershell.exe
2780	powershell.exe
3044	powershell.exe
1736	powershell.exe
1456	powershell.exe
612	powershell.exe
2992	powershell.exe
2460	powershell.exe
1772	powershell.exe
448	powershell.exe
1260	powershell.exe
2044	powershell.exe
1796	taskhost.exe
2372	taskhost.exe
2668	taskhost.exe
2212	taskhost.exe
316	taskhost.exe
2224	taskhost.exe
2156	taskhost.exe
2932	taskhost.exe
1716	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1796	taskhost.exe
Token: SeDebugPrivilege	2372	taskhost.exe
Token: SeDebugPrivilege	2668	taskhost.exe
Token: SeDebugPrivilege	2212	taskhost.exe
Token: SeDebugPrivilege	316	taskhost.exe
Token: SeDebugPrivilege	2224	taskhost.exe
Token: SeDebugPrivilege	2156	taskhost.exe
Token: SeDebugPrivilege	2932	taskhost.exe
Token: SeDebugPrivilege	1716	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2460	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	83
PID 3028 wrote to memory of 2460	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	83
PID 3028 wrote to memory of 2460	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	83
PID 3028 wrote to memory of 1736	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	84
PID 3028 wrote to memory of 1736	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	84
PID 3028 wrote to memory of 1736	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	84
PID 3028 wrote to memory of 1772	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	85
PID 3028 wrote to memory of 1772	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	85
PID 3028 wrote to memory of 1772	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	85
PID 3028 wrote to memory of 1260	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	88
PID 3028 wrote to memory of 1260	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	88
PID 3028 wrote to memory of 1260	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	88
PID 3028 wrote to memory of 2992	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	89
PID 3028 wrote to memory of 2992	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	89
PID 3028 wrote to memory of 2992	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	89
PID 3028 wrote to memory of 2044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	90
PID 3028 wrote to memory of 2044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	90
PID 3028 wrote to memory of 2044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	90
PID 3028 wrote to memory of 448	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	92
PID 3028 wrote to memory of 448	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	92
PID 3028 wrote to memory of 448	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	92
PID 3028 wrote to memory of 2780	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	93
PID 3028 wrote to memory of 2780	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	93
PID 3028 wrote to memory of 2780	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	93
PID 3028 wrote to memory of 3044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	95
PID 3028 wrote to memory of 3044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	95
PID 3028 wrote to memory of 3044	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	95
PID 3028 wrote to memory of 1456	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	96
PID 3028 wrote to memory of 1456	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	96
PID 3028 wrote to memory of 1456	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	96
PID 3028 wrote to memory of 2588	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	98
PID 3028 wrote to memory of 2588	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	98
PID 3028 wrote to memory of 2588	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	98
PID 3028 wrote to memory of 612	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	99
PID 3028 wrote to memory of 612	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	99
PID 3028 wrote to memory of 612	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	99
PID 3028 wrote to memory of 872	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	107
PID 3028 wrote to memory of 872	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	107
PID 3028 wrote to memory of 872	3028	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe	107
PID 872 wrote to memory of 1052	872	cmd.exe	109
PID 872 wrote to memory of 1052	872	cmd.exe	109
PID 872 wrote to memory of 1052	872	cmd.exe	109
PID 872 wrote to memory of 1796	872	cmd.exe	110
PID 872 wrote to memory of 1796	872	cmd.exe	110
PID 872 wrote to memory of 1796	872	cmd.exe	110
PID 1796 wrote to memory of 2892	1796	taskhost.exe	111
PID 1796 wrote to memory of 2892	1796	taskhost.exe	111
PID 1796 wrote to memory of 2892	1796	taskhost.exe	111
PID 1796 wrote to memory of 1360	1796	taskhost.exe	112
PID 1796 wrote to memory of 1360	1796	taskhost.exe	112
PID 1796 wrote to memory of 1360	1796	taskhost.exe	112
PID 2892 wrote to memory of 2372	2892	WScript.exe	113
PID 2892 wrote to memory of 2372	2892	WScript.exe	113
PID 2892 wrote to memory of 2372	2892	WScript.exe	113
PID 2372 wrote to memory of 836	2372	taskhost.exe	114
PID 2372 wrote to memory of 836	2372	taskhost.exe	114
PID 2372 wrote to memory of 836	2372	taskhost.exe	114
PID 2372 wrote to memory of 2084	2372	taskhost.exe	115
PID 2372 wrote to memory of 2084	2372	taskhost.exe	115
PID 2372 wrote to memory of 2084	2372	taskhost.exe	115
PID 836 wrote to memory of 2668	836	WScript.exe	116
PID 836 wrote to memory of 2668	836	WScript.exe	116
PID 836 wrote to memory of 2668	836	WScript.exe	116
PID 2668 wrote to memory of 1584	2668	taskhost.exe	117

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe
"C:\Users\Admin\AppData\Local\Temp\84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZUvtCPP2c.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1052
- - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8aac665-439e-4ac9-abc7-583e77ea510f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2372
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e91e10d-bb93-46a1-8651-b2ac044ee3dc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0558e9b-716d-4d2b-a60f-ea828f4ec090.vbs"
        8⤵
        
        PID:1584
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\523bb1a7-ccea-44eb-b5e1-d21eb0fed097.vbs"
        10⤵
        
        PID:2332
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554264c0-975a-46c0-b2c8-4f13614c7c0d.vbs"
        12⤵
        
        PID:2604
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59615b8e-19c1-4aad-b8d4-2d7d6265988f.vbs"
        14⤵
        
        PID:2892
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10f7575-22fd-44d5-9fd0-26ff480f492f.vbs"
        16⤵
        
        PID:2652
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb8df28-5795-427b-aa35-00da920fba40.vbs"
        18⤵
        
        PID:1492
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7954830e-b1e9-4c3b-9cce-811b1e9d1444.vbs"
        20⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\872b879e-3e2f-4c9b-8df4-3bf6a72282b1.vbs"
        20⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\421e333c-edcb-48d0-a3b5-221a6a924670.vbs"
        18⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c34cba2-6dff-4a5f-815c-e53e97e83452.vbs"
        16⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4732cb1-c491-456c-ba00-f7b99e6c4f77.vbs"
        14⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cece02-007f-4209-b4da-63449f0430e6.vbs"
        12⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c813e049-bfeb-4e77-ad8b-747b5a5faf98.vbs"
        10⤵
        
        PID:496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d7effac-83f6-4dae-85ae-2388d93cf4e6.vbs"
        8⤵
        
        PID:2076
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c1d8f4f-b3b7-47f6-a2cc-7ee38eecbd75.vbs"
        6⤵
        
        PID:2084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\020030cc-2155-4148-b877-be066db30c04.vbs"
      4⤵
      PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\History\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\History\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\History\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCXCC18.tmp

Filesize
4.9MB

MD5
2553297414b4a0034fc67f4cb434f654

SHA1
5d8d72970ccc730a5f0b61a1325cfc4daedcc046

SHA256
effe36f5d80419799f1e62b0d042386b2fd76aabdf25df2810d9a79bf6284c86

SHA512
f306a7768ae51091fc0a45a8d1d870ff4cfac813ee5d942b6e0646634cfeb68566931d60ce79e9d27d435af2ca915cfe9433da58c6e846e2f12b3e797a327674

Download Submit
C:\Program Files (x86)\Windows Mail\en-US\wininit.exe

Filesize
4.9MB

MD5
c9034b2a57edee850617b52e855b11e0

SHA1
4b44d0650138e5620a45422e06fa0298ef19b280

SHA256
fb2d9e5fd5d83687e2d38360c7042aaf0a93759ded8ff714297b761ee3f19f7e

SHA512
d5b4e45a4a86f962b212496494f8f05469cd7c8a1642c85d600e082f9fec72cbd7f53ef2e2febda36342977dce51a60d1b1365674908605c7b62d162abb1b9f5

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe

Filesize
4.9MB

MD5
a551b33dc0f7549f006be50fc6507952

SHA1
d3a31a7c16bca75d45a7aa3fdead79a2d0f320e0

SHA256
84e10303e612ad6ab5759d5e0fc11a123a6014da30dd7320d4c4329f4ca5abbb

SHA512
54b2dc22d820ba70dacc5b76c6522ee85c99c8d3d0512b132d40046c99542e119a34c916b926b140d28c0294012db976c47be7243371cde814266b664193efea

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe

Filesize
4.9MB

MD5
4b8ffae9ee67201195265cb802eee286

SHA1
879e1f9550921a9f1a98f5409de02930f9546750

SHA256
e5c71b32c3eeb539c860ac157f030b2db1ea4e2b4aa4b092996082c1b89db032

SHA512
de2381be1411abd150e9399a48265910170d019a51891733832413f4e1b65d42b5fd6786964dd9386dbb6b2c342eea5dc1bc88a4bc1224cc7f6d7ec51d759e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\taskhost.exe

Filesize
4.9MB

MD5
b7ec301c733dc91a432b30c5f9260cc4

SHA1
d26fe7d022d3a967beb8498ba61310108058cff1

SHA256
fbe8e8609c8893b35782af73c5d2262a234f5a8e17a903b6e3e6302fde4628cb

SHA512
ef0c4987265f24a679d1b1b11bfe5eca46ae21e94093fb7f7ea43d138c1ba7ff58b22732b5ed2292f3bf7ab46a3169452887b0b9ca3f12c30b579aaa1b85c70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\020030cc-2155-4148-b877-be066db30c04.vbs

Filesize
513B

MD5
3bcf1459b48d13943e8dac2315d4b87b

SHA1
9ee98ec08f5122ded44edd556da7a63ac50ba322

SHA256
650859cb090619ebcc281d768cc9e74c259be33e96dcee86cddf47702762247a

SHA512
90f4b40e047c28cccd0e37b77e826499268c8547aaac4acd2232dafdd91abc77bf3e5ef49bc35e66be6af83ed8694862a597771f0618ac6bf5b60f7293419dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e91e10d-bb93-46a1-8651-b2ac044ee3dc.vbs

Filesize
737B

MD5
970ac54fcd17cbf9a0898547fe568189

SHA1
9dd2a79528df44ff95e0d36b9c9c809eb03129e7

SHA256
ec17024232e0d53e0761231e261454b7e2efce10b6b217989f98c29cfe460d29

SHA512
a460bbd978afb85f017ffb7284eb3e5064ef63aa0d5e999c3aa9f68e8d62bd08f0904decf8c6a26b8e51610e1bd750b52c4e81ba32727b5c5503fc4fa2052aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fb8df28-5795-427b-aa35-00da920fba40.vbs

Filesize
737B

MD5
53757ca90dc73fa85d7ae70d78d4c495

SHA1
4fb9d05a422bf8f14300e2abc0c34fe55e65f5de

SHA256
be22137dc9bea06b16c4927647df5590afeacbaa964d44228b2ced3b592d0b2f

SHA512
b80780ecc025e8a68b8962a511c52417d0eb52d0018c726f428291ee2c7d19f1dcbd9d2d577fd6b95c636dbc6460b27fdf511fba99c233dcd0ee4ebb92ae10f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\523bb1a7-ccea-44eb-b5e1-d21eb0fed097.vbs

Filesize
737B

MD5
1034cdaab46ca7baaf8f1c15f5c0749c

SHA1
5fb08a9f0db13d2769d0dfd14ddab57cacb1445c

SHA256
4226560e436acee2ff5a4d4992342ff6ed8a584528c252226edb0c08bfa23490

SHA512
64aff0b32c78deb3956535b8aa2739ecadbf6a29549271f66f3c0f05752b4a5f9c92de33996635813a91ac03f91211c76cf9b2011f5cfe08950a9e91f0b03a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\554264c0-975a-46c0-b2c8-4f13614c7c0d.vbs

Filesize
736B

MD5
d6cffb85afe4a42c3c4362eed94e8266

SHA1
c68d67f2dd35dafda5a609144cb20a42f0bd67b1

SHA256
63aa99dead3a17bc11c42f7d7d8b80ff6565e88841e8bd817e596331939ddfea

SHA512
729e8e87b8386616828b4b317508c2c430129409387f45e0af54e2b8113e0cdf3ea2e71a87434473926b75c229f7ce06b1e844bdf230557590da007add7145d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\59615b8e-19c1-4aad-b8d4-2d7d6265988f.vbs

Filesize
737B

MD5
50f55e9e5dacbef7dc9d674af3e6b7d6

SHA1
af68857d612e0c935f0c9056ccf784b1219b4f0c

SHA256
5d35aa8a77d9bd3bf0492cbd9ce067e79915bfbbb2ffc5e1e91b8c7b1deeca78

SHA512
7c00b01cf2311188bb4dc549ed4077a2f473a52d1e81b27905978f71763131b8f5fa3f28528c9f7a52cdd9703ef0efefc9570063a42486e2689f0460c5b75884

Download Submit
C:\Users\Admin\AppData\Local\Temp\7954830e-b1e9-4c3b-9cce-811b1e9d1444.vbs

Filesize
737B

MD5
00ebc85e4689a78835cb986f5d446f95

SHA1
913bda1766775d3d48a9a1725392d43ffeed704e

SHA256
ca1b120cb1c07c63f5e7b2c8d34f742c26fbf338e0a017de57ed5551d90b04ea

SHA512
ee3be3c873ac5f567b43dd1666437c134c88412ec9b41ed3bb6e5419a36e4e83301e07caec0a8944b2cffd7bff5061a655eed612745d1ca0a1b0159d9a6722e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KZUvtCPP2c.bat

Filesize
226B

MD5
e667a1b387d5bb5a1cc3279a586a3569

SHA1
ebc9cd3f2752affa3a234a5c903f0ac9b3aedd6c

SHA256
0dc9e6cadfb4715421b421b14d50d96779029965167fa218f322b451243d76fd

SHA512
a11c83b17ffc7ea81bfe83d37732977d6c1fe2c1f07ef77f1531c273e01433411cee18e3895df93cc078fd9cf8563437e5b5fe8d8f83bb8b7721e92756ee3862

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0558e9b-716d-4d2b-a60f-ea828f4ec090.vbs

Filesize
737B

MD5
530ada869936e95d635770f5b78d13b3

SHA1
98e6ccaf167207f5fb4094d3006a8371f5a8dd17

SHA256
18ea554e5ad65f14ff79de3aee58734dc34d2dad2568a38c5751b73d43ba664c

SHA512
78e368010705b8b073e360bfd40a69c4604d10694e8c1fe96ed623ce150934d5235d34c78f5f386560bb2ea889768e0652076c32bf3ee8ad0dbfc3c368aced9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8aac665-439e-4ac9-abc7-583e77ea510f.vbs

Filesize
737B

MD5
7aa1f3d53218e197d68e9cd2ea22e398

SHA1
a2acf570e9b34a453bde307ac430b7ce22c8ecb7

SHA256
56563a996fdd7b404607a92f3ce24e7598d934a2ba33473383300f4ec5884b9b

SHA512
9b3a394ed75cb71c8d645b15b6cef57f91379e18524e0cff7a04323a098d398087e540d54514032dc3d7e2df774ad5f8268e799336437b4c18e88bd6a7ee5e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\d10f7575-22fd-44d5-9fd0-26ff480f492f.vbs

Filesize
737B

MD5
be99c9e0a54007918d1852e73e13a341

SHA1
77ce9b3faafe87f12e9337d6a19b72521a72a3bf

SHA256
0389b6cb69eb34d4dc19178f07df0cfad030024c41a1dc9e7174e53c32260482

SHA512
6fe9aaffa0179d268d15c3fab1bb0698632ad082f18f53b59f134551d588963684c9f65493962e804f20e819ab827465c4eb6a9c541df1ed2762e6dbafb08520

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF8B1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f48257496947bb02b2caaa327e8ba3cb

SHA1
1e4afe013401d5030743d79f4ddf616df123d844

SHA256
98d804f180ab8e95eef4fb7a31b3a4b8e4ced3c1b9babded253764a5fdeb2b10

SHA512
6c174aef1fd794a6f9bf1427ddafba4b17bcb4a53daa6b5f27c6c4592f52a7c69479cda7faba9595000a09e58df4d64677997371c7c4416893ab05654fe8acfd

Download Submit
memory/316-301-0x0000000000A80000-0x0000000000F74000-memory.dmp

Filesize
5.0MB

Download
memory/316-302-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1716-363-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/1796-240-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2156-332-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/2156-333-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2212-285-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download
memory/2212-286-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/2224-317-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2372-254-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download
memory/2588-181-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2588-179-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2668-269-0x0000000000880000-0x0000000000D74000-memory.dmp

Filesize
5.0MB

Download
memory/2668-270-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2932-348-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/3028-11-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/3028-10-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/3028-134-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/3028-147-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-15-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/3028-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/3028-13-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/3028-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/3028-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/3028-16-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/3028-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3028-8-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/3028-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/3028-6-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/3028-5-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/3028-4-0x00000000009E0000-0x00000000009FC000-memory.dmp

Filesize
112KB

Download
memory/3028-180-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-3-0x000000001B6A0000-0x000000001B7CE000-memory.dmp

Filesize
1.2MB

Download
memory/3028-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-1-0x0000000000CB0000-0x00000000011A4000-memory.dmp

Filesize
5.0MB

Download