dcrat | 2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Size

4.9MB
MD5

8be8a5d36bb940a1d6b70d3277ca420a
SHA1

50e6780f3711ab913e56e1f159d34ef4e29e9bea
SHA256

2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f
SHA512

f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8X:v

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2304	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2304	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1728-2-0x000000001B370000-0x000000001B49E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
608	powershell.exe
2524	powershell.exe
956	powershell.exe
2060	powershell.exe
316	powershell.exe
2828	powershell.exe
3024	powershell.exe
2588	powershell.exe
1092	powershell.exe
1928	powershell.exe
992	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2088	winlogon.exe
348	winlogon.exe
920	winlogon.exe
2856	winlogon.exe
2228	winlogon.exe
1268	winlogon.exe
1524	winlogon.exe
2360	winlogon.exe
1732	winlogon.exe
2372	winlogon.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXDAC0.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\cc11b995f2a76d	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCXD36D.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\dllhost.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\5940a34987c991	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\cc11b995f2a76d	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXDF45.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\es-ES\RCXC8CE.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\ehome\es-ES\services.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\fr-FR\RCXE35B.tmp	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File opened for modification	C:\Windows\fr-FR\csrss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\ehome\es-ES\services.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\ehome\es-ES\c5b4cb5e9653cc	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\fr-FR\csrss.exe	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
File created	C:\Windows\fr-FR\886983d96e3d3e	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1944	schtasks.exe
1608	schtasks.exe
3028	schtasks.exe
1744	schtasks.exe
2724	schtasks.exe
2764	schtasks.exe
840	schtasks.exe
852	schtasks.exe
1784	schtasks.exe
2004	schtasks.exe
2248	schtasks.exe
1660	schtasks.exe
2184	schtasks.exe
2636	schtasks.exe
1692	schtasks.exe
2940	schtasks.exe
1668	schtasks.exe
2496	schtasks.exe
3040	schtasks.exe
2892	schtasks.exe
2700	schtasks.exe
548	schtasks.exe
3008	schtasks.exe
904	schtasks.exe
2760	schtasks.exe
768	schtasks.exe
1292	schtasks.exe
1920	schtasks.exe
1524	schtasks.exe
1952	schtasks.exe
2872	schtasks.exe
2276	schtasks.exe
2368	schtasks.exe
2348	schtasks.exe
1644	schtasks.exe
1780	schtasks.exe
1620	schtasks.exe
2744	schtasks.exe
1808	schtasks.exe
672	schtasks.exe
844	schtasks.exe
832	schtasks.exe
700	schtasks.exe
2808	schtasks.exe
2212	schtasks.exe
1560	schtasks.exe
2328	schtasks.exe
2848	schtasks.exe
2956	schtasks.exe
2232	schtasks.exe
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
2524	powershell.exe
688	powershell.exe
1092	powershell.exe
956	powershell.exe
3024	powershell.exe
2588	powershell.exe
608	powershell.exe
992	powershell.exe
1928	powershell.exe
2060	powershell.exe
316	powershell.exe
2828	powershell.exe
2088	winlogon.exe
348	winlogon.exe
920	winlogon.exe
2856	winlogon.exe
2228	winlogon.exe
1268	winlogon.exe
1524	winlogon.exe
2360	winlogon.exe
1732	winlogon.exe
2372	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2088	winlogon.exe
Token: SeDebugPrivilege	348	winlogon.exe
Token: SeDebugPrivilege	920	winlogon.exe
Token: SeDebugPrivilege	2856	winlogon.exe
Token: SeDebugPrivilege	2228	winlogon.exe
Token: SeDebugPrivilege	1268	winlogon.exe
Token: SeDebugPrivilege	1524	winlogon.exe
Token: SeDebugPrivilege	2360	winlogon.exe
Token: SeDebugPrivilege	1732	winlogon.exe
Token: SeDebugPrivilege	2372	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 688	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	84
PID 1728 wrote to memory of 688	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	84
PID 1728 wrote to memory of 688	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	84
PID 1728 wrote to memory of 608	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	85
PID 1728 wrote to memory of 608	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	85
PID 1728 wrote to memory of 608	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	85
PID 1728 wrote to memory of 316	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	86
PID 1728 wrote to memory of 316	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	86
PID 1728 wrote to memory of 316	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	86
PID 1728 wrote to memory of 2828	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	87
PID 1728 wrote to memory of 2828	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	87
PID 1728 wrote to memory of 2828	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	87
PID 1728 wrote to memory of 2524	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	88
PID 1728 wrote to memory of 2524	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	88
PID 1728 wrote to memory of 2524	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	88
PID 1728 wrote to memory of 3024	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	89
PID 1728 wrote to memory of 3024	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	89
PID 1728 wrote to memory of 3024	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	89
PID 1728 wrote to memory of 2588	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	90
PID 1728 wrote to memory of 2588	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	90
PID 1728 wrote to memory of 2588	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	90
PID 1728 wrote to memory of 1092	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	91
PID 1728 wrote to memory of 1092	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	91
PID 1728 wrote to memory of 1092	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	91
PID 1728 wrote to memory of 1928	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	92
PID 1728 wrote to memory of 1928	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	92
PID 1728 wrote to memory of 1928	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	92
PID 1728 wrote to memory of 956	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	93
PID 1728 wrote to memory of 956	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	93
PID 1728 wrote to memory of 956	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	93
PID 1728 wrote to memory of 992	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	94
PID 1728 wrote to memory of 992	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	94
PID 1728 wrote to memory of 992	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	94
PID 1728 wrote to memory of 2060	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	95
PID 1728 wrote to memory of 2060	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	95
PID 1728 wrote to memory of 2060	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	95
PID 1728 wrote to memory of 2088	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	108
PID 1728 wrote to memory of 2088	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	108
PID 1728 wrote to memory of 2088	1728	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe	108
PID 2088 wrote to memory of 2488	2088	winlogon.exe	109
PID 2088 wrote to memory of 2488	2088	winlogon.exe	109
PID 2088 wrote to memory of 2488	2088	winlogon.exe	109
PID 2088 wrote to memory of 2076	2088	winlogon.exe	110
PID 2088 wrote to memory of 2076	2088	winlogon.exe	110
PID 2088 wrote to memory of 2076	2088	winlogon.exe	110
PID 2488 wrote to memory of 348	2488	WScript.exe	111
PID 2488 wrote to memory of 348	2488	WScript.exe	111
PID 2488 wrote to memory of 348	2488	WScript.exe	111
PID 348 wrote to memory of 2364	348	winlogon.exe	112
PID 348 wrote to memory of 2364	348	winlogon.exe	112
PID 348 wrote to memory of 2364	348	winlogon.exe	112
PID 348 wrote to memory of 2148	348	winlogon.exe	113
PID 348 wrote to memory of 2148	348	winlogon.exe	113
PID 348 wrote to memory of 2148	348	winlogon.exe	113
PID 2364 wrote to memory of 920	2364	WScript.exe	114
PID 2364 wrote to memory of 920	2364	WScript.exe	114
PID 2364 wrote to memory of 920	2364	WScript.exe	114
PID 920 wrote to memory of 3056	920	winlogon.exe	115
PID 920 wrote to memory of 3056	920	winlogon.exe	115
PID 920 wrote to memory of 3056	920	winlogon.exe	115
PID 920 wrote to memory of 2588	920	winlogon.exe	116
PID 920 wrote to memory of 2588	920	winlogon.exe	116
PID 920 wrote to memory of 2588	920	winlogon.exe	116
PID 3056 wrote to memory of 2856	3056	WScript.exe	117

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe
"C:\Users\Admin\AppData\Local\Temp\2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32694463-3c77-4713-bff6-4b2437c367b2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
      "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:348
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2480fc59-941a-409a-83c9-0b508332ea23.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\525c3f46-8b95-4dd4-b29a-acf36bf2309f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cedb92f-15d2-49a2-8fbd-167b88c98323.vbs"
        9⤵
        
        PID:2472
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d716d8-2f4c-4ca3-b5b7-5b41adff8e8c.vbs"
        11⤵
        
        PID:2440
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7516530e-5d98-4999-a8a9-edfa8335f300.vbs"
        13⤵
        
        PID:2296
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0811af2f-535f-4756-b2ce-21d5389efa87.vbs"
        15⤵
        
        PID:908
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19b4f46f-49d0-473d-9819-887b4b0bebc5.vbs"
        17⤵
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08a50b28-7757-4000-b017-6bb74ded2482.vbs"
        19⤵
        
        PID:1228
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88aba13e-126f-4ad4-b3f2-1ac22e6448b9.vbs"
        21⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd2a657-9419-4e6d-b43b-c414eb60910c.vbs"
        21⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b93542-f080-49b7-bec0-a3c1ae0dd17d.vbs"
        19⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55244006-d2d4-4edc-8bda-ba95b818507f.vbs"
        17⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af45214-42a5-44b6-b40c-45712de06c06.vbs"
        15⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2206234f-cd6a-4b86-a396-e1168939e461.vbs"
        13⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\214b87ae-2f26-4473-a3bf-a36b3a730e84.vbs"
        11⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a0b7d01-f31a-4938-bb2f-d4083d2e34a7.vbs"
        9⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\696ae8c3-0ed9-4c90-b61b-249b82ecd7a5.vbs"
        7⤵
        
        PID:2588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb6a09f5-23b7-4ef6-b84f-8e4d36bc2e15.vbs"
        5⤵
        
        PID:2148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26bb4f5c-2ae1-47fd-9615-6d6961ab9877.vbs"
    3⤵
    PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe

Filesize
4.9MB

MD5
8be8a5d36bb940a1d6b70d3277ca420a

SHA1
50e6780f3711ab913e56e1f159d34ef4e29e9bea

SHA256
2103ddb95fd9d29dcf0f532ae9baa5593b7ed02d27682ec0b727e3e4d9061c8f

SHA512
f02563d80839cf345cc8d360419c38f231f9055408afed0fe8da8f25b0b362fcb5640e5d0b7ee580d7c6df095c90923b74f45a532916245ce0314337f2a052b5

Download Submit
C:\Users\Admin\AppData\Local\RCXE55F.tmp

Filesize
4.9MB

MD5
e37d382e749dfe460209ef6d2fa1e441

SHA1
aa62fdbbc6b4be583f6839e304d2121050a6030c

SHA256
54ae8302b04463a6ffe2521e95d1e707e10b22a3fefd12f9b86710aaf6bcac69

SHA512
5deb23ba5243dcde78dbcc532859abf70c5e7fd7a9bca46328511d4894e5def0f59a5d066470f2e285b1b24d39195f287a8bc26f0ca5d61be32aa0fb502d6e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0811af2f-535f-4756-b2ce-21d5389efa87.vbs

Filesize
751B

MD5
c8a8a9ecd18839f4d1770da25463ff07

SHA1
6639f81fbcaff4a55c90abafbf891b3a00cfe187

SHA256
d04a2285b48bca1bce453201d39610118b99232ab8e1f059c701d2d1bdfcc037

SHA512
2bb693cd199d1ed94bcb99bc8532b7f00176ebdf7a6e2d36ce8d4ae9eb4e5dd4675b7e6eb11000bb2a37bc45501e48050182d5205f4230d724530837fb932cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\08a50b28-7757-4000-b017-6bb74ded2482.vbs

Filesize
751B

MD5
2aa83ce478a4004bf92e063d4c090e22

SHA1
b69e5f018d1c5cc645bcacdedb9a10dba24d4e5b

SHA256
a8f5159e51cec2f6288e971d1db816a6ba3c5ef0a630560557dcf5f30ee830c6

SHA512
ee5d025a63096494e0242f5f9d2bb2e4013cdc35efb4825d5968ab371a8e64238ef9023940dfb88aaf8ea09caac4af49cb8f8ad13749bcd43995df8822a8fd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\19b4f46f-49d0-473d-9819-887b4b0bebc5.vbs

Filesize
751B

MD5
ed03c4cbb33bed46efbbbc33b2b28d08

SHA1
7f16041f5d8208b2bee98dd4140377dcb0579e1d

SHA256
10a70516b03db478921988ca7ee49b49ce89b54a4e23f644b7707845f8f67abb

SHA512
99314c5b63dbb6773322cd8d8893b6afd6a653287a56cbff55e4d2739d2bdaf132b9cfd8a652ead95388804b1974b21adcdb342cb95db38e44e48b4614671a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\2480fc59-941a-409a-83c9-0b508332ea23.vbs

Filesize
750B

MD5
b4f82c5f915a22283d91172fd86b6111

SHA1
4ba9e1a2b050fe70f9f9d0b19b236f7f5b91f142

SHA256
b97790d2d66db22063e96b29ff23b6f7230a57b39057c87f5a52f44949d8faf9

SHA512
16d6e38f3f9adb3394fa1bd45a1948513614d91dc09da76fabe9234638786c9734f7742a9343eb272220544c349981f6c70d7f8f136e470d561c6c700f13dcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\26bb4f5c-2ae1-47fd-9615-6d6961ab9877.vbs

Filesize
527B

MD5
3c00e9a6169310122637fd70b8d25d7f

SHA1
930f6cfc80a8e9816818756e8d5065bf480d8fd7

SHA256
2a7455102d4fe82962de532cdcfdda043ef49861c862faa69068942b77a4a676

SHA512
0340b8d6b51e2586a449a345cbe9ce46321ec968f6c4b1f39c6118e73ee03170412e78b1eb234a992c72bf8fdb1cc1983232dacfd1375f461361850cdbec3f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\32694463-3c77-4713-bff6-4b2437c367b2.vbs

Filesize
751B

MD5
96424e48a515a465e5a34bc4fd6d43bb

SHA1
e221a84e853988394a6b509f42cb919fb9582160

SHA256
3565551e0efe481d1eaee3684d9d52eef453bf37aedbfadfab687441fc910dc2

SHA512
1a9687b88e1a5904bef422c8e46c0c6c87ba7615533bc3b5dc777f610ffe98bf924c52268d63197c72f41afc3596c412fb8a3d1f6fbb20325f548f782c0594b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\525c3f46-8b95-4dd4-b29a-acf36bf2309f.vbs

Filesize
750B

MD5
3fc0e7c1024b6b25f61c6556b804f40c

SHA1
3920d89de5408e15de8494e3e229aa06197a15a5

SHA256
7d048a19d6bd28db19505b586527ca4f5a40c10fbc66afcc9efe59a2f93cd9fe

SHA512
cd96aecb0ac79e1357afb5f7bbd8819aaa3598e9221c90f984277c9cd5806c55e6b0303a62d8a9b9721828107bccc24ccb847f0628d27904071c572a3bac87bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7516530e-5d98-4999-a8a9-edfa8335f300.vbs

Filesize
751B

MD5
728a1d0f60dcaebb0c8f10f66d6d14dd

SHA1
0cd58c9e92bb166c73b1489aeaa017bcc6c9a906

SHA256
895e7fe431c69c77f7ba48258b254d1f288e30c9a076887206ee2f610b5c8b74

SHA512
4052e2ae0560de4bc2bb197f4ac5fec043589013e85e4481f5e6fc5c3609537b5a9eb178bcbd04726d5139e85204764efb307286d2c1f82f5910feaf74ed7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\88aba13e-126f-4ad4-b3f2-1ac22e6448b9.vbs

Filesize
751B

MD5
9bb23e52b7d8278dd057bb17c40683de

SHA1
36022248ee58a581d8ff8aa69c05176f1722eb5d

SHA256
911f1f22cfc272060f4413a4ecb745b27f26030f97728351be7d6b11c83247f6

SHA512
7342d8f876509eedaab61dfee4c2db0e6d08d996792eefd9b2c5cc49811c6bca2498859eb9b342e1dd03c92ccbc3b34dea2577d89cacbc732f7979fa366df9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cedb92f-15d2-49a2-8fbd-167b88c98323.vbs

Filesize
751B

MD5
b73844d1b932f5d64e4f5ebab6396256

SHA1
e6204bf7b81bec849484a0c87c3deb8f7047da5c

SHA256
2191f68e51f44c23fa229265d92b567cf5d6d2bb275fec792603974e2d083e35

SHA512
5645d8a8df7d495517c4877722843053da867a0afd9f681ea54900c21cf45ebd15f9c4424cfbb34e61daa2c694068a1e5adaf871a33e513d652b026ddbf9e6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d716d8-2f4c-4ca3-b5b7-5b41adff8e8c.vbs

Filesize
751B

MD5
4df28ce2834a6e42a45ee751a84278af

SHA1
56d9c7798ea127e3e773ac0be0d84018921daff8

SHA256
e5dbf5ff777a7cb4fd90ddb440c90fe28a3ade0f7cd4f911c0f566a9f52935ba

SHA512
68092e8fe679885045316bf8dc2e74feed5d0be090410d4f1552d7db883fb33a036764f17616c5672f0ad41c052816d65aff52885418b003f70fd08935e3dee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD62.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3956cc0faf2d29a1fbeb70df213cbfc6

SHA1
bed312bf41171ac926a6b635f8b05191e8271e48

SHA256
bfdf4a67eab095f2857fe5847733210ff9a7f4b288d8ea3f6991fa26bc430fab

SHA512
611601ee47747d536abe245517362747748d566df0363e0affb9d1b0ea57e02100aa327ac348b40cfc6148d484c4da2c6ae744116bb8ef7d088bd700eb1f1b26

Download Submit
memory/348-248-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/920-263-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/956-218-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1092-186-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1268-307-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/1524-323-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1524-322-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download
memory/1728-7-0x0000000000D00000-0x0000000000D16000-memory.dmp

Filesize
88KB

Download
memory/1728-8-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1728-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x0000000000EB0000-0x00000000013A4000-memory.dmp

Filesize
5.0MB

Download
memory/1728-3-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-14-0x000000001AB70000-0x000000001AB78000-memory.dmp

Filesize
32KB

Download
memory/1728-13-0x000000001AB60000-0x000000001AB6E000-memory.dmp

Filesize
56KB

Download
memory/1728-12-0x000000001AB50000-0x000000001AB5E000-memory.dmp

Filesize
56KB

Download
memory/1728-11-0x000000001AB40000-0x000000001AB4A000-memory.dmp

Filesize
40KB

Download
memory/1728-10-0x000000001AB30000-0x000000001AB42000-memory.dmp

Filesize
72KB

Download
memory/1728-9-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/1728-145-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-2-0x000000001B370000-0x000000001B49E000-memory.dmp

Filesize
1.2MB

Download
memory/1728-187-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-6-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/1728-15-0x000000001AF50000-0x000000001AF58000-memory.dmp

Filesize
32KB

Download
memory/1728-5-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/1728-16-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/1728-135-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/1728-4-0x0000000000CE0000-0x0000000000CFC000-memory.dmp

Filesize
112KB

Download
memory/1732-352-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/1732-353-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2088-234-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/2088-171-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2372-368-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2856-278-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download