dcrat | eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Size

4.9MB
MD5

f954807077449b5cc1d07ed866dc8e06
SHA1

af066d14f43a45603e8de65123f8816989b392d7
SHA256

eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274
SHA512

df0cdb0771fcb063f1e539b01aae5d19c9019dc8aef972180c60682eeeb4d17f1e55198b457978f793fc8bf13e28922f9745be480132598c819ec102e6360f75
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2092	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2092	schtasks.exe	31

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1644-3-0x000000001B410000-0x000000001B53E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1924	powershell.exe
1892	powershell.exe
1556	powershell.exe
2372	powershell.exe
1288	powershell.exe
760	powershell.exe
2304	powershell.exe
2052	powershell.exe
2320	powershell.exe
2324	powershell.exe
2348	powershell.exe
1588	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
828	OSPPSVC.exe
2328	OSPPSVC.exe
1512	OSPPSVC.exe
3048	OSPPSVC.exe
1744	OSPPSVC.exe
2888	OSPPSVC.exe
2076	OSPPSVC.exe
1380	OSPPSVC.exe
2868	OSPPSVC.exe
2900	OSPPSVC.exe
1272	OSPPSVC.exe
1620	OSPPSVC.exe
1744	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXD29D.tmp	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Program Files\7-Zip\RCXDD2D.tmp	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Program Files\7-Zip\smss.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsm.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files\7-Zip\smss.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files\7-Zip\69ddcba757bf72	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\101b941d020240	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\cc11b995f2a76d	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsm.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCXD712.tmp	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ehome\es-ES\RCXE53D.tmp	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Windows\ehome\es-ES\OSPPSVC.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Windows\PLA\OSPPSVC.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Windows\PLA\1610b97d3ab4a7	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Windows\ehome\es-ES\OSPPSVC.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File created	C:\Windows\ehome\es-ES\1610b97d3ab4a7	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Windows\PLA\RCXD916.tmp	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
File opened for modification	C:\Windows\PLA\OSPPSVC.exe	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe
2984	schtasks.exe
2796	schtasks.exe
1764	schtasks.exe
3052	schtasks.exe
1920	schtasks.exe
2780	schtasks.exe
2952	schtasks.exe
2696	schtasks.exe
2832	schtasks.exe
3012	schtasks.exe
2128	schtasks.exe
2460	schtasks.exe
2436	schtasks.exe
2296	schtasks.exe
1236	schtasks.exe
2776	schtasks.exe
2728	schtasks.exe
2912	schtasks.exe
2472	schtasks.exe
2992	schtasks.exe
2188	schtasks.exe
448	schtasks.exe
2640	schtasks.exe
2276	schtasks.exe
1380	schtasks.exe
2268	schtasks.exe
1292	schtasks.exe
2076	schtasks.exe
2716	schtasks.exe
2232	schtasks.exe
2620	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
1588	powershell.exe
2320	powershell.exe
2372	powershell.exe
1288	powershell.exe
2052	powershell.exe
2324	powershell.exe
1892	powershell.exe
1924	powershell.exe
2304	powershell.exe
1556	powershell.exe
2348	powershell.exe
760	powershell.exe
828	OSPPSVC.exe
2328	OSPPSVC.exe
1512	OSPPSVC.exe
3048	OSPPSVC.exe
1744	OSPPSVC.exe
2888	OSPPSVC.exe
2076	OSPPSVC.exe
1380	OSPPSVC.exe
2868	OSPPSVC.exe
2900	OSPPSVC.exe
1272	OSPPSVC.exe
1620	OSPPSVC.exe
1744	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	828	OSPPSVC.exe
Token: SeDebugPrivilege	2328	OSPPSVC.exe
Token: SeDebugPrivilege	1512	OSPPSVC.exe
Token: SeDebugPrivilege	3048	OSPPSVC.exe
Token: SeDebugPrivilege	1744	OSPPSVC.exe
Token: SeDebugPrivilege	2888	OSPPSVC.exe
Token: SeDebugPrivilege	2076	OSPPSVC.exe
Token: SeDebugPrivilege	1380	OSPPSVC.exe
Token: SeDebugPrivilege	2868	OSPPSVC.exe
Token: SeDebugPrivilege	2900	OSPPSVC.exe
Token: SeDebugPrivilege	1272	OSPPSVC.exe
Token: SeDebugPrivilege	1620	OSPPSVC.exe
Token: SeDebugPrivilege	1744	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2372	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	66
PID 1644 wrote to memory of 2372	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	66
PID 1644 wrote to memory of 2372	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	66
PID 1644 wrote to memory of 1288	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	67
PID 1644 wrote to memory of 1288	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	67
PID 1644 wrote to memory of 1288	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	67
PID 1644 wrote to memory of 1556	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	69
PID 1644 wrote to memory of 1556	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	69
PID 1644 wrote to memory of 1556	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	69
PID 1644 wrote to memory of 1588	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	71
PID 1644 wrote to memory of 1588	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	71
PID 1644 wrote to memory of 1588	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	71
PID 1644 wrote to memory of 2320	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	72
PID 1644 wrote to memory of 2320	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	72
PID 1644 wrote to memory of 2320	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	72
PID 1644 wrote to memory of 2348	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	73
PID 1644 wrote to memory of 2348	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	73
PID 1644 wrote to memory of 2348	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	73
PID 1644 wrote to memory of 1892	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	74
PID 1644 wrote to memory of 1892	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	74
PID 1644 wrote to memory of 1892	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	74
PID 1644 wrote to memory of 2324	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	75
PID 1644 wrote to memory of 2324	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	75
PID 1644 wrote to memory of 2324	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	75
PID 1644 wrote to memory of 1924	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	76
PID 1644 wrote to memory of 1924	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	76
PID 1644 wrote to memory of 1924	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	76
PID 1644 wrote to memory of 2052	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	77
PID 1644 wrote to memory of 2052	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	77
PID 1644 wrote to memory of 2052	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	77
PID 1644 wrote to memory of 2304	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	78
PID 1644 wrote to memory of 2304	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	78
PID 1644 wrote to memory of 2304	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	78
PID 1644 wrote to memory of 760	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	79
PID 1644 wrote to memory of 760	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	79
PID 1644 wrote to memory of 760	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	79
PID 1644 wrote to memory of 1648	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	90
PID 1644 wrote to memory of 1648	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	90
PID 1644 wrote to memory of 1648	1644	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe	90
PID 1648 wrote to memory of 1564	1648	cmd.exe	92
PID 1648 wrote to memory of 1564	1648	cmd.exe	92
PID 1648 wrote to memory of 1564	1648	cmd.exe	92
PID 1648 wrote to memory of 828	1648	cmd.exe	93
PID 1648 wrote to memory of 828	1648	cmd.exe	93
PID 1648 wrote to memory of 828	1648	cmd.exe	93
PID 828 wrote to memory of 948	828	OSPPSVC.exe	94
PID 828 wrote to memory of 948	828	OSPPSVC.exe	94
PID 828 wrote to memory of 948	828	OSPPSVC.exe	94
PID 828 wrote to memory of 2312	828	OSPPSVC.exe	95
PID 828 wrote to memory of 2312	828	OSPPSVC.exe	95
PID 828 wrote to memory of 2312	828	OSPPSVC.exe	95
PID 948 wrote to memory of 2328	948	WScript.exe	96
PID 948 wrote to memory of 2328	948	WScript.exe	96
PID 948 wrote to memory of 2328	948	WScript.exe	96
PID 2328 wrote to memory of 2276	2328	OSPPSVC.exe	97
PID 2328 wrote to memory of 2276	2328	OSPPSVC.exe	97
PID 2328 wrote to memory of 2276	2328	OSPPSVC.exe	97
PID 2328 wrote to memory of 2352	2328	OSPPSVC.exe	98
PID 2328 wrote to memory of 2352	2328	OSPPSVC.exe	98
PID 2328 wrote to memory of 2352	2328	OSPPSVC.exe	98
PID 2276 wrote to memory of 1512	2276	WScript.exe	99
PID 2276 wrote to memory of 1512	2276	WScript.exe	99
PID 2276 wrote to memory of 1512	2276	WScript.exe	99
PID 1512 wrote to memory of 2372	1512	OSPPSVC.exe	100

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe
"C:\Users\Admin\AppData\Local\Temp\eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wjwRC6iq4t.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1564
- - C:\Windows\ehome\es-ES\OSPPSVC.exe
    "C:\Windows\ehome\es-ES\OSPPSVC.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0303f130-4070-4233-bb08-88d3288f90a6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7c1f1e-1aa8-4b0b-ac76-f2ccbd0915de.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe00f6de-b3c5-4466-835a-44a4bd1f5604.vbs"
        8⤵
        
        PID:2372
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e805816f-0f4b-4341-9c18-932a4e561494.vbs"
        10⤵
        
        PID:2228
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8fcaaf8-52c4-43ef-bc00-1b6cbaf733d6.vbs"
        12⤵
        
        PID:2116
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd132d18-f40e-46f6-9d90-c46806bfbec5.vbs"
        14⤵
        
        PID:1000
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d401bd1a-2405-4d12-938d-c083b1b42cc6.vbs"
        16⤵
        
        PID:2616
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a76c4ffa-c917-4bde-a718-1ec7eeebbbc7.vbs"
        18⤵
        
        PID:3056
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bd186b6-c1a6-4591-ad5e-566c14813234.vbs"
        20⤵
        
        PID:2380
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032fffbb-7b28-448f-8084-941ae248ac32.vbs"
        22⤵
        
        PID:2080
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29924ab-f8c6-4956-a8c8-107087f85abf.vbs"
        24⤵
        
        PID:2784
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ede8d2ae-72df-4c4a-a434-62bd1fba766d.vbs"
        26⤵
        
        PID:3012
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        
        C:\Windows\ehome\es-ES\OSPPSVC.exe
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6050956b-1518-4fed-8e5f-0d0b7cc38a66.vbs"
        28⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc51287-14ec-4353-b1c8-c22ccccfdeed.vbs"
        28⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8e5060-4470-494b-afec-c9b8ca07a665.vbs"
        26⤵
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cfad2c3-916e-4950-b2eb-c9e9fd3b22ff.vbs"
        24⤵
        
        PID:684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab76787-619b-4cb5-9576-665c5fcc7f2c.vbs"
        22⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfacee3a-38fa-4126-b1b2-30c641c1e423.vbs"
        20⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c433b7-3874-4f5e-90b7-608f2fd23046.vbs"
        18⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d062b7f-1fd5-4e32-b1c8-4bc121896a5d.vbs"
        16⤵
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74f42062-74e4-4a0c-8407-5181699ffee8.vbs"
        14⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7863196b-b01c-431b-a068-b000e66f326f.vbs"
        12⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f867635-3115-43f6-88d8-0b8fb88954b1.vbs"
        10⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74f1a57d-25dc-44e7-93ec-c959766182ad.vbs"
        8⤵
        
        PID:1720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9707f819-3552-4ec6-830b-703c42013ecc.vbs"
        6⤵
        
        PID:2352
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a94d9697-c223-4a2e-a102-944cfd4aa0f1.vbs"
      4⤵
      PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\PLA\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274e" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274e" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0303f130-4070-4233-bb08-88d3288f90a6.vbs

Filesize
709B

MD5
29f0bbd6d1fd1ce2189160f065232896

SHA1
4b9d3c1a55c77400bcc1bde4211f784384afbf79

SHA256
dc66aa90729e5037712796e99cbcad378364f3805d1bb8326178e9e64512dadd

SHA512
f94edf2cdb140e56700c4bd08610716b20d7ceef9974a729c0a1a6cf96fb43bcb0d650c693c60515dfe3795165e82de18e137688dcc108f760482c9b5f39b22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\032fffbb-7b28-448f-8084-941ae248ac32.vbs

Filesize
710B

MD5
1608b12eb759ec24f6dc67792967ae67

SHA1
08734bde46b0f463881f92965580b07f425051cb

SHA256
5080dc116f41834e0a32f7c1ca15cdced02de9d6879b9c96913cccff25d0f3f1

SHA512
94ad96d154afdfb703954f1f6b0bb271a75ac74221197d240a8ff58c4ada2c52e20ddf9b01743e4d48e4aec12c37a32687dd91bac4ae6462d7f08167a26e060e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bd186b6-c1a6-4591-ad5e-566c14813234.vbs

Filesize
710B

MD5
8b64cc48da94ef53cc90bfbca5723091

SHA1
63a90f066b1699af102992e2f33607284c9bf6ec

SHA256
17854e97ebb5d55e5a37d856b65852948b76f89a78116dffea185d92fbfd76dc

SHA512
77dd0544a625d05f3846f725d1da98eba68095392c14ceffce0bda7925c6ac68f41290a331b4b06f07f64cba916816ec74b6687c601b147f0a30cc8aa0d8a6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a7c1f1e-1aa8-4b0b-ac76-f2ccbd0915de.vbs

Filesize
710B

MD5
b350810ada0fefebba4e81d846cf7920

SHA1
0a7e9a28fc34001b993578b7e23a565f13f4669c

SHA256
d35e6098dbf54d6a7146c412acca64ba7784f912aeae7db559d5046b06dbcbd9

SHA512
cdaff7380683a5a8e5d68cd05da1197c88351523b2d3c10ac523455b82b16806ae2755990383fa41818863b5e9fd738d21af047492e3a5ced0fcf02305c9e9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76c4ffa-c917-4bde-a718-1ec7eeebbbc7.vbs

Filesize
710B

MD5
b237f7ee954739f6d88e58076b88ad2d

SHA1
69ce1f017d13e8d5f975532615553472238b48d2

SHA256
ec2b8dcdf0f76c190cf43b9690d78ccc72eb7ecce85dede37902f71dd140cc5b

SHA512
cca9dc2f75fad826a1b7e8fcfc0cc12ce939c22b428cc47312cdb670a222db96031db3a53315e95919b61240a03bc72bf6fb1457b4b6ae179334370f7ed27134

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8fcaaf8-52c4-43ef-bc00-1b6cbaf733d6.vbs

Filesize
710B

MD5
305fd1a2baa594c031c9b063ec940c3a

SHA1
f031b2c198f57f679bb56a8d06f0c70b5317d820

SHA256
5bc0479eb74d193048d43fd012f648e846dba3e87610ed0d416669a265593e12

SHA512
b13def019c268fd6df38effcfcf679ddde226eb8842cad5a33ebd441beaa079cfe1464e571408e4f171a5759ceee3262329ca27c49a809dee144d57a29425cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a94d9697-c223-4a2e-a102-944cfd4aa0f1.vbs

Filesize
486B

MD5
e45f5cb3f9c4a5503663b1d9e5367371

SHA1
2e3675305de9a9279cf3029967ba3fa22ee67a75

SHA256
01d413b288e607a8cf87ba47dccb7c24b8d7920e3e7d49a004dbe8aa5afac320

SHA512
0f06065a0c5237c6b38e9623dabb4df3389730a28f42054cb139f9872b67ae7adec489bc9d4ae96a758fd9adaf1dd5535fa2eda992ef935bf5d8c50ebbfbced9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b29924ab-f8c6-4956-a8c8-107087f85abf.vbs

Filesize
710B

MD5
941ab379d0ecf42ea3533e927dfe17cb

SHA1
861204efe4d81ff6b8a5e9dffc4d4a896f83a648

SHA256
26f6e917e6d2bbdc7fbfcb58db2ec6d699adaf0c56ba3d81291f7e86a989646c

SHA512
bd690ba91aaa21dcc1e47f21f064ac231efded447c6b4d6a4a424e8317d5d69e264d7d428dcc2497de5b62352d6631039b906cdb6cf787b48c54a9b5c17faf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5b3963bbf66df5e1cbde1527123bc653ef1faee.exe

Filesize
4.9MB

MD5
a600db2f888387c42965ff650a623467

SHA1
94126d5de6f454b813ad45b3d570f22b3f1ac9ea

SHA256
633c7cff1506b8b064ad5ec52f432591233786726ff72b3507a5dab44ce65e8e

SHA512
ba013da249331d7b2a9c4b53988ca9a3a43c70c4a575833062be16247853dba5acda916e7a0adb7e2dad3f6fea201a3be01cb284022cb6f0542b25762dd09306

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd132d18-f40e-46f6-9d90-c46806bfbec5.vbs

Filesize
710B

MD5
a4db221718ee1face1458f0fbdb9c7c9

SHA1
0cfef0f89ed35603b2f8ff13922f815194157b97

SHA256
9609e0eefc91007426353a6d374a9f0f606d75e31cac3d74c567b52731fc73f0

SHA512
9bdd2d253cbfe755acfc9281847c2e400325f8786df0828e4692d4c85ac5dfcc717a2122b3390b6c2bc371399ea43cd1198533d5e1bec3bbb88d3ae56d18b08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d401bd1a-2405-4d12-938d-c083b1b42cc6.vbs

Filesize
710B

MD5
58d5d83fbb73d08579900ca8c74f2133

SHA1
986ad607bd4d8c6d7fb70a8aa70273c12c75ffc8

SHA256
1d89147f9e5fa66dabe91672f77b52945a1d17c241687b97943deeef90875770

SHA512
54d2810665c126ed4744a4542e77f6a503ea07b6ad2ec700fba969a14fc7680cdca4bf2baa304c1ec276af49fc63f69e81d0f480180b63f542c467eb83f895a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e805816f-0f4b-4341-9c18-932a4e561494.vbs

Filesize
710B

MD5
04b6133ffb1dd8367b47d9d3e4e82498

SHA1
545e0d8268943808642c48dc86cbd43aed5c2189

SHA256
fa4a4e64ae1e30fabc60655fba727c4f05d1528b43a4b3476c2d2bb597035f83

SHA512
93a3c27d58a16a44f37b40a737418043e8ff5cf55ff0d2aedd4f01b4abb13ece8bd62d219f1baa3782be0a1961613b960c1b2d9832509c54b368763f7d62d8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ede8d2ae-72df-4c4a-a434-62bd1fba766d.vbs

Filesize
710B

MD5
cd63948b4fc2846670883ed7855a05ed

SHA1
7eb934d7bedff54a80ce8ff06b6a373feb7af538

SHA256
2eb69774b04650f3ba77b22718a5b7ee33b54e7c823be3cb1c46092c093e1002

SHA512
978d06704d0589e2852aae95058f036516882b6e1ba843800889aac2d67b0c0c8a94c52d2ca3e89c21e6f0c783c818cea6afdcaa261f2037626d4a33c51b8885

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe00f6de-b3c5-4466-835a-44a4bd1f5604.vbs

Filesize
710B

MD5
961c7251c82a1911a1351531af914872

SHA1
14e6e4c331f8163cfb4de18ceb5e5a5d4869c74a

SHA256
a9f9792ec60a1d0db3ad07fd20ece4d7767af3430e1bbd3e3e5f2e00b25fcd43

SHA512
1b9ffecdc17c6e499f5299e1530918d19932061bb7644b18be3d88389ec280a949192e490920f649aa868d934700a4cdbdd3d423ab6ad58776aa90d1be4e4c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjwRC6iq4t.bat

Filesize
199B

MD5
23c76459c88c3dbcac789e2f5be897b3

SHA1
3d87aedc30fbccea701472aba53406b308b76cf8

SHA256
bbda4f3972595f89c3a036b8176121777b918975158acbd68590ac18350b1824

SHA512
cc44a6b7562bddc443ac0631fc3c7117ed3db901ccd5b09e5dd9c71303adc4b23533c86955bdd3b2e248c9408bdc4654f850de419198ba482e5e4065c2cd305d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c02c1e94300598781624bca4cb061465

SHA1
fba3b528869a77d297a2ee4d0b630aa79b73db4b

SHA256
827b529ed59bf79edcfdbfcaa43d62253e429f07b290a13d9fa5f69a8f48bc51

SHA512
db9620ba629f60ea1d215b220fc5eac42159b916e913bb93dbae179c585a55dff48fdf115e93799992aa5ae1303590906b0fdafe0f11420512e77dc171a70eb7

Download Submit
C:\Windows\PLA\OSPPSVC.exe

Filesize
4.9MB

MD5
f954807077449b5cc1d07ed866dc8e06

SHA1
af066d14f43a45603e8de65123f8816989b392d7

SHA256
eceb9868a4a69e49933d729c6ae015e2c569818ff44dfe41b4341c28c42e9274

SHA512
df0cdb0771fcb063f1e539b01aae5d19c9019dc8aef972180c60682eeeb4d17f1e55198b457978f793fc8bf13e28922f9745be480132598c819ec102e6360f75

Download Submit
memory/828-191-0x0000000000B10000-0x0000000001004000-memory.dmp

Filesize
5.0MB

Download
memory/1380-296-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1512-221-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1512-220-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/1588-144-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1644-6-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/1644-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1644-1-0x00000000003B0000-0x00000000008A4000-memory.dmp

Filesize
5.0MB

Download
memory/1644-16-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/1644-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1644-7-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/1644-142-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1644-10-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1644-15-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1644-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1644-14-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/1644-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1644-8-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1644-9-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/1644-3-0x000000001B410000-0x000000001B53E000-memory.dmp

Filesize
1.2MB

Download
memory/1644-12-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/1644-5-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1644-13-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/1744-251-0x0000000000250000-0x0000000000744000-memory.dmp

Filesize
5.0MB

Download
memory/2076-281-0x0000000000E50000-0x0000000001344000-memory.dmp

Filesize
5.0MB

Download
memory/2320-143-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2328-205-0x00000000011F0000-0x00000000016E4000-memory.dmp

Filesize
5.0MB

Download
memory/2868-311-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2888-266-0x0000000000930000-0x0000000000E24000-memory.dmp

Filesize
5.0MB

Download
memory/2900-326-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download
memory/2900-327-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/3048-236-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download