dcrat | 9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Size

4.9MB
MD5

4da9ed14404a53268904e7dd6959f52b
SHA1

c3d798fd07decc8136c52523428d02610fad42c4
SHA256

9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764
SHA512

cba29b2cce4fa6211409fea7103d12f7ab4408e9c1916c77c2de44106a52a1d34eab1c73331768e5e8d49127b8bdd54d08a8ab4889a11fc80b03db11ce7fa284
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx87:j

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2404	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2404	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2432-2-0x000000001B490000-0x000000001B5BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
704	powershell.exe
2232	powershell.exe
2836	powershell.exe
1700	powershell.exe
408	powershell.exe
1576	powershell.exe
2968	powershell.exe
1816	powershell.exe
2400	powershell.exe
856	powershell.exe
1552	powershell.exe
1980	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2620	winlogon.exe
2148	winlogon.exe
1616	winlogon.exe
340	winlogon.exe
1984	winlogon.exe
2812	winlogon.exe
408	winlogon.exe
2372	winlogon.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX67EF.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\RCX6FFE.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\audiodg.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\6203df4a6bafc7	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\audiodg.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\lsass.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\RCX6167.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\MSBuild\OSPPSVC.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX7CEF.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\b75386f1303e64	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\42af1c969fbb7b	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\886983d96e3d3e	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\lsass.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\MSBuild\1610b97d3ab4a7	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files\MSBuild\RCX657E.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files\MSBuild\OSPPSVC.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX7677.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Windows\L2Schemas\e4d1914201aad4	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Windows\Branding\ShellBrd\OSPPSVC.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Windows\Branding\ShellBrd\1610b97d3ab4a7	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Windows\L2Schemas\RCX5A9F.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCX7202.tmp	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File opened for modification	C:\Windows\Branding\ShellBrd\OSPPSVC.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
File created	C:\Windows\L2Schemas\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2132	schtasks.exe
444	schtasks.exe
1968	schtasks.exe
1976	schtasks.exe
1828	schtasks.exe
884	schtasks.exe
2840	schtasks.exe
672	schtasks.exe
2688	schtasks.exe
2108	schtasks.exe
844	schtasks.exe
340	schtasks.exe
1644	schtasks.exe
2416	schtasks.exe
1156	schtasks.exe
1164	schtasks.exe
2412	schtasks.exe
2876	schtasks.exe
1980	schtasks.exe
1356	schtasks.exe
2296	schtasks.exe
1832	schtasks.exe
1352	schtasks.exe
2964	schtasks.exe
2836	schtasks.exe
2624	schtasks.exe
792	schtasks.exe
584	schtasks.exe
2380	schtasks.exe
2984	schtasks.exe
1308	schtasks.exe
1800	schtasks.exe
1864	schtasks.exe
2952	schtasks.exe
2552	schtasks.exe
1316	schtasks.exe
1932	schtasks.exe
776	schtasks.exe
2992	schtasks.exe
2224	schtasks.exe
1492	schtasks.exe
1972	schtasks.exe
320	schtasks.exe
1720	schtasks.exe
1988	schtasks.exe
316	schtasks.exe
2148	schtasks.exe
1948	schtasks.exe
1232	schtasks.exe
2456	schtasks.exe
2528	schtasks.exe
2184	schtasks.exe
1544	schtasks.exe
2464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
856	powershell.exe
1980	powershell.exe
408	powershell.exe
2968	powershell.exe
2400	powershell.exe
1552	powershell.exe
2232	powershell.exe
2836	powershell.exe
1816	powershell.exe
1576	powershell.exe
1700	powershell.exe
704	powershell.exe
2620	winlogon.exe
2148	winlogon.exe
1616	winlogon.exe
340	winlogon.exe
1984	winlogon.exe
2812	winlogon.exe
408	winlogon.exe
2372	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2620	winlogon.exe
Token: SeDebugPrivilege	2148	winlogon.exe
Token: SeDebugPrivilege	1616	winlogon.exe
Token: SeDebugPrivilege	340	winlogon.exe
Token: SeDebugPrivilege	1984	winlogon.exe
Token: SeDebugPrivilege	2812	winlogon.exe
Token: SeDebugPrivilege	408	winlogon.exe
Token: SeDebugPrivilege	2372	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 408	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 2432 wrote to memory of 408	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 2432 wrote to memory of 408	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	86
PID 2432 wrote to memory of 1576	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 2432 wrote to memory of 1576	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 2432 wrote to memory of 1576	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	87
PID 2432 wrote to memory of 1816	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 2432 wrote to memory of 1816	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 2432 wrote to memory of 1816	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	88
PID 2432 wrote to memory of 2968	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	90
PID 2432 wrote to memory of 2968	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	90
PID 2432 wrote to memory of 2968	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	90
PID 2432 wrote to memory of 704	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	93
PID 2432 wrote to memory of 704	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	93
PID 2432 wrote to memory of 704	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	93
PID 2432 wrote to memory of 2400	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	95
PID 2432 wrote to memory of 2400	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	95
PID 2432 wrote to memory of 2400	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	95
PID 2432 wrote to memory of 856	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	96
PID 2432 wrote to memory of 856	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	96
PID 2432 wrote to memory of 856	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	96
PID 2432 wrote to memory of 1980	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 2432 wrote to memory of 1980	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 2432 wrote to memory of 1980	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	97
PID 2432 wrote to memory of 2232	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	98
PID 2432 wrote to memory of 2232	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	98
PID 2432 wrote to memory of 2232	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	98
PID 2432 wrote to memory of 2836	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	100
PID 2432 wrote to memory of 2836	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	100
PID 2432 wrote to memory of 2836	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	100
PID 2432 wrote to memory of 1552	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	101
PID 2432 wrote to memory of 1552	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	101
PID 2432 wrote to memory of 1552	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	101
PID 2432 wrote to memory of 1700	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	103
PID 2432 wrote to memory of 1700	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	103
PID 2432 wrote to memory of 1700	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	103
PID 2432 wrote to memory of 2440	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	110
PID 2432 wrote to memory of 2440	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	110
PID 2432 wrote to memory of 2440	2432	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe	110
PID 2440 wrote to memory of 3068	2440	cmd.exe	112
PID 2440 wrote to memory of 3068	2440	cmd.exe	112
PID 2440 wrote to memory of 3068	2440	cmd.exe	112
PID 2440 wrote to memory of 2620	2440	cmd.exe	113
PID 2440 wrote to memory of 2620	2440	cmd.exe	113
PID 2440 wrote to memory of 2620	2440	cmd.exe	113
PID 2620 wrote to memory of 1792	2620	winlogon.exe	114
PID 2620 wrote to memory of 1792	2620	winlogon.exe	114
PID 2620 wrote to memory of 1792	2620	winlogon.exe	114
PID 2620 wrote to memory of 2264	2620	winlogon.exe	115
PID 2620 wrote to memory of 2264	2620	winlogon.exe	115
PID 2620 wrote to memory of 2264	2620	winlogon.exe	115
PID 1792 wrote to memory of 2148	1792	WScript.exe	117
PID 1792 wrote to memory of 2148	1792	WScript.exe	117
PID 1792 wrote to memory of 2148	1792	WScript.exe	117
PID 2148 wrote to memory of 1032	2148	winlogon.exe	118
PID 2148 wrote to memory of 1032	2148	winlogon.exe	118
PID 2148 wrote to memory of 1032	2148	winlogon.exe	118
PID 2148 wrote to memory of 2416	2148	winlogon.exe	119
PID 2148 wrote to memory of 2416	2148	winlogon.exe	119
PID 2148 wrote to memory of 2416	2148	winlogon.exe	119
PID 1032 wrote to memory of 1616	1032	WScript.exe	120
PID 1032 wrote to memory of 1616	1032	WScript.exe	120
PID 1032 wrote to memory of 1616	1032	WScript.exe	120
PID 1616 wrote to memory of 700	1616	winlogon.exe	121

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe
"C:\Users\Admin\AppData\Local\Temp\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eSMsDQCmtw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3068
- - C:\Users\Admin\Music\winlogon.exe
    "C:\Users\Admin\Music\winlogon.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2620
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bb5b5e7-1fed-4d50-ac5d-447775af3949.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2148
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3e51d4-6fa0-48a6-870f-da2b84f4689e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd7d3d1c-44fb-4d7a-be1f-390e0a9c1cb4.vbs"
        8⤵
        
        PID:700
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a06fb48-e55c-42cf-a47d-9a47418bdc9b.vbs"
        10⤵
        
        PID:2704
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a864ae-fc81-4ca8-b731-8dcbce8f9eea.vbs"
        12⤵
        
        PID:1316
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24133028-3b46-4a04-9133-6510886a9fa8.vbs"
        14⤵
        
        PID:764
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98d90cf6-ff02-4813-9876-0bb2a99cef4e.vbs"
        16⤵
        
        PID:2004
        
        C:\Users\Admin\Music\winlogon.exe
        
        C:\Users\Admin\Music\winlogon.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a020d9b1-b7b2-4f1c-a352-0cc8f4145f9f.vbs"
        18⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8928840f-a73e-4adb-a25f-7c53c3aef8dc.vbs"
        18⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb57244a-0ba0-4647-88cc-2ea0f9d1044e.vbs"
        16⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc5ee835-8af9-4172-b74c-05913d15256e.vbs"
        14⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c1540a-6675-41da-b54f-1a0c32768c95.vbs"
        12⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f79d31e3-2b67-4c4b-abd5-7e1c630d900e.vbs"
        10⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e56029-c7bf-4182-be07-ea558e77be99.vbs"
        8⤵
        
        PID:1276
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c952e804-e06d-49a5-a9e7-ddef4e8de445.vbs"
        6⤵
        
        PID:2416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eeed317-492b-4843-b3da-431bc8a7b900.vbs"
      4⤵
      PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f7649" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764" /sc ONLOGON /tr "'C:\Windows\L2Schemas\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f7649" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0bb5b5e7-1fed-4d50-ac5d-447775af3949.vbs

Filesize
709B

MD5
821b5a4d69a03f4900ec563ca7f25301

SHA1
901158b1b0da89b7ec5c5904291128eddb722708

SHA256
636fb130a1e1b8f8df54270300ece6e6462a53f866e5655833a1eadfbb4b20f9

SHA512
472e627ab90c132568daf8aff62401f2965df1d3f04bc13dcf68faa80b9c7ec8983fb3d2d51ce2bffca9a90c1d05fba4e492405552b94ca837b5aa320fb1aed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\24133028-3b46-4a04-9133-6510886a9fa8.vbs

Filesize
709B

MD5
8155bebd2c188d37a68083210ee8d52c

SHA1
64cd245ee2d43001094cdf46c5c3b718838db8c9

SHA256
f4aa416e4f50e2db9fcc4f1ae174ff574c79a2f3933d5dc3ca72a1ef17834071

SHA512
3ca54e8ecaf1d1ad33b6826d3b5edcd4465699554019865c57fd9bf8d70e3ec04c98a1492d32739fb99020b80269f5405ce19464ce8525a190b0c506a1bbe7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\43a864ae-fc81-4ca8-b731-8dcbce8f9eea.vbs

Filesize
709B

MD5
33f3658a2626b3a49f2d46206114d8d3

SHA1
fceee7468d9d1c461f0f83cdc7ff43037ead4952

SHA256
c79a8f94aed08e340e5b180e36d428a2298b4d58eafab46dd0eab3ae6705c648

SHA512
bc02342fe9c7c993a316ccc889f045e4b7d88f6ab49353bed74a1fddfd0e70a5ab9590c4e4ff5266950043df83a75743c59b93b582bd30db69c425102082213c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eeed317-492b-4843-b3da-431bc8a7b900.vbs

Filesize
485B

MD5
af9a7dae8df0a025faa12470f6ef5cfd

SHA1
d0ef25263530f76d9e2515d2c75a2b856a13f828

SHA256
1f5c085b19d0b63eeeb6b64731da00d867abe6a9caeb45df9414ad7e3fd784dc

SHA512
87ec7d30d4739a37085a5984ad18247d5070ddb9861cfdf39d57e947d3d71738cd6831dfcf31676c7af81313b72fd246bd62547210fa588e22da09d9db5ab7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\64d4e8ccf489ae3286332e24d7cacae58b7aad22.exe

Filesize
4.9MB

MD5
1c2f1c8f1f10d0c9c3992c594c1a6c06

SHA1
0d977747eecc99337a9c01d1a05a631de1b1c9b6

SHA256
630e6103e6af6e567251d6f48226133ba25efa5c042a88016924576139a351a1

SHA512
ef163cf1ee4a8065b490782d50ac658f2c8b027043f5c88202840d7d610dacd9574377871c8bf8b7e7262e70c824eb420dcdb48e6c7c219ad192d7e55ca32d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a06fb48-e55c-42cf-a47d-9a47418bdc9b.vbs

Filesize
708B

MD5
f382dfd0c5691c1f569c1262daf41e32

SHA1
88731a210cd6b65293f00068390cc3e4c082f3a5

SHA256
5a84a86fbadc2b0fa6a7ee91cbbb915f48e8222b9a4ac83042f83cc686a393c5

SHA512
7470a9711b4d356fd8c12e584f3c8181ecd0bcee67fad7f3bd338ccc2734c80633f4f513be56b175333ed6ff1d6909918df7093b3acd060e0a00075c19f7453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98d90cf6-ff02-4813-9876-0bb2a99cef4e.vbs

Filesize
708B

MD5
c20589891a6cbd7686b74c5f905dcdbf

SHA1
8484dd0914048e2d4ff610e1d9282040075b3a8a

SHA256
0f513100250e3fade393bfd6beae49820f47bc841e2ac61a146c5b86d382dee7

SHA512
5e238cd49fc78b6a6c8d6e8e35bbd1271dd5d17e7d84b30055cbbd26c266b8c0b69ff0fa1e7b9668bc4e48964b1c721a45cd015a27a807d2c6d82d088e8ac3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a020d9b1-b7b2-4f1c-a352-0cc8f4145f9f.vbs

Filesize
709B

MD5
573b33f8b3662de5c3fcc19df6361820

SHA1
80798bd278985b296072467e41ccf57e48bb205c

SHA256
aef9c242c93ffd8b7c5b44ca287ab0e88dc7306f5a865ff9065f59b4978f899d

SHA512
a8901029c2ad1acba81753c2de32466dbb20e76d5c5b9687e0fc81df002894b56b71679c129572333b31d18bc13c92f89cb313ccc22ffa9b86e57e2944c58779

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd3e51d4-6fa0-48a6-870f-da2b84f4689e.vbs

Filesize
709B

MD5
97dcb8f8c8ccc60924bab86b3642bc14

SHA1
ad49e21d9404b5616b768eda2298ba347e133524

SHA256
564d3a008d8c7cfc8a4f2d4d403b4ed32744fdb47c37a34db3ebcce065b48172

SHA512
d0096fe893fb3254e48eefa006fbd22aeb198b6c0d88a46572ccc071d68056a1b0bdc1a0b4958d1c2515ef1678065f2c52993f83e206c0b9174e7f79a6301b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7d3d1c-44fb-4d7a-be1f-390e0a9c1cb4.vbs

Filesize
709B

MD5
9d1641d97b877ec589f741b4b3d34b3b

SHA1
014d2322d1ca6ba20dbb08cb09892efb40fa78f1

SHA256
dd3406b58bbc6554273b89a51627f014578b37a16ed4c809c84331dfe8c9715f

SHA512
6cf967f14bde00f9938dad0efa71c437194ddebe29dd8c31feb83d69e1fb400a6e0c33d51374618c5313b2625e58dcbed0c6ecf5df98eb461bd05ddc9dfbb68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSMsDQCmtw.bat

Filesize
198B

MD5
29c59cad62692cc20877e2d1053e0287

SHA1
b1d5a0cbf4aeaa7f22f0e6857a7cb21ca247e089

SHA256
080f3e7a8fd669f46b5eeef1efe3157447c5fcbbd2e93e41ad305b80f9241698

SHA512
6f5789e68dc7785f1c5ec54211db8a2ccb940f5f3086ebb479cce0cee8e747358f2ac8f36587f70710625980880238a1d847f158050104bd9a104be410573d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0A9.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
71d2e0320b95c0a30fba0fc1c5849be8

SHA1
f92b373ab7e91379385596f2de98fe12f863d468

SHA256
a852f14472b5f33eff86f4a44f3f079a4fa55ff110b43476aa8622730a6f7d23

SHA512
53b47054451b372a6858faabdef7f13d77e2690e7b933cc944c22ce07a39291d723578f389ab1decad65a87220ced21304c5a7c3f0cd32473e37cdfbe9b35516

Download Submit
C:\Users\Default\wininit.exe

Filesize
4.9MB

MD5
4da9ed14404a53268904e7dd6959f52b

SHA1
c3d798fd07decc8136c52523428d02610fad42c4

SHA256
9aaa74c410a6e97b930a65c1f088598ceab8054b9bc1928b31a4a57a1e98f764

SHA512
cba29b2cce4fa6211409fea7103d12f7ab4408e9c1916c77c2de44106a52a1d34eab1c73331768e5e8d49127b8bdd54d08a8ab4889a11fc80b03db11ce7fa284

Download Submit
memory/340-298-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/408-343-0x0000000000E90000-0x0000000001384000-memory.dmp

Filesize
5.0MB

Download
memory/856-194-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/856-199-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2148-269-0x0000000001230000-0x0000000001724000-memory.dmp

Filesize
5.0MB

Download
memory/2372-358-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/2432-11-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2432-16-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/2432-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2432-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2432-14-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2432-1-0x00000000000E0000-0x00000000005D4000-memory.dmp

Filesize
5.0MB

Download
memory/2432-188-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-13-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2432-12-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/2432-3-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-154-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-10-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/2432-9-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2432-8-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2432-7-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2432-6-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/2432-2-0x000000001B490000-0x000000001B5BE000-memory.dmp

Filesize
1.2MB

Download
memory/2432-147-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/2432-4-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2620-255-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download
memory/2620-254-0x0000000000AB0000-0x0000000000FA4000-memory.dmp

Filesize
5.0MB

Download
memory/2812-328-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2812-327-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download