dcrat | 5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Size

4.9MB
MD5

e5419ae77552fe04bb2ec920efdb2552
SHA1

1d374f0185758eedc26360c4bf3b13b97c4534e2
SHA256

5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac
SHA512

8479cf2f4949dd52080a4d4ad364a6f904c3ecc9675b0f2f313075e3a5ab7088fa2cde86568ea21422eccf5475f767229d054c7944a45ed6cf0619a943f6d49e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2664	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2496-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
2236	powershell.exe
1708	powershell.exe
2596	powershell.exe
956	powershell.exe
2772	powershell.exe
2776	powershell.exe
3012	powershell.exe
2700	powershell.exe
2460	powershell.exe
2636	powershell.exe
2220	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2552	Idle.exe
2256	Idle.exe
2592	Idle.exe
2700	Idle.exe
2752	Idle.exe
2524	Idle.exe
2952	Idle.exe
1644	Idle.exe
2360	Idle.exe
1856	Idle.exe
2648	Idle.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\explorer.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXD3DE.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b75386f1303e64	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Uninstall Information\7a0fd90576e088	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXC277.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXCD65.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\886983d96e3d3e	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXC8F0.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\explorer.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\0a1fd5f707cd16	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\5940a34987c991	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXCB61.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\it-IT\smss.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Windows\Branding\Basebrd\it-IT\69ddcba757bf72	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Windows\twain_32\explorer.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File created	C:\Windows\twain_32\7a0fd90576e088	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\RCXD5E1.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\smss.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Windows\twain_32\RCXD9E9.tmp	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
File opened for modification	C:\Windows\twain_32\explorer.exe	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
648	schtasks.exe
1860	schtasks.exe
444	schtasks.exe
1704	schtasks.exe
2600	schtasks.exe
852	schtasks.exe
2176	schtasks.exe
1724	schtasks.exe
1392	schtasks.exe
1856	schtasks.exe
2016	schtasks.exe
2888	schtasks.exe
3016	schtasks.exe
1636	schtasks.exe
2456	schtasks.exe
960	schtasks.exe
2804	schtasks.exe
2796	schtasks.exe
2752	schtasks.exe
2124	schtasks.exe
2432	schtasks.exe
2316	schtasks.exe
788	schtasks.exe
2012	schtasks.exe
2616	schtasks.exe
2172	schtasks.exe
2820	schtasks.exe
2024	schtasks.exe
3020	schtasks.exe
1540	schtasks.exe
1464	schtasks.exe
684	schtasks.exe
1148	schtasks.exe
2764	schtasks.exe
336	schtasks.exe
1072	schtasks.exe
2624	schtasks.exe
2568	schtasks.exe
1964	schtasks.exe
1604	schtasks.exe
2784	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
2776	powershell.exe
2220	powershell.exe
2636	powershell.exe
956	powershell.exe
2236	powershell.exe
2700	powershell.exe
1708	powershell.exe
2460	powershell.exe
3012	powershell.exe
2872	powershell.exe
2596	powershell.exe
2772	powershell.exe
2552	Idle.exe
2256	Idle.exe
2592	Idle.exe
2700	Idle.exe
2752	Idle.exe
2524	Idle.exe
2952	Idle.exe
1644	Idle.exe
2360	Idle.exe
1856	Idle.exe
2648	Idle.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2552	Idle.exe
Token: SeDebugPrivilege	2256	Idle.exe
Token: SeDebugPrivilege	2592	Idle.exe
Token: SeDebugPrivilege	2700	Idle.exe
Token: SeDebugPrivilege	2752	Idle.exe
Token: SeDebugPrivilege	2524	Idle.exe
Token: SeDebugPrivilege	2952	Idle.exe
Token: SeDebugPrivilege	1644	Idle.exe
Token: SeDebugPrivilege	2360	Idle.exe
Token: SeDebugPrivilege	1856	Idle.exe
Token: SeDebugPrivilege	2648	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2772	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	74
PID 2496 wrote to memory of 2772	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	74
PID 2496 wrote to memory of 2772	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	74
PID 2496 wrote to memory of 956	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	75
PID 2496 wrote to memory of 956	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	75
PID 2496 wrote to memory of 956	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	75
PID 2496 wrote to memory of 2220	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	76
PID 2496 wrote to memory of 2220	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	76
PID 2496 wrote to memory of 2220	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	76
PID 2496 wrote to memory of 2636	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	77
PID 2496 wrote to memory of 2636	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	77
PID 2496 wrote to memory of 2636	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	77
PID 2496 wrote to memory of 2596	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	78
PID 2496 wrote to memory of 2596	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	78
PID 2496 wrote to memory of 2596	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	78
PID 2496 wrote to memory of 2776	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	79
PID 2496 wrote to memory of 2776	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	79
PID 2496 wrote to memory of 2776	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	79
PID 2496 wrote to memory of 3012	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	80
PID 2496 wrote to memory of 3012	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	80
PID 2496 wrote to memory of 3012	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	80
PID 2496 wrote to memory of 2700	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	81
PID 2496 wrote to memory of 2700	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	81
PID 2496 wrote to memory of 2700	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	81
PID 2496 wrote to memory of 2872	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	82
PID 2496 wrote to memory of 2872	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	82
PID 2496 wrote to memory of 2872	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	82
PID 2496 wrote to memory of 2460	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	83
PID 2496 wrote to memory of 2460	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	83
PID 2496 wrote to memory of 2460	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	83
PID 2496 wrote to memory of 2236	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	84
PID 2496 wrote to memory of 2236	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	84
PID 2496 wrote to memory of 2236	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	84
PID 2496 wrote to memory of 1708	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	85
PID 2496 wrote to memory of 1708	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	85
PID 2496 wrote to memory of 1708	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	85
PID 2496 wrote to memory of 1632	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	98
PID 2496 wrote to memory of 1632	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	98
PID 2496 wrote to memory of 1632	2496	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe	98
PID 1632 wrote to memory of 392	1632	cmd.exe	100
PID 1632 wrote to memory of 392	1632	cmd.exe	100
PID 1632 wrote to memory of 392	1632	cmd.exe	100
PID 1632 wrote to memory of 2552	1632	cmd.exe	101
PID 1632 wrote to memory of 2552	1632	cmd.exe	101
PID 1632 wrote to memory of 2552	1632	cmd.exe	101
PID 2552 wrote to memory of 2780	2552	Idle.exe	102
PID 2552 wrote to memory of 2780	2552	Idle.exe	102
PID 2552 wrote to memory of 2780	2552	Idle.exe	102
PID 2552 wrote to memory of 2732	2552	Idle.exe	103
PID 2552 wrote to memory of 2732	2552	Idle.exe	103
PID 2552 wrote to memory of 2732	2552	Idle.exe	103
PID 2780 wrote to memory of 2256	2780	WScript.exe	104
PID 2780 wrote to memory of 2256	2780	WScript.exe	104
PID 2780 wrote to memory of 2256	2780	WScript.exe	104
PID 2256 wrote to memory of 1148	2256	Idle.exe	105
PID 2256 wrote to memory of 1148	2256	Idle.exe	105
PID 2256 wrote to memory of 1148	2256	Idle.exe	105
PID 2256 wrote to memory of 2904	2256	Idle.exe	106
PID 2256 wrote to memory of 2904	2256	Idle.exe	106
PID 2256 wrote to memory of 2904	2256	Idle.exe	106
PID 1148 wrote to memory of 2592	1148	WScript.exe	107
PID 1148 wrote to memory of 2592	1148	WScript.exe	107
PID 1148 wrote to memory of 2592	1148	WScript.exe	107
PID 2592 wrote to memory of 1732	2592	Idle.exe	108

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
"C:\Users\Admin\AppData\Local\Temp\5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nao4r3B8HE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:392
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85f41633-9bae-4f52-9101-7988e3ca5674.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2256
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ea742d8-75b8-49c7-9cb6-3ab93db563e1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ad16db3-b062-48c0-9bed-0644731e619c.vbs"
        8⤵
        
        PID:1732
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e7f18a8-728c-4232-a1b8-0cd1b17e3f5d.vbs"
        10⤵
        
        PID:1880
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee412ce-17f0-430b-9477-d5a7baea14f6.vbs"
        12⤵
        
        PID:3052
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb5bbe1f-2144-4368-beb2-51393946b9de.vbs"
        14⤵
        
        PID:1808
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa4dd24-8cdf-4e2a-9e22-517188d1205e.vbs"
        16⤵
        
        PID:2384
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d98d18a-e0cf-4c9f-887c-6b16a0de3ac9.vbs"
        18⤵
        
        PID:444
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e434b1-a62b-4edc-8d91-c493f93261f1.vbs"
        20⤵
        
        PID:1300
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0a3342-a768-4939-871d-8f35543e3dd2.vbs"
        22⤵
        
        PID:992
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8c34b2-45b6-498e-9247-7d6aef20f64b.vbs"
        24⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0301f1b-7ee1-4833-9547-2aa3f1d69612.vbs"
        24⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84f09fb6-aebe-42d7-bc1f-497319bad11d.vbs"
        22⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3965b61c-36fc-4dea-9582-02655ba7ce5f.vbs"
        20⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e153671-6293-4d01-843c-bfc3d3b1b92b.vbs"
        18⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\354595af-116a-4b0d-95e6-3b4c85339b44.vbs"
        16⤵
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1492078a-afd1-4894-9a10-ace1b47dd1a6.vbs"
        14⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1566000a-0cc7-4d7b-8891-a3c11765a0e8.vbs"
        12⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07acf5af-57f2-4f6c-96ae-54f9f04a7162.vbs"
        10⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35369fef-1572-4c39-9c35-fda099340851.vbs"
        8⤵
        
        PID:2960
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10d211b6-dff6-4f4c-bfa8-8be247edb7f1.vbs"
        6⤵
        
        PID:2904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cd27701-2c33-409b-99d3-8af1f809aeac.vbs"
      4⤵
      PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXD3DE.tmp

Filesize
4.9MB

MD5
0f122bb83be4ff453e16ea298c426799

SHA1
c00768f3a226a908391d00eff03eb3bee65c45ab

SHA256
74b4251af737017c6a4a803f3f068e6139e7693951b2434bfba4cfc7a6f10a96

SHA512
ac8291390678c77f928a72b1c872c1a38a37657827ad7619263d8e2e831c1b662aa5c133d844aa186467726dac4a0a680c664a73b7dce5a266e6589404f3b584

Download Submit
C:\Program Files (x86)\Uninstall Information\explorer.exe

Filesize
4.9MB

MD5
e5419ae77552fe04bb2ec920efdb2552

SHA1
1d374f0185758eedc26360c4bf3b13b97c4534e2

SHA256
5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac

SHA512
8479cf2f4949dd52080a4d4ad364a6f904c3ecc9675b0f2f313075e3a5ab7088fa2cde86568ea21422eccf5475f767229d054c7944a45ed6cf0619a943f6d49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\09e434b1-a62b-4edc-8d91-c493f93261f1.vbs

Filesize
760B

MD5
61330146d587e5b49fdbb63c25347cf9

SHA1
757e8b8409d32227354096242088e4c669419f84

SHA256
3a9acb2d350f04bb5ed51a55b2fcbded06a3b6749b1166989dc491c36a99b02b

SHA512
e5545d2c5a57dc7f0ff5f609b9ee1c3143dcac96be61d80813d1c3508e1a718e844f0d48ccd5ef61a8d05b1e166c852c789b8c5ac84f3bb32c6eeb888b33de8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ea742d8-75b8-49c7-9cb6-3ab93db563e1.vbs

Filesize
760B

MD5
db5c093365e82080d9a1aba6bb439e36

SHA1
b347423790cea4618149a9abf7206e044408801d

SHA256
1bda2dcb6e6473840a593efc9c690d76dcaceaeadecd106256a4d8d50c738dc8

SHA512
f4afc1a4bcf9b3ba7146f0e46f27282cabe667f65ec0efc25459e67b845737b9225c193f57ec768abf8537022f60f95af417a46058a0bb31c0cbd134969fcb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e7f18a8-728c-4232-a1b8-0cd1b17e3f5d.vbs

Filesize
760B

MD5
54044d9a6beae9dcb045b5525f30d515

SHA1
196307234543124e8aac50a66fa45bb06531ed15

SHA256
28b8c67efdce28f002ec01e59ff0ebb14ec075760aba87fdfe66f68c85fb84d0

SHA512
d6b1c631dd63daadd845ca8600312c7febfa6a11159e6e450225403834ad3f9279acccda2ac6bbabcd42b377ddb52a25d079e032d4e914ebbce3667919403648

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fa4dd24-8cdf-4e2a-9e22-517188d1205e.vbs

Filesize
760B

MD5
2975b4342258de0de2963523a3639ff5

SHA1
32163594e4119d3d0313aa6c91b938988c2f8af6

SHA256
1ebdb4387db958b362613248eca2139d90cd33c10e2bc0a70f98557fdd5072b8

SHA512
d25c2afb230d8cc244188ab923b7117e982a70a73a528325f4119526f64a0d4884ff356d5fe79efa661e1a92665dfa6be979c8fb7360fc0e34e68ca2aa8f73e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee412ce-17f0-430b-9477-d5a7baea14f6.vbs

Filesize
760B

MD5
16a94ffab9ab31232ce793bc01e7b4eb

SHA1
086cb34580db35944197760c2c57c4e64e7edc1c

SHA256
fccc44a27bc82399a60042ea6e08a06e7de2d44f330611cd5826e69753a97694

SHA512
ab2b44248ecb6223e2bac788d813ee28dac415b5135f1ac0046087ab10eccdebbf687435066fc11491325af0af3acc414d20c23c91f0147d1521cdd33350692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ad16db3-b062-48c0-9bed-0644731e619c.vbs

Filesize
760B

MD5
087f6a5e5333bd396d20ef9294dae6e9

SHA1
cf9473e9bfaa7300033b915cf89ffa123982d02a

SHA256
69a622a0e1df2677e5c58b171e653dcb9e3790956dd234664056b48dc8263dd6

SHA512
efd903919884180220add749871db02e03c7881e2eec07f474d2a0ff6959d71f0f70c605ef116edaac3c164fe79b676343f204c4e0ac2d5196f753b91fc7a085

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d98d18a-e0cf-4c9f-887c-6b16a0de3ac9.vbs

Filesize
760B

MD5
c988e50875583632318a9935194b53e2

SHA1
11f122fed2214431b7debdc4d9064c895fb38689

SHA256
150b79ea554df20c7a52a1fbb7c1d040e124a0cbf84238be6211b88c2fce58b9

SHA512
1d717bd035056a2322c4595db6c96fafc1a50fb9dce4626a9286a60ea33c81291d0e6171189c0ffe7fd39353688fb53ec2dad5bf4836de98d774c757349971df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f8c34b2-45b6-498e-9247-7d6aef20f64b.vbs

Filesize
760B

MD5
14f5842bbd7e2bcd81ecfd5681720912

SHA1
c184710c637ceead87dfbad26325a9fef9660a97

SHA256
d49b844dc3a4f6d834f429b6a233cb852fd34bbc6305d8a9d2ad11543496a44f

SHA512
351f34f9fb9db2353300e27b813593d54b2a3989446ecacdde31c576c077791d7e75e204a5023db900b97df0d41ca9ee851fd3a0a7b0d9c79e7fb83204750a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cd27701-2c33-409b-99d3-8af1f809aeac.vbs

Filesize
536B

MD5
536bf1c781912d06c7d3fc106a9f8454

SHA1
ccdcb4fcc9102a906004dbb3610b7da7a77a5507

SHA256
576ee8d8db7916343a3a8ac9f666a2a5653b017ef76f1e920a1e71222afbf071

SHA512
8922a71d723c9eaefae5ba02c933c7ae27c7ad1e542ad5086290b1114dc691c84f25f26118eafbc65770d8e012276f4061eca12b6e817d33b98db9e31fbfa63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\85f41633-9bae-4f52-9101-7988e3ca5674.vbs

Filesize
760B

MD5
bc4da5c04bdd36289652146436f86ac1

SHA1
8695d94a23132838eb0b297eb72949b1e50deb6d

SHA256
f4d9d59abf3e42bb14e9cdcafbc81b7da8878b86d502eba3eb26bb8d56e1714b

SHA512
2e9a84587ee3828b5050af055e57bdcd3bcd9259cf2e399bd8ef680b08777de4b8ef133bff281062df5a12ac9e0ee4fa0f6f122b2629efff8a9df8a245a6dcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f0a3342-a768-4939-871d-8f35543e3dd2.vbs

Filesize
760B

MD5
b4c7093954ab5d6db4e49eebc34ea368

SHA1
72da175f4e43ff4fa767fffb4c038dd23ee7ed41

SHA256
073aa0c1251bbac7c752afa3a263d32b94119d06a9df0339412c9f1837395bc6

SHA512
dfa20fbf981d2cf3de7a80f482f994b0574e9b95f75b5db998628282abb462e8db96a5099cba50f8673253a7624168739223b9cca67b7457fddf352b5383795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nao4r3B8HE.bat

Filesize
249B

MD5
fce89637a1c22c49ebc43327068ed13a

SHA1
4bf3e0e63a5dc13f89d7c4335c822cd14412eb30

SHA256
da0745473b0ecae5806e782e762d1149941a9707ed5650551724d754d4f7c4da

SHA512
2afd1a477d27730d877560ae20f9e95e4fd45f3cc03022f075da3cab07974ce257ee029ac86ba3846feb17043c8f1e8bd39de07150879e1a429a4dd82955769e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb5bbe1f-2144-4368-beb2-51393946b9de.vbs

Filesize
760B

MD5
3ba421ae7c5328a15f3b13bb38fd3cd2

SHA1
b384cb136e849a638a827336f9019cbb189d0cee

SHA256
b8d1840c4b54712182b4b50d6f797c3e00c31bb3ce24a09226e8c44e3760a8b6

SHA512
1af337009d4b457e52e7598e4fd040445e1f1c5772a3fefcc11ec5bcc202d0b52dd6a0ef404541c8d95812040c585d41989cb4209969df8104a5bc7783fdf587

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp474.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGCWOJKCANFWDYVUNO5T.temp

Filesize
7KB

MD5
3b22393dcaa8d1fa633a4a7b15fcf988

SHA1
7971f03ccd6266c7ccc87045d0cab699c947bebb

SHA256
2861e75110a6197c2453a9805883c2f65ec633186641d991a6ed8e6a92545a97

SHA512
8739d65706b98918c63f678f05d5fe8729b46c197d58a8d13706f782a7fd059766d2ce36067125816746503303617ad83e11f994b9e9b22e3aadcd7ce9545e84

Download Submit
C:\Users\Default\AppData\Roaming\RCXCF69.tmp

Filesize
4.9MB

MD5
5421ea1127dd5d2deca96f8c9cb2124d

SHA1
18373a79defe7e1c1e6c8dd76a799b6123286fbe

SHA256
1bd3b06b510534dc76b5fff2085bff3c88acbccc7109a6f7965aaca5ee4480bc

SHA512
114cec8d9e298c241569d42a66930be66521ed50414e4c4b8d69c2593b41dcbb66bea800c31a4b0936c15bfbf24482a2c0764be506ba613c49a498468800d406

Download Submit
memory/2220-182-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2236-180-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2360-332-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/2496-6-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2496-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-183-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-15-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2496-14-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2496-9-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2496-13-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2496-12-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2496-11-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2496-10-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2496-1-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/2496-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2496-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp

Filesize
1.2MB

Download
memory/2496-7-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/2496-8-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2496-145-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2496-16-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2496-5-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2496-4-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/2524-289-0x000000001B330000-0x000000001B342000-memory.dmp

Filesize
72KB

Download
memory/2524-288-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/2552-217-0x0000000000940000-0x0000000000E34000-memory.dmp

Filesize
5.0MB

Download
memory/2592-245-0x00000000010C0000-0x00000000015B4000-memory.dmp

Filesize
5.0MB

Download
memory/2648-361-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download