dcrat | b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

Resubmissions

25-09-2024 18:20

240925-wy2v4atbmg 10

25-09-2024 18:14

240925-wvqcwsshpe 10

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Size

4.9MB
MD5

5a9fb15e8fc1d8162c861ca1544f38f0
SHA1

a7606e286eb27a1a5e95693c594de5c65c5d7aa1
SHA256

b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a
SHA512

a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	332	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	332	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2548-2-0x000000001B490000-0x000000001B5BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
1672	powershell.exe
3056	powershell.exe
2328	powershell.exe
2036	powershell.exe
1628	powershell.exe
2956	powershell.exe
3024	powershell.exe
1712	powershell.exe
1288	powershell.exe
288	powershell.exe
2912	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
592	dwm.exe
692	dwm.exe
1256	dwm.exe
1580	dwm.exe
1260	dwm.exe
300	dwm.exe
2964	dwm.exe
1592	dwm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\it-IT\6203df4a6bafc7	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXBFD9.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Common Files\Services\b75386f1303e64	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Media Player\it-IT\6cb0b6c459d5d3	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE0C1.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Uninstall Information\lsass.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\42af1c969fbb7b	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Common Files\Services\taskhost.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Uninstall Information\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXC856.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD140.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXCAC7.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXD344.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXD5B5.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\dwm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Uninstall Information\6b21b2042cab95	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\explorer.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\taskhost.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\audiodg.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\audiodg.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Windows Media Player\it-IT\dwm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXBB54.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Uninstall Information\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\RCXE2C5.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\886983d96e3d3e	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXD7B8.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Google\Temp\explorer.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files (x86)\Google\Temp\7a0fd90576e088	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\101b941d020240	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\cc11b995f2a76d	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDA29.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\dwm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\RCXBDD5.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\PLA\Rules\RCXDC2D.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\PLA\Rules\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Vss\RCXDE31.tmp	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\Vss\System.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\6cb0b6c459d5d3	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\PLA\Rules\winlogon.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\PLA\Rules\cc11b995f2a76d	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Vss\System.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File created	C:\Windows\Vss\27d1bcfc3c54e0	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\dwm.exe	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
2924	schtasks.exe
2980	schtasks.exe
2668	schtasks.exe
1968	schtasks.exe
2308	schtasks.exe
2988	schtasks.exe
2604	schtasks.exe
1808	schtasks.exe
1680	schtasks.exe
2580	schtasks.exe
592	schtasks.exe
2040	schtasks.exe
848	schtasks.exe
820	schtasks.exe
2860	schtasks.exe
2764	schtasks.exe
1056	schtasks.exe
692	schtasks.exe
1740	schtasks.exe
2876	schtasks.exe
2344	schtasks.exe
2636	schtasks.exe
1928	schtasks.exe
896	schtasks.exe
2292	schtasks.exe
2012	schtasks.exe
2284	schtasks.exe
1312	schtasks.exe
1520	schtasks.exe
2024	schtasks.exe
2180	schtasks.exe
2776	schtasks.exe
2848	schtasks.exe
2928	schtasks.exe
2192	schtasks.exe
1728	schtasks.exe
2744	schtasks.exe
1724	schtasks.exe
1456	schtasks.exe
864	schtasks.exe
1020	schtasks.exe
2500	schtasks.exe
1392	schtasks.exe
1580	schtasks.exe
2316	schtasks.exe
1752	schtasks.exe
552	schtasks.exe
2116	schtasks.exe
1888	schtasks.exe
1716	schtasks.exe
2432	schtasks.exe
944	schtasks.exe
1340	schtasks.exe
792	schtasks.exe
1596	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
2328	powershell.exe
1712	powershell.exe
288	powershell.exe
2956	powershell.exe
1672	powershell.exe
2036	powershell.exe
2912	powershell.exe
1968	powershell.exe
3024	powershell.exe
3056	powershell.exe
1628	powershell.exe
1288	powershell.exe
592	dwm.exe
692	dwm.exe
1256	dwm.exe
1580	dwm.exe
1260	dwm.exe
300	dwm.exe
2964	dwm.exe
1592	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	592	dwm.exe
Token: SeDebugPrivilege	692	dwm.exe
Token: SeDebugPrivilege	1256	dwm.exe
Token: SeDebugPrivilege	1580	dwm.exe
Token: SeDebugPrivilege	1260	dwm.exe
Token: SeDebugPrivilege	300	dwm.exe
Token: SeDebugPrivilege	2964	dwm.exe
Token: SeDebugPrivilege	1592	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2956	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	89
PID 2548 wrote to memory of 2956	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	89
PID 2548 wrote to memory of 2956	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	89
PID 2548 wrote to memory of 3024	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	90
PID 2548 wrote to memory of 3024	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	90
PID 2548 wrote to memory of 3024	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	90
PID 2548 wrote to memory of 1712	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	91
PID 2548 wrote to memory of 1712	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	91
PID 2548 wrote to memory of 1712	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	91
PID 2548 wrote to memory of 1288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	92
PID 2548 wrote to memory of 1288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	92
PID 2548 wrote to memory of 1288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	92
PID 2548 wrote to memory of 288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	93
PID 2548 wrote to memory of 288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	93
PID 2548 wrote to memory of 288	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	93
PID 2548 wrote to memory of 1968	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	94
PID 2548 wrote to memory of 1968	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	94
PID 2548 wrote to memory of 1968	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	94
PID 2548 wrote to memory of 1672	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	95
PID 2548 wrote to memory of 1672	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	95
PID 2548 wrote to memory of 1672	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	95
PID 2548 wrote to memory of 3056	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	96
PID 2548 wrote to memory of 3056	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	96
PID 2548 wrote to memory of 3056	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	96
PID 2548 wrote to memory of 2328	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	97
PID 2548 wrote to memory of 2328	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	97
PID 2548 wrote to memory of 2328	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	97
PID 2548 wrote to memory of 2912	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	98
PID 2548 wrote to memory of 2912	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	98
PID 2548 wrote to memory of 2912	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	98
PID 2548 wrote to memory of 2036	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	99
PID 2548 wrote to memory of 2036	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	99
PID 2548 wrote to memory of 2036	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	99
PID 2548 wrote to memory of 1628	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	100
PID 2548 wrote to memory of 1628	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	100
PID 2548 wrote to memory of 1628	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	100
PID 2548 wrote to memory of 592	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	113
PID 2548 wrote to memory of 592	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	113
PID 2548 wrote to memory of 592	2548	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe	113
PID 592 wrote to memory of 2564	592	dwm.exe	114
PID 592 wrote to memory of 2564	592	dwm.exe	114
PID 592 wrote to memory of 2564	592	dwm.exe	114
PID 592 wrote to memory of 2864	592	dwm.exe	115
PID 592 wrote to memory of 2864	592	dwm.exe	115
PID 592 wrote to memory of 2864	592	dwm.exe	115
PID 2564 wrote to memory of 692	2564	WScript.exe	116
PID 2564 wrote to memory of 692	2564	WScript.exe	116
PID 2564 wrote to memory of 692	2564	WScript.exe	116
PID 692 wrote to memory of 2808	692	dwm.exe	117
PID 692 wrote to memory of 2808	692	dwm.exe	117
PID 692 wrote to memory of 2808	692	dwm.exe	117
PID 692 wrote to memory of 3044	692	dwm.exe	118
PID 692 wrote to memory of 3044	692	dwm.exe	118
PID 692 wrote to memory of 3044	692	dwm.exe	118
PID 2808 wrote to memory of 1256	2808	WScript.exe	119
PID 2808 wrote to memory of 1256	2808	WScript.exe	119
PID 2808 wrote to memory of 1256	2808	WScript.exe	119
PID 1256 wrote to memory of 2880	1256	dwm.exe	120
PID 1256 wrote to memory of 2880	1256	dwm.exe	120
PID 1256 wrote to memory of 2880	1256	dwm.exe	120
PID 1256 wrote to memory of 2632	1256	dwm.exe	121
PID 1256 wrote to memory of 2632	1256	dwm.exe	121
PID 1256 wrote to memory of 2632	1256	dwm.exe	121
PID 2880 wrote to memory of 1580	2880	WScript.exe	122

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe
"C:\Users\Admin\AppData\Local\Temp\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:592
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3feed530-8069-4971-b564-3e675b5a8aed.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6c19709-c4af-4e85-8923-643708b5028f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6b9305-c015-4fef-a6b8-2a3336816616.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c805d1-612b-417b-a506-d536cfdd22db.vbs"
        9⤵
        
        PID:2036
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b41b3b94-ead0-4b9b-908d-40cf531a8964.vbs"
        11⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eeb3c50-cee8-440f-a5a8-c3dca4ec789d.vbs"
        13⤵
        
        PID:1864
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0a1ef51-bf2f-4270-a5c2-8244ff76e4de.vbs"
        15⤵
        
        PID:1928
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5706440a-064b-4c93-b444-dfbed3fd74fd.vbs"
        17⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef89d82-d4ff-4477-93ee-26bd17cd2c97.vbs"
        17⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d698ac0d-f855-4a3c-9256-c2267859a7d7.vbs"
        15⤵
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9fe2d7-e577-4d07-9408-17c6f888e1d4.vbs"
        13⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c96600bd-c5b0-495a-98d3-8968038d445e.vbs"
        11⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79cc3de2-fa53-4690-8c0a-461bdcaf4dea.vbs"
        9⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601141a1-e0f9-43db-ad74-a885a7ff6ced.vbs"
        7⤵
        
        PID:2632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ea018f-a6e9-4376-97bf-1b15aca0dfb2.vbs"
        5⤵
        
        PID:3044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9cdd8ad-6dad-49b0-921c-96e4d7653a3f.vbs"
    3⤵
    PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aNb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3aN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
4.9MB

MD5
54d234cf938d35fa4954cd72119f0124

SHA1
67645641cc5c798b5f61cec48675840c6da8eba0

SHA256
66c51aae1c1264958308a675df2ddb308ca4f986d8965a24eb5a36c6f773dc0e

SHA512
2e7f25c67aacc39c750b9f0985e82970d50bdb1b3e2c1463e89ddb2ce93f6f78fcb1addccf3f800d2ac0c4725319e40bbe7a8bb69478093f8360af1c38da0279

Download Submit
C:\Program Files\Windows Media Player\it-IT\dwm.exe

Filesize
4.9MB

MD5
e4742a73ad2ced2257ea16d745a3e03f

SHA1
1b64568dac975c4106e7b171add3104ceab47865

SHA256
d78e97eaec968575b6e08ae108d2c231f2b08193cd55ce1ebb43a421b865c0ad

SHA512
07a06689ceb5b491c06c66f5250860fa8128d515a82449ff5448c5afe262308d704bfded01edf17dd0803080c7e2fd3d69d013678e677d8177757fc77b22d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d6b9305-c015-4fef-a6b8-2a3336816616.vbs

Filesize
746B

MD5
683f2759a1b595ec202f906242f83b19

SHA1
76f0bab192fac44469c05552838737d619fa166f

SHA256
c82fa48f7c03fe272ea8f97f31c1b7bd0e7c67a02ce6c41a5b0f25d57bb040c3

SHA512
080e3f4169d23cfeee9a6bca6737705a9b8ef1e999af63ce2a7bba38eb9a42c293a5d68a732401e6257ac21d7f93e3fbc098dadad44c0a366679dafc27c88d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3feed530-8069-4971-b564-3e675b5a8aed.vbs

Filesize
745B

MD5
c5b2f940807232c7be7306cb152425c2

SHA1
d282de93e0d6c66430568a04ec708941d6493dda

SHA256
b1ba166ae13786f057f2f61f1175b59ca3764707fdee413cf187cfdc9eb23e52

SHA512
6db2b65aa61ec2b5518cb53409ce6c1611d80ad278958b0ed233f3259e53e18dc3e9b5bc9e91897cd6b6b4d1e784704a3049dc7736fdeb2da8bd1af9653e7508

Download Submit
C:\Users\Admin\AppData\Local\Temp\5706440a-064b-4c93-b444-dfbed3fd74fd.vbs

Filesize
746B

MD5
57f1cc243a2802b99eb5be682aac6b99

SHA1
e4411e29e15018c65899bf8844ce181f11ba4c0f

SHA256
ae32485ff22ab3b61e407a830a6c9b0c48eff44349cd3e83ee7c2225d98d4b4e

SHA512
50eb71835be55a78c7b3c85ea660a055167f5f6e0215f2c3225bd688267cedd85820afef4d6b20556b2099b6a4c541984430f5d6bd04ba5e9d826b7aa1beb96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eeb3c50-cee8-440f-a5a8-c3dca4ec789d.vbs

Filesize
745B

MD5
d82c756f720c9a7e0c2ad55c621cd335

SHA1
eb93392d2fc328b5edfe17a72cca30bf995570af

SHA256
aba3490f27f9356e5c350543901d337b75813da7111800070bdb3170132d5451

SHA512
666d861ee5a377ee7827a7bb67ae30b03f9db16c7e425eccd667884792e0f72b0807e0b22b2a2eb81ab1d4549f564839fd5118aea12b18b1e66078a253b96e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9cdd8ad-6dad-49b0-921c-96e4d7653a3f.vbs

Filesize
522B

MD5
dcef0a906afe2bcf4e3214277f8bac43

SHA1
2323ab33ea18042e5bafd9522911b79115d37568

SHA256
0958e82283dfbe39b85e4cb77d10c9928fbdccda5efc770f50dc63e52fab60df

SHA512
b2f9c0fe42470f599c6f9e9c947dd2ccc64f9182813af9b5ccefbb6ce8f452a5c4db3f7b7eaaba0a13a0c9238771cc513b6082c4889a873142c06a55a1230c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\b41b3b94-ead0-4b9b-908d-40cf531a8964.vbs

Filesize
746B

MD5
8456fcda74f49aaf4778472912994e1b

SHA1
3e56480d87e9930d92fd6952624199bf63121865

SHA256
9edc292dcedd0b3a17a5b949a6aa0c2192b877c672e06146db4ffd99072e125b

SHA512
2ee511018bdf0bcde61db179e3bd400c6d1339f885a055f0ad843b9564972011c4dd284d6a34a9172de55bd4ea5a49540627ddc3f784e4ef763b9eeea61024f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0a1ef51-bf2f-4270-a5c2-8244ff76e4de.vbs

Filesize
746B

MD5
06e4cfc5ea73a5ca62e9004d54829688

SHA1
4ecb344dfa49e0315c04e2712eda82604b0595f8

SHA256
7d299f6d2bb2005ade9709c9102ec6294423b2b854ef8ef27a8a25000c882d57

SHA512
2eeb8b033c67e9c69fce07ff6d89799cec0d3c9defff0789c053fdc6825b0beb0e40980f39a186be7c7fd4f6dd92c8228195404962cddccf193a8ae67eb363fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0c805d1-612b-417b-a506-d536cfdd22db.vbs

Filesize
746B

MD5
db3a50a85446213c85d9e9ee764f11c4

SHA1
0cb943a1b50d57a8dcf765b1eb159de10207b456

SHA256
a821047f7846e4c8d9fabafa93d23fa153f60a993c3f2e68d796bb5e95734d4c

SHA512
e71985cfcbf1058346afbf2e914a969fa5dcfc448a2ae4ab1431b6f9c1f8624504f4245fe32091cd994d95b78c91178aa07595001131dd3e029b34188b2d3912

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6c19709-c4af-4e85-8923-643708b5028f.vbs

Filesize
745B

MD5
c1254cf283e6b9973d2ffabe4d14d257

SHA1
7b944fc5c3b7f8cb8df950d3992f67ab30759029

SHA256
af379367c791818e2e0cb397c8f3446c97b24c8ab51544a33f19995b12f0ffa7

SHA512
770e5c5714d4bbe3c979c96b82b886db2aa927d786e058a4d8a60b73106908514fc1dabb5e2fc13d8294d2f44d4c5bed02af46bb3c6af93ad9c2c54f472febf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF576.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ac11572f0468aa91cd6f3dfabce9b864

SHA1
905220f6a6dd00f1a0e1d968d1e097300fa6e7ef

SHA256
7cc0d8e11428d81a969f92112b1e169efca0f46b50a90d8adebb811a263e0d5e

SHA512
798535c570465865f3b9583ee88e99be46e8017eff8456d27b775f39f0714b9f428d04ef6419f2cc3a83d0a32b56535a8dc625d733db8dd42fa678bae19c2671

Download Submit
C:\Users\Public\Favorites\dllhost.exe

Filesize
4.9MB

MD5
5a9fb15e8fc1d8162c861ca1544f38f0

SHA1
a7606e286eb27a1a5e95693c594de5c65c5d7aa1

SHA256
b8a54c288df398f00afb79dff9b99f4af23dfed13a729a5659b31a6c1dfdcd3a

SHA512
a38b2f9aa766cca9f5f5265107c37dbaa89f4c712d4ea3efcd7b2248428f64a2da268de55e401ad08ff1a8ae85487add3f7b6b656b64ca9b03b82e44cc93cd5d

Download Submit
C:\Windows\Vss\System.exe

Filesize
4.9MB

MD5
23368aff1ce1af2dc57a66e33b49fe9e

SHA1
7d0f8d51915e2eb4823de0ed05e55df370a64e81

SHA256
e3b9d1ff7f642cc2d6f6af9b6690f95978ece5b4a72faefa16b93557969c0d44

SHA512
d5ded0191ca884cf1eeb2d05e7a4378425bd05db70e48f90ae67f69899cc96ee786e23f59091f31d11831e3ca68aee02f45d182eaeda7fe617ff70f38870af44

Download Submit
memory/300-326-0x0000000000E20000-0x0000000001314000-memory.dmp

Filesize
5.0MB

Download
memory/592-250-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/692-267-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/692-266-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download
memory/1260-311-0x0000000000A00000-0x0000000000EF4000-memory.dmp

Filesize
5.0MB

Download
memory/1580-296-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/1592-356-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/2328-215-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2328-209-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2548-16-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/2548-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2548-251-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-152-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2548-10-0x000000001AA60000-0x000000001AA72000-memory.dmp

Filesize
72KB

Download
memory/2548-7-0x000000001AA30000-0x000000001AA46000-memory.dmp

Filesize
88KB

Download
memory/2548-9-0x000000001AA50000-0x000000001AA5A000-memory.dmp

Filesize
40KB

Download
memory/2548-14-0x000000001AE70000-0x000000001AE78000-memory.dmp

Filesize
32KB

Download
memory/2548-160-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-8-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/2548-5-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2548-11-0x000000001AE40000-0x000000001AE4A000-memory.dmp

Filesize
40KB

Download
memory/2548-6-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2548-12-0x000000001AE50000-0x000000001AE5E000-memory.dmp

Filesize
56KB

Download
memory/2548-4-0x0000000000B60000-0x0000000000B7C000-memory.dmp

Filesize
112KB

Download
memory/2548-15-0x000000001AFF0000-0x000000001AFF8000-memory.dmp

Filesize
32KB

Download
memory/2548-3-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-1-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2548-2-0x000000001B490000-0x000000001B5BE000-memory.dmp

Filesize
1.2MB

Download
memory/2548-13-0x000000001AE60000-0x000000001AE6E000-memory.dmp

Filesize
56KB

Download
memory/2964-341-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download