dcrat | 8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Size

4.9MB
MD5

87c0d521f3387245929438143a477b30
SHA1

d427908e35f8a94c83750d923b32c91583091981
SHA256

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93
SHA512

f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2712	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2712	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2996-3-0x000000001B470000-0x000000001B59E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
868	powershell.exe
1156	powershell.exe
1140	powershell.exe
2520	powershell.exe
308	powershell.exe
2460	powershell.exe
1248	powershell.exe
960	powershell.exe
832	powershell.exe
848	powershell.exe
2512	powershell.exe
2592	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2320	smss.exe
1072	smss.exe
2744	smss.exe
864	smss.exe
2544	smss.exe
1328	smss.exe
2956	smss.exe
828	smss.exe
1044	smss.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\27d1bcfc3c54e0	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFB13.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXFD18.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\27d1bcfc3c54e0	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\WmiPrvSE.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dllhost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6ccacd8608530f	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\WmiPrvSE.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\dllhost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXFF1C.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX527.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dllhost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCXFA7.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX1D83.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX16CC.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Internet Explorer\69ddcba757bf72	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\dllhost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\1610b97d3ab4a7	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\5940a34987c991	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Journal\fr-FR\smss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX323.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\24dbde2999530e	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\RCX99C.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\RCX72B.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Migration\WTR\Idle.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXBA0.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Migration\WTR\Idle.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\RemotePackages\RemoteApps\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\RemotePackages\RemoteApps\886983d96e3d3e	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
588	schtasks.exe
2476	schtasks.exe
1260	schtasks.exe
2784	schtasks.exe
1156	schtasks.exe
1292	schtasks.exe
2120	schtasks.exe
2264	schtasks.exe
632	schtasks.exe
1244	schtasks.exe
2868	schtasks.exe
884	schtasks.exe
912	schtasks.exe
2324	schtasks.exe
1044	schtasks.exe
2632	schtasks.exe
2260	schtasks.exe
964	schtasks.exe
1788	schtasks.exe
2572	schtasks.exe
2612	schtasks.exe
1964	schtasks.exe
2156	schtasks.exe
2400	schtasks.exe
1648	schtasks.exe
2916	schtasks.exe
1032	schtasks.exe
1720	schtasks.exe
2508	schtasks.exe
1504	schtasks.exe
2652	schtasks.exe
1660	schtasks.exe
1304	schtasks.exe
1596	schtasks.exe
2496	schtasks.exe
2976	schtasks.exe
1984	schtasks.exe
1376	schtasks.exe
1688	schtasks.exe
2716	schtasks.exe
796	schtasks.exe
2384	schtasks.exe
2060	schtasks.exe
2928	schtasks.exe
2252	schtasks.exe
3016	schtasks.exe
2932	schtasks.exe
864	schtasks.exe
1272	schtasks.exe
1224	schtasks.exe
1644	schtasks.exe
2272	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
2520	powershell.exe
1140	powershell.exe
2592	powershell.exe
2460	powershell.exe
868	powershell.exe
1248	powershell.exe
308	powershell.exe
960	powershell.exe
848	powershell.exe
1156	powershell.exe
832	powershell.exe
2512	powershell.exe
2320	smss.exe
1072	smss.exe
2744	smss.exe
864	smss.exe
2544	smss.exe
1328	smss.exe
2956	smss.exe
828	smss.exe
1044	smss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2320	smss.exe
Token: SeDebugPrivilege	1072	smss.exe
Token: SeDebugPrivilege	2744	smss.exe
Token: SeDebugPrivilege	864	smss.exe
Token: SeDebugPrivilege	2544	smss.exe
Token: SeDebugPrivilege	1328	smss.exe
Token: SeDebugPrivilege	2956	smss.exe
Token: SeDebugPrivilege	828	smss.exe
Token: SeDebugPrivilege	1044	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 832	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	85
PID 2996 wrote to memory of 832	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	85
PID 2996 wrote to memory of 832	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	85
PID 2996 wrote to memory of 2592	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	86
PID 2996 wrote to memory of 2592	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	86
PID 2996 wrote to memory of 2592	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	86
PID 2996 wrote to memory of 2520	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	88
PID 2996 wrote to memory of 2520	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	88
PID 2996 wrote to memory of 2520	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	88
PID 2996 wrote to memory of 1140	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	89
PID 2996 wrote to memory of 1140	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	89
PID 2996 wrote to memory of 1140	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	89
PID 2996 wrote to memory of 2512	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	91
PID 2996 wrote to memory of 2512	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	91
PID 2996 wrote to memory of 2512	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	91
PID 2996 wrote to memory of 1156	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	93
PID 2996 wrote to memory of 1156	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	93
PID 2996 wrote to memory of 1156	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	93
PID 2996 wrote to memory of 868	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	94
PID 2996 wrote to memory of 868	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	94
PID 2996 wrote to memory of 868	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	94
PID 2996 wrote to memory of 960	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	95
PID 2996 wrote to memory of 960	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	95
PID 2996 wrote to memory of 960	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	95
PID 2996 wrote to memory of 1248	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	96
PID 2996 wrote to memory of 1248	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	96
PID 2996 wrote to memory of 1248	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	96
PID 2996 wrote to memory of 848	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	97
PID 2996 wrote to memory of 848	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	97
PID 2996 wrote to memory of 848	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	97
PID 2996 wrote to memory of 2460	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	98
PID 2996 wrote to memory of 2460	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	98
PID 2996 wrote to memory of 2460	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	98
PID 2996 wrote to memory of 308	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	99
PID 2996 wrote to memory of 308	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	99
PID 2996 wrote to memory of 308	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	99
PID 2996 wrote to memory of 2320	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	109
PID 2996 wrote to memory of 2320	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	109
PID 2996 wrote to memory of 2320	2996	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	109
PID 2320 wrote to memory of 1992	2320	smss.exe	110
PID 2320 wrote to memory of 1992	2320	smss.exe	110
PID 2320 wrote to memory of 1992	2320	smss.exe	110
PID 2320 wrote to memory of 1984	2320	smss.exe	111
PID 2320 wrote to memory of 1984	2320	smss.exe	111
PID 2320 wrote to memory of 1984	2320	smss.exe	111
PID 1992 wrote to memory of 1072	1992	WScript.exe	112
PID 1992 wrote to memory of 1072	1992	WScript.exe	112
PID 1992 wrote to memory of 1072	1992	WScript.exe	112
PID 1072 wrote to memory of 1728	1072	smss.exe	113
PID 1072 wrote to memory of 1728	1072	smss.exe	113
PID 1072 wrote to memory of 1728	1072	smss.exe	113
PID 1072 wrote to memory of 1504	1072	smss.exe	114
PID 1072 wrote to memory of 1504	1072	smss.exe	114
PID 1072 wrote to memory of 1504	1072	smss.exe	114
PID 1728 wrote to memory of 2744	1728	WScript.exe	115
PID 1728 wrote to memory of 2744	1728	WScript.exe	115
PID 1728 wrote to memory of 2744	1728	WScript.exe	115
PID 2744 wrote to memory of 308	2744	smss.exe	116
PID 2744 wrote to memory of 308	2744	smss.exe	116
PID 2744 wrote to memory of 308	2744	smss.exe	116
PID 2744 wrote to memory of 1352	2744	smss.exe	117
PID 2744 wrote to memory of 1352	2744	smss.exe	117
PID 2744 wrote to memory of 1352	2744	smss.exe	117
PID 308 wrote to memory of 864	308	WScript.exe	118

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
"C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Program Files\Windows Journal\fr-FR\smss.exe
  "C:\Program Files\Windows Journal\fr-FR\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d9d6f60-e809-4b21-bff0-70ab6e1bbfd4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Program Files\Windows Journal\fr-FR\smss.exe
      "C:\Program Files\Windows Journal\fr-FR\smss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7b4f3f3-2aef-413a-9a39-68a8c813a3f0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ad2f3eb-f6d6-4768-9718-c920133e1e0b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32dac76-5bde-4b4c-a9a7-62d69cb9ba6d.vbs"
        9⤵
        
        PID:2332
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19443296-a71d-4664-a9b0-0db0fe727c01.vbs"
        11⤵
        
        PID:2172
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d63681b8-f402-4ba1-a0ad-1ae17d65ed57.vbs"
        13⤵
        
        PID:1376
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a827278-c301-4f21-a2ec-6de100ed374d.vbs"
        15⤵
        
        PID:1628
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9817ec73-9955-4a35-bd8e-de8d71334ada.vbs"
        17⤵
        
        PID:2880
        
        C:\Program Files\Windows Journal\fr-FR\smss.exe
        
        "C:\Program Files\Windows Journal\fr-FR\smss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d92467-d03f-48ac-86ee-89f078dd4323.vbs"
        19⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5478f1fd-cf13-41f2-96d1-e339883d338e.vbs"
        19⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175c3e2a-bd1b-4ac9-a3b3-f77a1147a4e4.vbs"
        17⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ac7b31-6119-4d83-92cb-43238e17635c.vbs"
        15⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de76079-bb71-4a5b-90b3-9e8921e13daf.vbs"
        13⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f18de75-88b8-4e92-bbf5-832f9dd31049.vbs"
        11⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec48c44-9685-45f6-a17c-f3716ecf5ea3.vbs"
        9⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2916c623-307b-4036-9dab-f09f025cd995.vbs"
        7⤵
        
        PID:1352
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3afcd0d-7a85-44ce-90aa-322d8135e1a8.vbs"
        5⤵
        
        PID:1504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1b387ae-f3d5-4ea4-8279-8d364de93036.vbs"
    3⤵
    PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\wininit.exe

Filesize
4.9MB

MD5
87c0d521f3387245929438143a477b30

SHA1
d427908e35f8a94c83750d923b32c91583091981

SHA256
8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

SHA512
f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29

Download Submit
C:\Program Files (x86)\Windows NT\dllhost.exe

Filesize
4.9MB

MD5
118ee973c1eedacccf45e35de64c33ff

SHA1
2c7e3834257e9681339db2457a84394e91719372

SHA256
c57ea853e9490791fea84e1f985f8d282fcb8267004ccbeb2f081fb80f177a0a

SHA512
0c9f18310d51e8cfebd18b221a1f15ba96ea1f9f0d5d35a7cb864d3a374ea7e8f19b3e83c3fd6ff79a3582591d19321a986dc6eeb7b75120e0ceb3ae8f912ae9

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe

Filesize
4.9MB

MD5
96b9b4413577278674a2bc44e7d9afa8

SHA1
190ec7965d2a6983058b96ca24ffefa10bdc996e

SHA256
969e39078491dde5ddbed2f28405ea8ccbf1723300b75711eb3ab49aba2d1d6c

SHA512
d77449f0c767ff34b72d6daa397dcf7bf3128e0d3076aa6eb27784fafa7dee7e879cedc62885472ebe207b820d303bf4e1b20b9f52d9f1eb07d58d31338c0ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\19443296-a71d-4664-a9b0-0db0fe727c01.vbs

Filesize
723B

MD5
4e922485c4abfcf2c543e8d85b83300e

SHA1
fad9c2e7e6bce0a797bd9354df0eedcdbf2c1415

SHA256
d17745c6fd1150f2a4a8b098a5126a3a457aa02991000ae8b0f5a052a721dc53

SHA512
56addb763e52800dedbbb32c6956aaa79946a5137177ddc2bc6185838ed299be2c8fe41f8cc672a6e7b0ddfd43f9aaac766ffe0650ed6f03453fe8edbd682b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a827278-c301-4f21-a2ec-6de100ed374d.vbs

Filesize
723B

MD5
25915e4088c9cb77c8ea2594669ac3a4

SHA1
53e6254d7aa7c4976293121ab1f222d972f483e9

SHA256
ad28798e59764bba23453ea74d4480782f82d10207431a98635adf38fe45ab91

SHA512
a4ddb1b07dd967f5550ac7f6efbecd3e0859034e65ddc0e152ce412911b4666bdf110937bae0340c8ed68614c39861595a4fa12cb23a8de927af0db148d72073

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d9d6f60-e809-4b21-bff0-70ab6e1bbfd4.vbs

Filesize
723B

MD5
5a3802105a8840805d375f96f41dbea1

SHA1
4959d823b6cadf1a9dcac49df9e2f6b556e84849

SHA256
3a3eaa472fa0d855cbaaeb7936f282cbd33d88ea02d4b2d96dc0585a1ff435ae

SHA512
efea9b3a8c16a2e273f840699af664cd5635adfea7862beb0be078c83ad57db8cc85685c4b391a8801c36b12a9ca000ec86c43d91fb448e3068c1b4da59d5a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ad2f3eb-f6d6-4768-9718-c920133e1e0b.vbs

Filesize
723B

MD5
fc9d97321695dc53b3a9bea8a5193e99

SHA1
8fce120d37d83d05a74b91ac5df426422ea7696c

SHA256
6beef20d4d970bb5a5c130a77d56a12800121795adbb7cb33a4210d93bc467b9

SHA512
67029248b4be91b33a4b234abab2ae7f0e0ea97e105f5ddb80f53d1ad5e81cc32bfb90b1603890013cebc698109f5e68a7babc663fb3a54d9c4433a211836e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9817ec73-9955-4a35-bd8e-de8d71334ada.vbs

Filesize
722B

MD5
987635ca7581b8015542e486596b44ed

SHA1
92aaef911e85c9e37e71b0db36a92f900017cc33

SHA256
96d526bc9ae85a1520439f8f22f96e50e8a3c4b57e344ca3fb111b866e71cf7b

SHA512
32286d536a897419694a7fdb56f3aeb988f8cd991092c4d48c61ead65f979e518ccedd4d6b90c2a509471fdad184bf3890eb40c10734ed2648d90636a4f6bcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a32dac76-5bde-4b4c-a9a7-62d69cb9ba6d.vbs

Filesize
722B

MD5
d80a293d80b806dee607c08143f04a61

SHA1
515fc26701d0c2068bf2813d66d7819397edc6a0

SHA256
e63805db857e0a48405b0da5bb1f7cdad36e26630da10507188f6fe186aa382e

SHA512
31cddd577f28c06940985120d49557bc2fe11b4f5d7cb61141e846335cb333f1e6037da55ac6ee6be8e3f1829b11c4742dbe536982b2650aad3ef765bbfe5e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7b4f3f3-2aef-413a-9a39-68a8c813a3f0.vbs

Filesize
723B

MD5
d5979d252bce10f0841df15272ffda2a

SHA1
c927043f4cf1cc918a095df9f84f0302a1c9b490

SHA256
20e05a944a280d81f29ec717bcd3522c9151c1989eae81be87c3baf7d8797b6a

SHA512
fb8addf005b28edb1077f307acb8e0dbf223112010e2c7b2720655b8bc730ea9180fefa6be54373c83b1f83fe9b25680dd061eed6acf7a3db985979b4068d85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d92467-d03f-48ac-86ee-89f078dd4323.vbs

Filesize
723B

MD5
522d7e40e2222b6e9680c71b03e71e95

SHA1
26bb444c1d55e886ca0ddba311a6047b17179d15

SHA256
7c9f4b91c5ac643d077a6e52b7f8af65d8152eab2290e1b2128fbff6326c3642

SHA512
aa878743bcb064e7656173e42fc2c440b6539eef60aec31648eb1744b72699df61b76c2571b6821eb55008d6c2a1c7ff80f07f6240c15f9e0f9656ee5b76f5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\d63681b8-f402-4ba1-a0ad-1ae17d65ed57.vbs

Filesize
723B

MD5
636e96af01abe96a4250ada39f6bce57

SHA1
ec331fb8f3f75d8ed9b17420460f2143f78a9ac7

SHA256
5d58e682409edef4b4d15bf6e1cca228ad9a52293a3d26caa23eb58d3ff45a63

SHA512
9444abd6c154d4925a3c8b91dcaf127b0ff61b01f7f6ecfccd825697f63ba25106e796b4a0182e224e50cda5be767d738c07211c053a4c210401de7f3b73e770

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1b387ae-f3d5-4ea4-8279-8d364de93036.vbs

Filesize
499B

MD5
1174bbd82b0bce5450f49b4e6b717732

SHA1
c912ae7a0bddb98c53f1fc0713daaaab14532230

SHA256
a6702518982f1ac22905edd27a68c30d54ce5bcd1a8325e5c072bd186c8eba76

SHA512
9e299b195b9cb99634738ed4fcc44165834b26e724cd9a9af21800928e942383a04173277ef976c896ebe60590e0c8989d19a431d7efb5a12b370fb4e67d5162

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31AB.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
340268cc5dccafb2dbfb9801ac8ceef6

SHA1
3af3b095e62d7b1b9ecf363c4b9e907baa42c826

SHA256
e80b228e01ad5c43fc5f39360671df87793db3206d63c1661240bbc9cdc76e51

SHA512
8dce6e13992d9927d7074f4f8d4632ede7c2279ef5af77fe0e782ee452ea77e6311796e01907fcd6ccf28ea54a50dbe718f38968854764e63e91c5c9efc71ce8

Download Submit
C:\Users\Default\Favorites\sppsvc.exe

Filesize
4.9MB

MD5
f1a0332e87d7b34ec2bd23df8b5724a2

SHA1
f6ffc9e3b4519496b2cb83f1a90990ee5ef314c8

SHA256
a23d2621f0907f35adac483dc9f0588a00c736274ddd9964e6985eaab9c8d6e2

SHA512
61a691f414bb49fc4d1022c7af77f9bc56ff4d67d06c9fa2620a08c1a2a806cdf56242014551076c2e39abb18a157366a892e5a1583e10fa60ebb0f2d64c79c0

Download Submit
C:\Windows\Migration\WTR\Idle.exe

Filesize
4.9MB

MD5
bb436d1b545dc7549d3f72e451bbbe1e

SHA1
fa2f813d3f3b68bb1017797f7fff6e1f5be48124

SHA256
7c7e7bf592f5bb550f442775b3a6f1a7a70bda44742210998aeb36bb94464754

SHA512
b57626ca204509f8788366fd7f7908b2bcecfeb786b67739fa7bc54ab0df94d413a34cfa14548d72b61e49ff2fa75c2b8d855411ded4cce82b443b703d46cb5a

Download Submit
memory/864-293-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/864-294-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/1072-263-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1072-262-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download
memory/1328-325-0x0000000000090000-0x0000000000584000-memory.dmp

Filesize
5.0MB

Download
memory/2320-186-0x0000000000300000-0x00000000007F4000-memory.dmp

Filesize
5.0MB

Download
memory/2520-199-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2520-198-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2544-310-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2544-309-0x00000000009F0000-0x0000000000EE4000-memory.dmp

Filesize
5.0MB

Download
memory/2744-278-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/2956-340-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2996-10-0x000000001AF80000-0x000000001AF92000-memory.dmp

Filesize
72KB

Download
memory/2996-8-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2996-14-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

Filesize
32KB

Download
memory/2996-13-0x000000001AFB0000-0x000000001AFBE000-memory.dmp

Filesize
56KB

Download
memory/2996-12-0x000000001AFA0000-0x000000001AFAE000-memory.dmp

Filesize
56KB

Download
memory/2996-11-0x000000001AF90000-0x000000001AF9A000-memory.dmp

Filesize
40KB

Download
memory/2996-16-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/2996-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2996-9-0x000000001AF70000-0x000000001AF7A000-memory.dmp

Filesize
40KB

Download
memory/2996-15-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/2996-7-0x000000001AF40000-0x000000001AF56000-memory.dmp

Filesize
88KB

Download
memory/2996-147-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2996-187-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-6-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/2996-5-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2996-4-0x0000000002350000-0x000000000236C000-memory.dmp

Filesize
112KB

Download
memory/2996-161-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-3-0x000000001B470000-0x000000001B59E000-memory.dmp

Filesize
1.2MB

Download
memory/2996-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download