dcrat | b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Size

4.9MB
MD5

dc0f33684dad2fbdd9801489c2a24150
SHA1

6c2f859577d7f959f4f0056c9f5a6b2c22ef3333
SHA256

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55
SHA512

e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2712	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2496-3-0x000000001B520000-0x000000001B64E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2456	powershell.exe
2940	powershell.exe
2092	powershell.exe
1624	powershell.exe
2044	powershell.exe
2932	powershell.exe
1604	powershell.exe
1296	powershell.exe
992	powershell.exe
2896	powershell.exe
1840	powershell.exe
1100	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
900	Idle.exe
1908	Idle.exe
988	Idle.exe
2344	Idle.exe
1800	Idle.exe
2488	Idle.exe
444	Idle.exe
2496	Idle.exe
2812	Idle.exe
2380	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCXE033.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE8EE.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files\Uninstall Information\WMIADAP.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files\Uninstall Information\75a57c1bdf437c	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCX5DD.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\0a1fd5f707cd16	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCXF64D.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\f3b6ecef712a24	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\6cb0b6c459d5d3	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\69ddcba757bf72	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files\Uninstall Information\WMIADAP.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCXED63.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF449.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\lsm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\ModemLogs\101b941d020240	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\ModemLogs\RCXEB.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\ModemLogs\lsm.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1912	schtasks.exe
2932	schtasks.exe
1696	schtasks.exe
2592	schtasks.exe
2456	schtasks.exe
1976	schtasks.exe
1928	schtasks.exe
612	schtasks.exe
3000	schtasks.exe
540	schtasks.exe
1624	schtasks.exe
1508	schtasks.exe
1612	schtasks.exe
2188	schtasks.exe
1804	schtasks.exe
796	schtasks.exe
1136	schtasks.exe
2348	schtasks.exe
2412	schtasks.exe
1284	schtasks.exe
1188	schtasks.exe
1756	schtasks.exe
2480	schtasks.exe
2220	schtasks.exe
2944	schtasks.exe
880	schtasks.exe
2948	schtasks.exe
2808	schtasks.exe
1428	schtasks.exe
2812	schtasks.exe
316	schtasks.exe
2772	schtasks.exe
3004	schtasks.exe
1680	schtasks.exe
2404	schtasks.exe
596	schtasks.exe
1156	schtasks.exe
2248	schtasks.exe
2140	schtasks.exe
1312	schtasks.exe
2228	schtasks.exe
1932	schtasks.exe
2376	schtasks.exe
1944	schtasks.exe
700	schtasks.exe
2832	schtasks.exe
2740	schtasks.exe
2840	schtasks.exe
2136	schtasks.exe
2516	schtasks.exe
3052	schtasks.exe
2208	schtasks.exe
2100	schtasks.exe
1368	schtasks.exe
1608	schtasks.exe
2092	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
2896	powershell.exe
1840	powershell.exe
1296	powershell.exe
1624	powershell.exe
2044	powershell.exe
1604	powershell.exe
2092	powershell.exe
992	powershell.exe
1100	powershell.exe
2940	powershell.exe
2456	powershell.exe
2932	powershell.exe
900	Idle.exe
1908	Idle.exe
988	Idle.exe
2344	Idle.exe
1800	Idle.exe
2488	Idle.exe
444	Idle.exe
2496	Idle.exe
2812	Idle.exe
2380	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	900	Idle.exe
Token: SeDebugPrivilege	1908	Idle.exe
Token: SeDebugPrivilege	988	Idle.exe
Token: SeDebugPrivilege	2344	Idle.exe
Token: SeDebugPrivilege	1800	Idle.exe
Token: SeDebugPrivilege	2488	Idle.exe
Token: SeDebugPrivilege	444	Idle.exe
Token: SeDebugPrivilege	2496	Idle.exe
Token: SeDebugPrivilege	2812	Idle.exe
Token: SeDebugPrivilege	2380	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2044	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	89
PID 2496 wrote to memory of 2044	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	89
PID 2496 wrote to memory of 2044	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	89
PID 2496 wrote to memory of 2896	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	90
PID 2496 wrote to memory of 2896	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	90
PID 2496 wrote to memory of 2896	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	90
PID 2496 wrote to memory of 1624	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	91
PID 2496 wrote to memory of 1624	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	91
PID 2496 wrote to memory of 1624	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	91
PID 2496 wrote to memory of 2092	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	93
PID 2496 wrote to memory of 2092	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	93
PID 2496 wrote to memory of 2092	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	93
PID 2496 wrote to memory of 1840	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	94
PID 2496 wrote to memory of 1840	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	94
PID 2496 wrote to memory of 1840	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	94
PID 2496 wrote to memory of 2940	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	95
PID 2496 wrote to memory of 2940	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	95
PID 2496 wrote to memory of 2940	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	95
PID 2496 wrote to memory of 2456	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	97
PID 2496 wrote to memory of 2456	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	97
PID 2496 wrote to memory of 2456	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	97
PID 2496 wrote to memory of 992	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	98
PID 2496 wrote to memory of 992	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	98
PID 2496 wrote to memory of 992	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	98
PID 2496 wrote to memory of 1296	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	100
PID 2496 wrote to memory of 1296	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	100
PID 2496 wrote to memory of 1296	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	100
PID 2496 wrote to memory of 1100	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	102
PID 2496 wrote to memory of 1100	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	102
PID 2496 wrote to memory of 1100	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	102
PID 2496 wrote to memory of 1604	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	104
PID 2496 wrote to memory of 1604	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	104
PID 2496 wrote to memory of 1604	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	104
PID 2496 wrote to memory of 2932	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 2496 wrote to memory of 2932	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 2496 wrote to memory of 2932	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 2496 wrote to memory of 900	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	113
PID 2496 wrote to memory of 900	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	113
PID 2496 wrote to memory of 900	2496	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	113
PID 900 wrote to memory of 2376	900	Idle.exe	114
PID 900 wrote to memory of 2376	900	Idle.exe	114
PID 900 wrote to memory of 2376	900	Idle.exe	114
PID 900 wrote to memory of 2960	900	Idle.exe	115
PID 900 wrote to memory of 2960	900	Idle.exe	115
PID 900 wrote to memory of 2960	900	Idle.exe	115
PID 2376 wrote to memory of 1908	2376	WScript.exe	116
PID 2376 wrote to memory of 1908	2376	WScript.exe	116
PID 2376 wrote to memory of 1908	2376	WScript.exe	116
PID 1908 wrote to memory of 1944	1908	Idle.exe	117
PID 1908 wrote to memory of 1944	1908	Idle.exe	117
PID 1908 wrote to memory of 1944	1908	Idle.exe	117
PID 1908 wrote to memory of 3060	1908	Idle.exe	118
PID 1908 wrote to memory of 3060	1908	Idle.exe	118
PID 1908 wrote to memory of 3060	1908	Idle.exe	118
PID 1944 wrote to memory of 988	1944	WScript.exe	119
PID 1944 wrote to memory of 988	1944	WScript.exe	119
PID 1944 wrote to memory of 988	1944	WScript.exe	119
PID 988 wrote to memory of 1540	988	Idle.exe	120
PID 988 wrote to memory of 1540	988	Idle.exe	120
PID 988 wrote to memory of 1540	988	Idle.exe	120
PID 988 wrote to memory of 1248	988	Idle.exe	121
PID 988 wrote to memory of 1248	988	Idle.exe	121
PID 988 wrote to memory of 1248	988	Idle.exe	121
PID 1540 wrote to memory of 2344	1540	WScript.exe	122

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
"C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29451d40-1f24-4b59-ac77-fd1eff584c82.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90fd32f-7a2b-4804-a509-7e2f90d7958a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fea77dfd-33fe-4fe5-94ea-bbe3181536b0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2098ce4d-2659-4401-9322-6d5674b4a921.vbs"
        9⤵
        
        PID:2988
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47cb5db6-eb72-45a9-bf63-2517592f9f23.vbs"
        11⤵
        
        PID:2956
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0df1371d-9e1c-4d15-86db-384e5bded840.vbs"
        13⤵
        
        PID:2240
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d71fa3aa-85d3-4b68-96ca-9883bbf7e185.vbs"
        15⤵
        
        PID:888
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2e48f2e-f4af-4bda-aaef-7497c9808a5d.vbs"
        17⤵
        
        PID:1028
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\182571c7-b62c-4f3e-9362-65c5a35483e0.vbs"
        19⤵
        
        PID:1516
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82cc4b2-2e44-4500-b0ba-c21e1deb6be2.vbs"
        21⤵
        
        PID:2548
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe"
        22⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96f74c66-be9e-4f1e-96b2-26382e02088d.vbs"
        21⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a909c81-f5d9-407b-b2ad-4739d4291d54.vbs"
        19⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9dbb74-2378-4f4f-b652-058596f97da0.vbs"
        17⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e56e26-9daf-481d-aa47-b24105330993.vbs"
        15⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e43381c-3a1e-467c-abd2-14ef35d32b64.vbs"
        13⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597eaef7-75a3-4dae-852e-543f34cf2840.vbs"
        11⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a6502a-1de3-49bc-b5e6-548d0eb160b6.vbs"
        9⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48aa0206-35f4-4da0-8c3e-88e28eae7040.vbs"
        7⤵
        
        PID:1248
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4288b2be-e0c8-4d1c-8b71-17df77bd1c3d.vbs"
        5⤵
        
        PID:3060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\612467ca-4308-422c-985a-9bb275fa632d.vbs"
    3⤵
    PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55Nb" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55Nb" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe

Filesize
2.9MB

MD5
e98d24f87c198fc16c39563d3c0ec861

SHA1
22d999d8cebb74fe01fdc26a542fe2633a273c1c

SHA256
4835758629633d73f5179311b22eba5e424e01edf347f505bea5c4ba13ee2c14

SHA512
64858e140c4e32408d6bd0e04fd49e75a51c010b81ed19b597d1980a652daf7c50660953ff152f6e5fe3222d1a806230c2db43dd6918adb8a9160d4b7e39b75d

Download Submit
C:\Program Files\Uninstall Information\RCXE8EE.tmp

Filesize
4.9MB

MD5
c6832cc8115745f01ad8950fb818a039

SHA1
2d54e07b5568a2f45e2831912536548c5e616b2c

SHA256
cb08a2057b7528b632ca28328b64f4cc3f65ab432d84dd2bcbe2e2c5e7c05f5c

SHA512
3086d5188ad664ef0d2422afd950ed86d724066a253963ec20564f01a39040daa0b1a091ba86277bac9ba0d8a08a8fe74a5db3abe25049f79c2de4df5196aec2

Download Submit
C:\Program Files\Uninstall Information\WMIADAP.exe

Filesize
4.9MB

MD5
dc0f33684dad2fbdd9801489c2a24150

SHA1
6c2f859577d7f959f4f0056c9f5a6b2c22ef3333

SHA256
b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

SHA512
e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650

Download Submit
C:\Users\Admin\AppData\Local\Temp\0df1371d-9e1c-4d15-86db-384e5bded840.vbs

Filesize
756B

MD5
5c7de4556762138cac069be3b88e3332

SHA1
7c0beec3ba7ffeb16509e29d2d26a8f763b685f0

SHA256
6f10a70e17c48ef0627c2f72d790e9f0560067a5a7dd4bd692cc86505c822566

SHA512
7f242b2a765a9bcffb8a5d05ecee84917cc228f2ce57dd247a82dae020942bef45cf4d6a0f51a8c0b9fb185b2c557604f2bf84b495f231c5820474b5da8c0f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\182571c7-b62c-4f3e-9362-65c5a35483e0.vbs

Filesize
756B

MD5
86ecafed8f8485d64468462594ea3590

SHA1
d8a492b435cb4925fef84e8efb217409c3a57327

SHA256
ed8d51d90d6b07264066bdb2211a7602f1afe4337f35d0cdc9ec326b78c6e35e

SHA512
e7e5c927a35716dc6aa5ed61dfe79d54f716e5eedb929e11b19d3d33436e31d901159a8ed6580d71a0d10c5ebf7ca0c38ce90ed1057aa4c9accec358f870d351

Download Submit
C:\Users\Admin\AppData\Local\Temp\2098ce4d-2659-4401-9322-6d5674b4a921.vbs

Filesize
756B

MD5
de8a601985e8fb622f367895613ad4b5

SHA1
4569c84f11fb0701e8e0cc727865cb2847a8255a

SHA256
e6c195e8dded31888a926887c1c875c312721d02ca41ad5308ca2a36ab957c47

SHA512
a2a10f4d194ebd230fe6d9b8e7841db2af1dc7db102a67c0b5f6ba0d1cf5f9a6c84885e50777d6836282add6f677ccf94e718d1727c635207bca6df389a00f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\29451d40-1f24-4b59-ac77-fd1eff584c82.vbs

Filesize
755B

MD5
2a081cfa378d34b2d8355904e8c71ba7

SHA1
15bdf1c8dbabc8146f47bd967ba334054b175c97

SHA256
4a6276cd821035dcdd6d5740d78f9b892c8ea949ac002e7ff1a3330c531e38ac

SHA512
c49f72e82aec51766caf24b06bbf9f4f9157b0d11a595d0b30a8668b6fcc91cc0cb3cd5b7d0f6ca5e3a42db1197260bcc4874351f945dca71a8f3164509c54a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\47cb5db6-eb72-45a9-bf63-2517592f9f23.vbs

Filesize
756B

MD5
bd353cde32391070b1aaaa8751ed25ea

SHA1
3faa18f9a13c48d33516220683dede94765cf146

SHA256
01258274176c36159b3013ad613580da23690e2e20e7cc3418a81e02a7c87819

SHA512
0485d185bb11356955083f36faeff1befb1bec105c9dcbc8435e3cb40a7df0770b02bdd3e3530d2bd85c9aae96dd1d7ec9b6fe2bc7a048070e9aa9c156d878a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\612467ca-4308-422c-985a-9bb275fa632d.vbs

Filesize
532B

MD5
33201022bdafbc78460cd5a8436e1cdf

SHA1
ef437f49bbc10f5d0a18bf7af64750ff92469f5e

SHA256
47d2328abd3a525fc9e189a441db0765343b6b7dea023b597098f7b421cb0714

SHA512
6f2b39a9583fe714eadd4d83c8a951325daa76510e906fadec742e9c9c03b29d45e4fb50f6d80c61a6e473ee3d2c768a33e3fad166e3593aee6f00847a3e2c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c90fd32f-7a2b-4804-a509-7e2f90d7958a.vbs

Filesize
756B

MD5
7d6fe3999bf6a3253300a462b673e930

SHA1
428389e8b2dae032cd6c67fe8a09d57a4c1cbc62

SHA256
5d0c121066b30556d3f5cf9d15cf05662a73541441351f6787407a15c9f15904

SHA512
797cf784b79890d8ca4f8c5cff593062e17045a724919a87437a470ab5303186738d91259a9a6b286fd0864662de96e619829529666fe1c79be2f454df26b0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2e48f2e-f4af-4bda-aaef-7497c9808a5d.vbs

Filesize
756B

MD5
b5d1dbe3f86aa4536b32df78c7935172

SHA1
4f940ad968a65f3d87c1a726c408de079b96d36d

SHA256
9123e3fd482c7f60612a5c30a46a59e3a220f08fb722b15a8ef54c0e59303828

SHA512
3cfe40d89bd5feda7238539308712438499d6b1bd85fa9b2a2a306c0284edec7ba93b9f2cda6f371299c64dd48d7b467815c0be1c926ff4e7c970dfc63508807

Download Submit
C:\Users\Admin\AppData\Local\Temp\d71fa3aa-85d3-4b68-96ca-9883bbf7e185.vbs

Filesize
755B

MD5
1b64885b2d619cd6eeb31fa5abfc0b5d

SHA1
bd1f1886ec2aa002e57501713e5535a328ea04ee

SHA256
87febac4aec4d179b25fa326f591cad1286ccbfd2a122052f95e82253884644b

SHA512
c4daf206497853c7d6b6d16bbe59e117b15f424e782d425c593d2cbc02c10a1b197f69c1e30ce8178f7759d6cc0dfd3f4492c3017545651a821f01b9686521db

Download Submit
C:\Users\Admin\AppData\Local\Temp\e82cc4b2-2e44-4500-b0ba-c21e1deb6be2.vbs

Filesize
756B

MD5
c85b3e0dc2092120b4c7b2b4174c34f0

SHA1
a2f18c0efd3eb0bbcadcdcc70b1726aeb09a782e

SHA256
d6d3a89c708e958baf4486b279151a571651e4d78fd5f16d92618d7dbd6fa893

SHA512
b6c9c4b2a05b60146dfed94834c088296a577fcbb866f6468576f55360290ae0756f11c8c0ff67d5e1eed893e2ca180d575158684edd16d40146d2d2eb0c5b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fea77dfd-33fe-4fe5-94ea-bbe3181536b0.vbs

Filesize
755B

MD5
a397243de8a552b2d53b2d2e7ef4da43

SHA1
9d3607d369c49d09eebf1da10c1a04df58efb33d

SHA256
1e6d34d0eb98c36811764fc14a5e94889aa59b7bf41c671fdb6c116b5e288422

SHA512
1907f9e0f7a6c1f442bb95da621ce82044f8f02b608dcbad5359bca01f2f9bf9d084bfde7a62411af71fa97b856e532a22a5efb255f306c3bc3fbc55a0fa5e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18DE.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e02a774f1b75694f7d9f2c1853e50b1

SHA1
fc61ce670db7fbf51767dd8cc53af64e5f322116

SHA256
bcf0797fcafebee839dfc3f02647c2584397e0529bf1ec912364852f7cf16122

SHA512
b643c638ad3d01bb15d38071924619b2ade63ce913d913fd189a03a88f51987e533a73ce8915bb9a73220ef87fdfec099f2380a299534ddc3a6bd7209fcddd64

Download Submit
C:\Users\Default\taskhost.exe

Filesize
4.9MB

MD5
ca0138918be64a4156edc32cba41c456

SHA1
837d1670af56bd8161cd56abf7af8ed600085000

SHA256
620d9a2a94b9034558b1adfea283d6aed018379893931fc7a060543f209cfb1c

SHA512
a0b01883ffc95a19e92ab6d56ce26e4b2245672610557d3bcef3c9e39e665211d2eb471f3badc11003f192a4d889d0a4614ece920fffe6d74c6315bb0bd154ef

Download Submit
memory/900-204-0x0000000000250000-0x0000000000744000-memory.dmp

Filesize
5.0MB

Download
memory/1800-310-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/1840-203-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1908-266-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/1908-265-0x0000000001100000-0x00000000015F4000-memory.dmp

Filesize
5.0MB

Download
memory/2344-295-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/2488-325-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2496-10-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2496-6-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2496-217-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-13-0x00000000025F0000-0x00000000025FE000-memory.dmp

Filesize
56KB

Download
memory/2496-12-0x00000000025E0000-0x00000000025EE000-memory.dmp

Filesize
56KB

Download
memory/2496-11-0x00000000025D0000-0x00000000025DA000-memory.dmp

Filesize
40KB

Download
memory/2496-1-0x0000000000390000-0x0000000000884000-memory.dmp

Filesize
5.0MB

Download
memory/2496-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2496-14-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2496-9-0x0000000002450000-0x000000000245A000-memory.dmp

Filesize
40KB

Download
memory/2496-15-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2496-8-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2496-154-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-7-0x0000000002430000-0x0000000002446000-memory.dmp

Filesize
88KB

Download
memory/2496-139-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2496-16-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/2496-354-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2496-4-0x0000000000B40000-0x0000000000B5C000-memory.dmp

Filesize
112KB

Download
memory/2496-3-0x000000001B520000-0x000000001B64E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-205-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download