dcrat | ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

Analysis

max time kernel
119s
max time network
116s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Size

1.1MB
MD5

bf13fac7f8484064e0b61d4930e82580
SHA1

08495d92383b65f214c87a4aaed1103fe4cc7330
SHA256

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e
SHA512

cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2656	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2656	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2920-18-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2920-16-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2920-14-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2920-11-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2920-10-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2556-422-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2556-421-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2108	powershell.exe
2292	powershell.exe
336	powershell.exe
2376	powershell.exe
2852	powershell.exe
2056	powershell.exe
1112	powershell.exe
1348	powershell.exe
1808	powershell.exe
2532	powershell.exe
2356	powershell.exe
2036	powershell.exe
916	powershell.exe
2316	powershell.exe
2272	powershell.exe
1680	powershell.exe
1872	powershell.exe
1604	powershell.exe
2948	powershell.exe

Executes dropped EXE 5 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid process

1296 sppsvc.exe
2176 sppsvc.exe
628 sppsvc.exe
2556 sppsvc.exe
560 sppsvc.exe

pid	process
1296	sppsvc.exe
2176	sppsvc.exe
628	sppsvc.exe
2556	sppsvc.exe
560	sppsvc.exe

Loads dropped DLL 8 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exesppsvc.exeWScript.exesppsvc.exeWScript.exe

pid	process
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
1296	sppsvc.exe
2804	WScript.exe
2804	WScript.exe
628	sppsvc.exe
2428	WScript.exe
2428	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exesppsvc.exesppsvc.exe

description	pid	process	target process
PID 1820 set thread context of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1296 set thread context of 2176	1296	sppsvc.exe	sppsvc.exe
PID 628 set thread context of 2556	628	sppsvc.exe	sppsvc.exe

Drops file in Program Files directory 40 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\RCX4202.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\886983d96e3d3e	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\f3b6ecef712a24	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX26AE.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2F9B.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\RCX2D29.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX320E.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\cc11b995f2a76d	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX21C9.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX26AD.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2F9C.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Common Files\6203df4a6bafc7	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX243B.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\lsass.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX36F1.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RCX320D.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCX3701.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\7a0fd90576e088	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\fb7bf17bc86597	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Common Files\lsass.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\RCX4271.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\69ddcba757bf72	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX2237.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\24dbde2999530e	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\RCX24A9.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\RCX2D97.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Drops file in Windows directory 15 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\RCX3D8C.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Tasks\Idle.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\ja-JP\101b941d020240	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Setup\RCX1FC5.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\ja-JP\lsm.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\ja-JP\lsm.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Tasks\6ccacd8608530f	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\ja-JP\RCX1DB0.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\ja-JP\RCX1DB1.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Setup\RCX1FC4.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Setup\winlogon.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Setup\cc11b995f2a76d	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Tasks\RCX3DFA.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Tasks\Idle.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Setup\winlogon.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeWScript.exesppsvc.exepowershell.exepowershell.exepowershell.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exepowershell.exepowershell.exesppsvc.exepowershell.exepowershell.exepowershell.exeWScript.exeWScript.exesppsvc.exesppsvc.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sppsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2980	schtasks.exe
1856	schtasks.exe
840	schtasks.exe
2416	schtasks.exe
1740	schtasks.exe
1808	schtasks.exe
1084	schtasks.exe
2720	schtasks.exe
1488	schtasks.exe
1036	schtasks.exe
1984	schtasks.exe
2180	schtasks.exe
896	schtasks.exe
1612	schtasks.exe
2440	schtasks.exe
1224	schtasks.exe
2256	schtasks.exe
624	schtasks.exe
968	schtasks.exe
1360	schtasks.exe
2092	schtasks.exe
2608	schtasks.exe
884	schtasks.exe
1620	schtasks.exe
2836	schtasks.exe
792	schtasks.exe
900	schtasks.exe
2532	schtasks.exe
2500	schtasks.exe
944	schtasks.exe
1756	schtasks.exe
1956	schtasks.exe
556	schtasks.exe
2716	schtasks.exe
3032	schtasks.exe
2880	schtasks.exe
1112	schtasks.exe
2344	schtasks.exe
336	schtasks.exe
1352	schtasks.exe
608	schtasks.exe
2516	schtasks.exe
2264	schtasks.exe
1148	schtasks.exe
2952	schtasks.exe
2164	schtasks.exe
2928	schtasks.exe
812	schtasks.exe
2412	schtasks.exe
2696	schtasks.exe
2872	schtasks.exe
3048	schtasks.exe
2272	schtasks.exe
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exe

pid	process
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
2056	powershell.exe
1604	powershell.exe
2532	powershell.exe
2036	powershell.exe
2948	powershell.exe
2272	powershell.exe
1680	powershell.exe
1112	powershell.exe
1808	powershell.exe
1348	powershell.exe
1872	powershell.exe
2292	powershell.exe
336	powershell.exe
2316	powershell.exe
2376	powershell.exe
2108	powershell.exe
916	powershell.exe
2852	powershell.exe
2176	sppsvc.exe
2556	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2176	sppsvc.exe
Token: SeDebugPrivilege	2556	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

description	pid	process	target process
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1820 wrote to memory of 2920	1820	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 2920 wrote to memory of 1872	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1872	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1872	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1872	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2356	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2356	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2356	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2356	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1112	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1112	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1112	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1112	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1604	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1604	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1604	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1604	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1348	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1348	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1348	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1348	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2948	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2948	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2948	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2948	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1808	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1808	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1808	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1808	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2292	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2292	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2292	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2292	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2316	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2316	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2316	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2316	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2272	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2272	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2272	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2272	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2036	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2036	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2036	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 2036	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 336	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 336	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 336	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 336	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 916	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 916	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 916	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 916	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1680	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1680	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 2920 wrote to memory of 1680	2920	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
"C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1296
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2176
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeed7ed1-7474-4a63-9ea4-88fcfb0b716f.vbs"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "{path}"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\498cd7e6-291c-4dbc-bba8-1bd57ea67fa1.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\568e34cb-977c-4425-9b20-8c261123b1f0.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:328
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81dc98c3-b8b2-4b9c-beaa-2c46470a958f.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN" /sc ONLOGON /tr "'C:\Users\Default User\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\SpeechEngines\smss.exe

Filesize
1.1MB

MD5
62bf8557f68ac63fafff99305a30e590

SHA1
41ff656addf59aae604f1afb83443e0dd8553cd8

SHA256
2c805f4584e73f743bcc96548545dfc382ca77f8017ab8515e07d17f79a61db1

SHA512
4484742662f05b6d250b65c960c3d0cf178fb06fbbb1dcb745aee34f202bd3e6fd752326ad63dad633a91570c80fed53a41b53a4c36bb6c997e4aa1f7d4a34f1

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Filesize
1.1MB

MD5
bf13fac7f8484064e0b61d4930e82580

SHA1
08495d92383b65f214c87a4aaed1103fe4cc7330

SHA256
ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

SHA512
cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\es-ES\csrss.exe

Filesize
1.1MB

MD5
1d1d309b309aacd48ffadf640382b9cf

SHA1
074e51f3f0e807b50a5285b55061cf71f30a09ee

SHA256
5e3f55606e20e631852b4bb413a85bb4d983690dad80d9c9d9bd199d194abe5e

SHA512
67a6a77d855c5799ba96f1cf6b5ea0d126530ac92263c491be9967f31e868205a6f80f351333cbcef331ea6f8b9b6f6ac89030b3c960efb0653c5e349bce359a

Download Submit
C:\Program Files\Common Files\lsass.exe

Filesize
1.1MB

MD5
bc310851e2ddc747ee3d58de0c7d4953

SHA1
75cf367ff48d01b7873466afaa38e985d5ac3281

SHA256
f60d22be5156b346498a70a40b6fde1c652f710f05f0e1b9f5588e90e9e5cbb1

SHA512
9a8bf81bd31c32e15408ed51d75565f2c5dde6c5edb1f6792ee9e06a9d6d03b79f300852ca5b7871a0c11e0257a0064809b888ec764f2c0ccc2a28f1fca1222d

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe

Filesize
1.1MB

MD5
35a3b7531a9f528200f738d2bf857d38

SHA1
cbbed40159f873992ac523910f76830179fa7ed6

SHA256
83bcd24d3d1fba247af171f24a194d050a310f62bb30586840eb23cc5edaa3a8

SHA512
c1105a6aa37e44eafbab46502e9ae4269670a8cfeba8803f43b7e29b3e3e36ea90a5aacc14a863326d7d8b369759fdf04ad23d2325685aa6268f17c7623c04de

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe

Filesize
1.1MB

MD5
9688477fc26e70f08ce04ff20803a67a

SHA1
4a7bf3b1eb1b30c50581336fd64b26c7511f1469

SHA256
3efc04c615dcbe44af791612fa8c43750653b098f2d0f5ab13ecb8cd6af35c78

SHA512
affd898dcc4240dac2ce1917682396034c2432040ef9d2ead87ee478f907de4f8a7818d6c498d43f5a9aabb6dee3b2d842e50fee032636cac9081b59a7d97176

Download Submit
C:\Users\Admin\AppData\Local\Temp\498cd7e6-291c-4dbc-bba8-1bd57ea67fa1.vbs

Filesize
749B

MD5
a87d8335a246eab1e5d6e371297eed1a

SHA1
0d706f7d46f8e17fcbd401afc53e8a6287aa201f

SHA256
67d43766e9d95d94818a4c83ac5cdc59d553cb8eeb1200d06e8073af3814cdf6

SHA512
66134c39383a8ef7704fd0286ad9392ec0a6028f699db61404a5c2587895c119f99c807950b578cf1097828a536dcc1639ca2e9564b0d5617a47d9a2155b4a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\81dc98c3-b8b2-4b9c-beaa-2c46470a958f.vbs

Filesize
525B

MD5
cacae751df0f769802919a691c453f6a

SHA1
839bd0660087db7dabe83208b1052fc9bd83d46a

SHA256
772a257fc05634f097a10bacc5b32aa571bb963ebc733c4ca58ac63942cfa610

SHA512
0d78471804f47c5efc524a252def38b2c3d50fb959a21e710776ea626010d5cf57541a19c5e926125868a806a45d241324eeea311caaa58521ac0f8261f94873

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeed7ed1-7474-4a63-9ea4-88fcfb0b716f.vbs

Filesize
749B

MD5
37570fae81e3f491d1070c79581df537

SHA1
bdfd0eb19e763f58c2fc62efc7ab51437e3610d7

SHA256
f5fa1ef5322cbf74dfc946cb57cf1d5951e5fc76520516f91bd1b83bc44e766f

SHA512
bd6fa48c8af8aca9c1ab14b6cccacb661ec1ae41e3f7303d1ac2504c77ce487e73e4ee512e6aa08e3567fb8cb37a8460b586f021722d211fb536be7baffada29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fb17c670d88a609d3eadf80af25a0c0b

SHA1
4b97d636b3062619017b39668772375206d8b967

SHA256
4c94dc825407a6f09c46734e0423de1a75834f46b910e8eb96e058b859d3d87b

SHA512
46d0988e12086e83249fec06ff6a14d872e834280b5e23a38af446d7209b742550a131d68b68d9980777547ae896517bbbbacc6dd0432289cbd2501537ab99db

Download Submit
C:\Users\Default\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Filesize
1.1MB

MD5
04a5724d1f43acbfa54393ab3d99bb09

SHA1
9aaacc498fb121321144c0898ed050d5b210ac4d

SHA256
edc40959fbecf2998113f676b33f8475b1f4131ce1d2a1d5323f69658d2a04c0

SHA512
af37ab0d41bbc9fa31be3101759696dc81641287324bcd3fd5f5488d68625d53acdb5ed20fb80f73bc6308eacd56130bb112df9c7360db08a29e79b1afe20612

Download Submit
C:\Windows\Tasks\Idle.exe

Filesize
1.1MB

MD5
d76ea769b6684d1f9d779317279eef01

SHA1
b2d04b5b63f2510b6eab4cf56ab811f6e06b703e

SHA256
f7983c7b2d56f9999500d9d56431bdb1d82f937b2e3188a770de50351d4a32a8

SHA512
5842798ecb332a9d5ebe200ee0d6999bbd5dca0611066732266c072b5e718c782ab42a34d7d688acd00965dcfb6a8d48eb19391c024508dc46bf9ee594d82ed8

Download Submit
memory/560-436-0x0000000000BF0000-0x0000000000D1C000-memory.dmp

Filesize
1.2MB

Download
memory/628-408-0x0000000000BF0000-0x0000000000D1C000-memory.dmp

Filesize
1.2MB

Download
memory/1296-376-0x0000000000BF0000-0x0000000000D1C000-memory.dmp

Filesize
1.2MB

Download
memory/1820-7-0x0000000005C50000-0x0000000005D7E000-memory.dmp

Filesize
1.2MB

Download
memory/1820-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1820-20-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-6-0x0000000005400000-0x00000000054F6000-memory.dmp

Filesize
984KB

Download
memory/1820-5-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-4-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1820-3-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1820-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1820-1-0x00000000013C0000-0x00000000014EC000-memory.dmp

Filesize
1.2MB

Download
memory/2176-391-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-418-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-422-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2556-421-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-19-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-32-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2920-31-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2920-30-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2920-29-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2920-28-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2920-27-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2920-223-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-26-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2920-246-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-24-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/2920-25-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2920-23-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2920-377-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-22-0x0000000000210000-0x000000000022C000-memory.dmp

Filesize
112KB

Download
memory/2920-21-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-14-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-16-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-18-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download