dcrat | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Size

4.9MB
MD5

6980bcd5d7d665f70f434120a1d20549
SHA1

8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512

2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2892	schtasks.exe

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

spoolsv.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2260-2-0x000000001B600000-0x000000001B72E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2756	powershell.exe
2140	powershell.exe
1312	powershell.exe
2080	powershell.exe
2148	powershell.exe
1104	powershell.exe
2640	powershell.exe
2732	powershell.exe
2648	powershell.exe
2744	powershell.exe
2468	powershell.exe
2956	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2096	spoolsv.exe
2188	spoolsv.exe
2660	spoolsv.exe
2464	spoolsv.exe
2440	spoolsv.exe
832	spoolsv.exe
1724	spoolsv.exe
2124	spoolsv.exe
2788	spoolsv.exe
2704	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exespoolsv.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in Program Files directory 24 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\lsass.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\DVD Maker\944d8125759fb4	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFDC3.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX12E1.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\f3b6ecef712a24	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\75a57c1bdf437c	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Google\Temp\services.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX1756.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Windows Defender\ja-JP\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXFBA0.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX5C1.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\DVD Maker\RCX1533.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\DVD Maker\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\DVD Maker\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files\Windows Defender\ja-JP\0a1fd5f707cd16	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\services.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\sppsvc.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Drops file in Windows directory 4 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\lsm.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\Logs\lsm.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\Logs\101b941d020240	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Windows\Logs\RCXC59.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2744	schtasks.exe
2920	schtasks.exe
656	schtasks.exe
1284	schtasks.exe
2736	schtasks.exe
2300	schtasks.exe
2544	schtasks.exe
2288	schtasks.exe
1480	schtasks.exe
1484	schtasks.exe
432	schtasks.exe
2620	schtasks.exe
2800	schtasks.exe
1972	schtasks.exe
528	schtasks.exe
620	schtasks.exe
2896	schtasks.exe
1352	schtasks.exe
1824	schtasks.exe
1772	schtasks.exe
1788	schtasks.exe
3020	schtasks.exe
2376	schtasks.exe
2916	schtasks.exe
940	schtasks.exe
824	schtasks.exe
2628	schtasks.exe
1872	schtasks.exe
1712	schtasks.exe
1176	schtasks.exe
2572	schtasks.exe
1612	schtasks.exe
1744	schtasks.exe
2684	schtasks.exe
772	schtasks.exe
340	schtasks.exe
2972	schtasks.exe
3008	schtasks.exe
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
2080	powershell.exe
2640	powershell.exe
2648	powershell.exe
2148	powershell.exe
2732	powershell.exe
1312	powershell.exe
2468	powershell.exe
2756	powershell.exe
2140	powershell.exe
2744	powershell.exe
2956	powershell.exe
1104	powershell.exe
2096	spoolsv.exe
2188	spoolsv.exe
2660	spoolsv.exe
2464	spoolsv.exe
2440	spoolsv.exe
832	spoolsv.exe
1724	spoolsv.exe
2124	spoolsv.exe
2788	spoolsv.exe
2704	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2096	spoolsv.exe
Token: SeDebugPrivilege	2188	spoolsv.exe
Token: SeDebugPrivilege	2660	spoolsv.exe
Token: SeDebugPrivilege	2464	spoolsv.exe
Token: SeDebugPrivilege	2440	spoolsv.exe
Token: SeDebugPrivilege	832	spoolsv.exe
Token: SeDebugPrivilege	1724	spoolsv.exe
Token: SeDebugPrivilege	2124	spoolsv.exe
Token: SeDebugPrivilege	2788	spoolsv.exe
Token: SeDebugPrivilege	2704	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exespoolsv.exeWScript.exespoolsv.exeWScript.exespoolsv.exeWScript.exe

description	pid	process	target process
PID 2260 wrote to memory of 2140	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2140	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2140	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2956	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2956	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2956	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2648	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2648	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2648	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2756	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2756	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2756	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2732	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2732	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2732	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2640	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2640	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2640	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1104	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1104	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1104	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2148	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2148	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2148	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2080	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2080	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2080	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1312	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1312	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 1312	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2468	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2468	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2468	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2744	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 2260 wrote to memory of 2096	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	spoolsv.exe
PID 2260 wrote to memory of 2096	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	spoolsv.exe
PID 2260 wrote to memory of 2096	2260	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	spoolsv.exe
PID 2096 wrote to memory of 2492	2096	spoolsv.exe	WScript.exe
PID 2096 wrote to memory of 2492	2096	spoolsv.exe	WScript.exe
PID 2096 wrote to memory of 2492	2096	spoolsv.exe	WScript.exe
PID 2096 wrote to memory of 2724	2096	spoolsv.exe	WScript.exe
PID 2096 wrote to memory of 2724	2096	spoolsv.exe	WScript.exe
PID 2096 wrote to memory of 2724	2096	spoolsv.exe	WScript.exe
PID 2492 wrote to memory of 2188	2492	WScript.exe	spoolsv.exe
PID 2492 wrote to memory of 2188	2492	WScript.exe	spoolsv.exe
PID 2492 wrote to memory of 2188	2492	WScript.exe	spoolsv.exe
PID 2188 wrote to memory of 1412	2188	spoolsv.exe	WScript.exe
PID 2188 wrote to memory of 1412	2188	spoolsv.exe	WScript.exe
PID 2188 wrote to memory of 1412	2188	spoolsv.exe	WScript.exe
PID 2188 wrote to memory of 2400	2188	spoolsv.exe	WScript.exe
PID 2188 wrote to memory of 2400	2188	spoolsv.exe	WScript.exe
PID 2188 wrote to memory of 2400	2188	spoolsv.exe	WScript.exe
PID 1412 wrote to memory of 2660	1412	WScript.exe	spoolsv.exe
PID 1412 wrote to memory of 2660	1412	WScript.exe	spoolsv.exe
PID 1412 wrote to memory of 2660	1412	WScript.exe	spoolsv.exe
PID 2660 wrote to memory of 1472	2660	spoolsv.exe	WScript.exe
PID 2660 wrote to memory of 1472	2660	spoolsv.exe	WScript.exe
PID 2660 wrote to memory of 1472	2660	spoolsv.exe	WScript.exe
PID 2660 wrote to memory of 1668	2660	spoolsv.exe	WScript.exe
PID 2660 wrote to memory of 1668	2660	spoolsv.exe	WScript.exe
PID 2660 wrote to memory of 1668	2660	spoolsv.exe	WScript.exe
PID 1472 wrote to memory of 2464	1472	WScript.exe	spoolsv.exe

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

spoolsv.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
"C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
  "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2096
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab3a5ba3-3472-4fda-b02a-dede2da571a6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
      "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2188
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a43a4119-c8ed-4398-944c-e9c61471523a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc32aa1b-560e-4d19-bd96-a6a6dd53bf6c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7db329d-5498-4a34-9059-beb181ca1812.vbs"
        9⤵
        
        PID:1192
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b315bfa7-8c60-41cf-bc34-5f25cb8b06dd.vbs"
        11⤵
        
        PID:2076
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\466b7f39-9def-4554-bad4-85ba6702c970.vbs"
        13⤵
        
        PID:1016
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c716c8cf-4a3c-48fc-b069-bc68b4cf446e.vbs"
        15⤵
        
        PID:2476
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4188cb22-cbbe-439d-9492-80ca11274edd.vbs"
        17⤵
        
        PID:3028
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\947caa09-aea5-4e6b-b12a-bc5e7e3bac82.vbs"
        19⤵
        
        PID:1904
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2211e04-9e64-4c38-9211-d98e19ea4b8c.vbs"
        21⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9886dc85-740b-41cc-a598-31ab345d186d.vbs"
        21⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546dd873-0c62-4e8b-8b42-e680f5100e2f.vbs"
        19⤵
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c36252d3-a8ad-4cf7-8918-47ef6ea82274.vbs"
        17⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ab5318-fad4-41ad-bd9c-bf1887bf82ae.vbs"
        15⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfb868de-2992-4693-a7a4-59ba281ddedb.vbs"
        13⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4846dd97-6f72-4921-905c-ec8aa60dd808.vbs"
        11⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6ffd452-a2fe-4c4c-b31f-26c3ed666845.vbs"
        9⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\802896f8-b00f-4739-8c41-e74b60318482.vbs"
        7⤵
        
        PID:1668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9b7aa1b-e9c0-4e8f-9f07-95be623498bb.vbs"
        5⤵
        
        PID:2400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c4977c4-dbd6-4763-839e-35d29aec43c6.vbs"
    3⤵
    PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16c" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16c" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RCXE7C.tmp

Filesize
4.9MB

MD5
62755ad7a36cde63e4aec2e07972582f

SHA1
12ec0a1c8199074abbf02f55bad0c3adca2e8b53

SHA256
5abd1bd693f291158a3c887ba299c257f884b06575feb42a8547d90fe1b4e4cb

SHA512
24f5da236e5b653e6eb982e98fa15d0198a3cc0b775ce1f771cd2f0d35f408d20a00c807a2590c0cd76019d288021fba2534de4b24b98c6c8e956028baf1dcf4

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\WMIADAP.exe

Filesize
4.9MB

MD5
6980bcd5d7d665f70f434120a1d20549

SHA1
8104f0c2f92ecb1ab9c6700f14d56059a93a9465

SHA256
c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

SHA512
2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

Download Submit
C:\Program Files\Windows Defender\ja-JP\sppsvc.exe

Filesize
4.9MB

MD5
ac09eaed82e8fa9315a7e452fe6510cc

SHA1
7486909084a0cee9257ad13cd428a387a8ff1855

SHA256
c691702b40ce6dc0509600defbc616890f2a92bee42cebf49009b92479d12b63

SHA512
f93bc0275b3e6efeda8aaa4fb9f0f78c0261472843641d13298faebd4088825101be79d6d11bd53a99d022740526dcc7679c68ccf1fd40e41f2c53c6e6063faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4188cb22-cbbe-439d-9492-80ca11274edd.vbs

Filesize
734B

MD5
ccd684a22f525facd0e9cd4d72414828

SHA1
04c53af43f26e687d5d7cefcd26bd0e606dbc626

SHA256
52c5f46c0f45d8483b0657c28418f143ab4f13dc02d80c5ed481caf9df6c453b

SHA512
ee5641099dfdedb84dfe161b26e1472f75124c643a9274a0f891cc90102f955971ff9d0c5cfe0caf37b9a8689f5f70ce1aa08d082dc5e0c77e7f3c881942f923

Download Submit
C:\Users\Admin\AppData\Local\Temp\466b7f39-9def-4554-bad4-85ba6702c970.vbs

Filesize
733B

MD5
d6759285f6fe4e2c6d14418be72755ea

SHA1
5ad37bd70b8364a80710838c738cfa78abe2c684

SHA256
fdf310725b8f39b9ccc0c728d0461902ec1ae5986ca2ecea32395916bfecc4fe

SHA512
64a03bbff4ac08e69105cba153ff65b1f1d404805ac3fe7ef20695d9cac8f54d1190818ec043b668139ef45ba5711df1b78ed78217e7823484c22c91c3cdfa14

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c4977c4-dbd6-4763-839e-35d29aec43c6.vbs

Filesize
510B

MD5
c96b31aadf37126d27d341d8278d0833

SHA1
d5e527d987b71cefc262e46f99eba7f1527ca85d

SHA256
95950e7cf31dea25d80a4d76faa501ce0ba73854f7e8c1ae090e18f5326a2e5c

SHA512
41cfea6cc75a2320001e91b2f294e73b03289930377d2d119900d91d03544f6d807c31e1d564e6aed9e9fbc4bfda209843d79793dda55b572f744c8a91175f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\947caa09-aea5-4e6b-b12a-bc5e7e3bac82.vbs

Filesize
734B

MD5
95095eea00f9381ba80ee2ce7ebec09c

SHA1
90e159c5159052a0e063f194d8daf4048a1e5770

SHA256
43014100367e70d4b105595253fc207859ec9af892d4b9f374dca5993d084732

SHA512
4c8945c74eb6008091a01798e6cf67dc95e96712d9258c6e76db7fc1b69b4caa649817c080df7dcf9f6d191682697a8aa5a89ffa43e6264a02ab7ab6b80cbdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a43a4119-c8ed-4398-944c-e9c61471523a.vbs

Filesize
734B

MD5
2fb6eac8ef327d3f5fc296609b7cea50

SHA1
cc0d129462c0611ec1f8975af2e5850fbff5dd29

SHA256
59f3f49224a0fe07b1e6be5e1b10e0a1475a6d2700f48c68243a1f33ef6c012c

SHA512
c6a589a100c75b56447b9e5c3bab0dcc9c4afff87363d9ad25bd26cc0b32737c44cdcace4974f5af91ad0c3128937bfea5555695e16650e778afed5d6ba0abb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab3a5ba3-3472-4fda-b02a-dede2da571a6.vbs

Filesize
734B

MD5
50f1ffff30217198fb173dd178781f37

SHA1
8212d20993000d0d53a11269505131e3975ddda4

SHA256
48f3b177f0e2bf2f6a4fe0554ec6925ed339293416c29d83afa592c5dc5912f1

SHA512
1f4ba4c730c69178cd172bc961459fb6a1687172d88322443331344a20098f2922b7cb85c4fa6549b33a375a2c04563bb296194e032dde3ce6fc8e27697b0449

Download Submit
C:\Users\Admin\AppData\Local\Temp\b315bfa7-8c60-41cf-bc34-5f25cb8b06dd.vbs

Filesize
734B

MD5
49776c01b1c8ed920a25203e21f08308

SHA1
acee71d5b9869f5e5404ce6df950810662bc7710

SHA256
997c2a297acb31bdaf5ae7a20411eebd997d9dfbee537da8968ecc931d8f5895

SHA512
ca9d5f2f3ef9bd276581de8397a192371bcb529f675acfbcd4cee38b993a19486e26b628d7adbf1b0b7e8161f00c441fa288631d9618c8b983bd2c396e87b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7db329d-5498-4a34-9059-beb181ca1812.vbs

Filesize
734B

MD5
8a3ba445ca516dcecc444ef72ea0175d

SHA1
97ded9d56aae28025fe0b79eae9bacb61b8faa80

SHA256
cdd11d9117d0a30608aaba2a94ae8752fbfde423f6247b21f357a2e3feb09558

SHA512
a18b9a62e1ff3b2ed300b7135a39371e68bd7065aace282fc17b483b3a07e132162f8bacb2108276cd1914bd7c58187d035b79d93fa107fe4c797c1b28cdad1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c716c8cf-4a3c-48fc-b069-bc68b4cf446e.vbs

Filesize
734B

MD5
d7b97470c1bf7c743c2a9b1edcdce86c

SHA1
fd043e8865bf1cb50fc9fb0d5b1bc9e839a70b31

SHA256
d1af76758ceb7c1fea6b1afbb909efb3a4c68a5d4e38e55ebe4f9bdce03b7e2f

SHA512
4da1bed2c7083e3d614fb96b0dbd7515b169e450297485f71195feaa6212522193bb7305e0075faace651b4e56cbced373cc8b2453daf558585efd14c6a10303

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2211e04-9e64-4c38-9211-d98e19ea4b8c.vbs

Filesize
734B

MD5
043ea239fa490a5324560f131a25209b

SHA1
587a9e9186a0858d3dae316e99de94894f388353

SHA256
fe4edcb5089bb1a1f672f0e03552afa391b78afbea41cfd9cb589d9883fd6e90

SHA512
4c85c27c56ca1f3ae7b84e76667515f81750ecfc099b613659ddc3bb29ff9415e94ca6db0091c1ca0e46fceab97affbfc5b03b19d195ddf0c600d899fef0d4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc32aa1b-560e-4d19-bd96-a6a6dd53bf6c.vbs

Filesize
734B

MD5
d7e9bdfe21cca9bbce04b42d6699612b

SHA1
c59dfb4c57f9637bf6e6bd3c602696a159972ab8

SHA256
68648fd7ce4d20ee0a50b97fba135f800d9ddac21f45d33bbc929fabe2bcf14d

SHA512
da1c339c7be5b7d724306372d206cbac4ecbd0f21c052bf7506a96a6b5cd37928bdb9a069faefef095d7a2b551e8c8362b8e7e327fc23b5ead9d1e9aeaffd404

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E41.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c5415a97fdcb23de2ecf2657a1eabba

SHA1
9b5f1148326b762ae8591c334dc9dde60a59b6ae

SHA256
b9e4d0b5978e6ac45575c3493435519f450b5955d2b73fc31f67e919cef351dd

SHA512
b588f2e03880c377ac1580582d98280d4632914b0f4c6eb170a04e66f6b17cc6ab1285549b53c2c1bdb5094a4d37f58610c48578f016e332b790abc49c75b53e

Download Submit
memory/1724-295-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/2080-154-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2080-165-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2096-208-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2096-168-0x00000000010B0000-0x00000000015A4000-memory.dmp

Filesize
5.0MB

Download
memory/2124-310-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2188-222-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2260-166-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-7-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/2260-112-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-97-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2260-16-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2260-15-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2260-14-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2260-13-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2260-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2260-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2260-9-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2260-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/2260-8-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2260-2-0x000000001B600000-0x000000001B72E000-memory.dmp

Filesize
1.2MB

Download
memory/2260-3-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-4-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/2260-5-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2260-6-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2260-10-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2440-266-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2660-237-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2704-341-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/2788-325-0x0000000000290000-0x0000000000784000-memory.dmp

Filesize
5.0MB

Download
memory/2788-326-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download