dcrat | 7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3

Analysis

max time kernel
115s
max time network
113s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Size

4.9MB
MD5

9f101118f7c7a990e1991adffbd13a90
SHA1

aa29ddbcd084d3bb62584d55cb51011e51b0f0ce
SHA256

7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3
SHA512

3e21074feb16b2f59b41db35142ec3d2102602cd0f7f6a102eae4d972e3a4a40505a65dc9144ba0730dca3f4717324b21076da9fe41712d45a3d8166fc1bf55a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2836	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2900-2-0x000000001B820000-0x000000001B94E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
780	powershell.exe
572	powershell.exe
588	powershell.exe
1688	powershell.exe
2020	powershell.exe
2460	powershell.exe
2960	powershell.exe
2232	powershell.exe
1304	powershell.exe
1952	powershell.exe
1736	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2880	WmiPrvSE.exe
2484	WmiPrvSE.exe
2924	WmiPrvSE.exe
1688	WmiPrvSE.exe
2744	WmiPrvSE.exe
1396	WmiPrvSE.exe
2180	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\6cb0b6c459d5d3	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\dllhost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCXA0CA.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA510.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCXA946.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows Sidebar\spoolsv.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\24dbde2999530e	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\dllhost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\101b941d020240	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows Sidebar\f3b6ecef712a24	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX9EA7.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX9773.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\MSBuild\1610b97d3ab4a7	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\42af1c969fbb7b	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\de-DE\RCXB1E2.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXB637.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\MSBuild\OSPPSVC.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\5940a34987c991	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\OSPPSVC.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXA723.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\42af1c969fbb7b	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows Sidebar\spoolsv.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXAD8C.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Scenes\wininit.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Web\Wallpaper\Scenes\56085415360792	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\schemas\EAPMethods\7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\6ccacd8608530f	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX99C5.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\servicing\ja-JP\dllhost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\wininit.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCXAFAF.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe
888	schtasks.exe
2080	schtasks.exe
1548	schtasks.exe
2324	schtasks.exe
1224	schtasks.exe
2104	schtasks.exe
2200	schtasks.exe
3000	schtasks.exe
1688	schtasks.exe
780	schtasks.exe
2136	schtasks.exe
2796	schtasks.exe
2208	schtasks.exe
368	schtasks.exe
2532	schtasks.exe
1400	schtasks.exe
1292	schtasks.exe
3040	schtasks.exe
2312	schtasks.exe
1920	schtasks.exe
2112	schtasks.exe
2840	schtasks.exe
2676	schtasks.exe
2660	schtasks.exe
2764	schtasks.exe
1028	schtasks.exe
2560	schtasks.exe
2004	schtasks.exe
2548	schtasks.exe
1632	schtasks.exe
1404	schtasks.exe
2348	schtasks.exe
852	schtasks.exe
836	schtasks.exe
904	schtasks.exe
2960	schtasks.exe
592	schtasks.exe
620	schtasks.exe
2212	schtasks.exe
1144	schtasks.exe
2056	schtasks.exe
1412	schtasks.exe
1608	schtasks.exe
2704	schtasks.exe
884	schtasks.exe
2076	schtasks.exe
920	schtasks.exe
1956	schtasks.exe
2220	schtasks.exe
2528	schtasks.exe
2696	schtasks.exe
396	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
780	powershell.exe
1548	powershell.exe
572	powershell.exe
2020	powershell.exe
2960	powershell.exe
2232	powershell.exe
1688	powershell.exe
1736	powershell.exe
2460	powershell.exe
1952	powershell.exe
588	powershell.exe
1304	powershell.exe
2880	WmiPrvSE.exe
2484	WmiPrvSE.exe
2924	WmiPrvSE.exe
1688	WmiPrvSE.exe
2744	WmiPrvSE.exe
1396	WmiPrvSE.exe
2180	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2880	WmiPrvSE.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2484	WmiPrvSE.exe
Token: SeDebugPrivilege	2924	WmiPrvSE.exe
Token: SeDebugPrivilege	1688	WmiPrvSE.exe
Token: SeDebugPrivilege	2744	WmiPrvSE.exe
Token: SeDebugPrivilege	1396	WmiPrvSE.exe
Token: SeDebugPrivilege	2180	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2020	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	85
PID 2900 wrote to memory of 2020	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	85
PID 2900 wrote to memory of 2020	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	85
PID 2900 wrote to memory of 1548	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	86
PID 2900 wrote to memory of 1548	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	86
PID 2900 wrote to memory of 1548	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	86
PID 2900 wrote to memory of 2460	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	87
PID 2900 wrote to memory of 2460	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	87
PID 2900 wrote to memory of 2460	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	87
PID 2900 wrote to memory of 2960	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	90
PID 2900 wrote to memory of 2960	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	90
PID 2900 wrote to memory of 2960	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	90
PID 2900 wrote to memory of 588	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	91
PID 2900 wrote to memory of 588	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	91
PID 2900 wrote to memory of 588	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	91
PID 2900 wrote to memory of 1688	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	92
PID 2900 wrote to memory of 1688	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	92
PID 2900 wrote to memory of 1688	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	92
PID 2900 wrote to memory of 1736	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	93
PID 2900 wrote to memory of 1736	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	93
PID 2900 wrote to memory of 1736	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	93
PID 2900 wrote to memory of 572	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	94
PID 2900 wrote to memory of 572	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	94
PID 2900 wrote to memory of 572	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	94
PID 2900 wrote to memory of 780	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	95
PID 2900 wrote to memory of 780	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	95
PID 2900 wrote to memory of 780	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	95
PID 2900 wrote to memory of 2232	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	96
PID 2900 wrote to memory of 2232	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	96
PID 2900 wrote to memory of 2232	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	96
PID 2900 wrote to memory of 1952	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	97
PID 2900 wrote to memory of 1952	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	97
PID 2900 wrote to memory of 1952	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	97
PID 2900 wrote to memory of 1304	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	99
PID 2900 wrote to memory of 1304	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	99
PID 2900 wrote to memory of 1304	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	99
PID 2900 wrote to memory of 2880	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	109
PID 2900 wrote to memory of 2880	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	109
PID 2900 wrote to memory of 2880	2900	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	109
PID 2880 wrote to memory of 1264	2880	WmiPrvSE.exe	110
PID 2880 wrote to memory of 1264	2880	WmiPrvSE.exe	110
PID 2880 wrote to memory of 1264	2880	WmiPrvSE.exe	110
PID 2880 wrote to memory of 964	2880	WmiPrvSE.exe	111
PID 2880 wrote to memory of 964	2880	WmiPrvSE.exe	111
PID 2880 wrote to memory of 964	2880	WmiPrvSE.exe	111
PID 1264 wrote to memory of 2484	1264	WScript.exe	112
PID 1264 wrote to memory of 2484	1264	WScript.exe	112
PID 1264 wrote to memory of 2484	1264	WScript.exe	112
PID 2484 wrote to memory of 896	2484	WmiPrvSE.exe	113
PID 2484 wrote to memory of 896	2484	WmiPrvSE.exe	113
PID 2484 wrote to memory of 896	2484	WmiPrvSE.exe	113
PID 2484 wrote to memory of 2412	2484	WmiPrvSE.exe	114
PID 2484 wrote to memory of 2412	2484	WmiPrvSE.exe	114
PID 2484 wrote to memory of 2412	2484	WmiPrvSE.exe	114
PID 896 wrote to memory of 2924	896	WScript.exe	115
PID 896 wrote to memory of 2924	896	WScript.exe	115
PID 896 wrote to memory of 2924	896	WScript.exe	115
PID 2924 wrote to memory of 1148	2924	WmiPrvSE.exe	116
PID 2924 wrote to memory of 1148	2924	WmiPrvSE.exe	116
PID 2924 wrote to memory of 1148	2924	WmiPrvSE.exe	116
PID 2924 wrote to memory of 2908	2924	WmiPrvSE.exe	117
PID 2924 wrote to memory of 2908	2924	WmiPrvSE.exe	117
PID 2924 wrote to memory of 2908	2924	WmiPrvSE.exe	117
PID 1148 wrote to memory of 1688	1148	WScript.exe	118

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
"C:\Users\Admin\AppData\Local\Temp\7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f0fbf8-e2d4-4324-ac12-3cd5d92bd547.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
      "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2484
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bdec28-2afb-4d62-bc66-ae090c2543d9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fe92c98-4c71-43b9-97a8-4979a1fb41c5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a7cd2b-2219-48ec-a760-9e877b6c1335.vbs"
        9⤵
        
        PID:1924
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9a2ab24-dee8-4de0-a2f7-b94f602016f4.vbs"
        11⤵
        
        PID:540
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ded0111-6d68-4ba4-aaed-3f4b3e0ad293.vbs"
        13⤵
        
        PID:1452
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6596aebe-cf5e-40f1-9279-71b0cb164f20.vbs"
        15⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65cd645e-c449-4514-9698-5b39cba18153.vbs"
        15⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8579132-e269-4052-b3f9-6205aedb405e.vbs"
        13⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a43a0a1-ae5a-4be3-a273-98d4ae8f4db4.vbs"
        11⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16b521d-49f6-47c2-a70b-490e89dfb3f8.vbs"
        9⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba4fa97-1b70-4d54-a0d2-46c2337014fe.vbs"
        7⤵
        
        PID:2908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20e51b91-1a0c-4bb2-bd82-1f2f2a025ac6.vbs"
        5⤵
        
        PID:2412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c05d7e-a0cc-477e-bc20-aee14ee022e0.vbs"
    3⤵
    PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Scenes\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Scenes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
4.9MB

MD5
9f101118f7c7a990e1991adffbd13a90

SHA1
aa29ddbcd084d3bb62584d55cb51011e51b0f0ce

SHA256
7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3

SHA512
3e21074feb16b2f59b41db35142ec3d2102602cd0f7f6a102eae4d972e3a4a40505a65dc9144ba0730dca3f4717324b21076da9fe41712d45a3d8166fc1bf55a

Download Submit
C:\Program Files\Windows Sidebar\spoolsv.exe

Filesize
4.9MB

MD5
d405247f8b8c89d2a197418b8bbeec2c

SHA1
1a7d16dff04a37d8766c01110631692b14013f17

SHA256
9a3a6e2125637cf3cc13dadb005aad140c6d93d68baddb47af7162f20b773241

SHA512
e73aa5b3e46da49db7bdaec09159ed856925dc89cb6bc869ddab04fa1c115e5168b4c29ae1e47a13bf3c505b1860a0f460666a8d70ad7dcbb24fb2eda5e905c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20bdec28-2afb-4d62-bc66-ae090c2543d9.vbs

Filesize
762B

MD5
2467f17997d7344508c33bd15044e3f1

SHA1
dc07759507b38d6af69561d86d3ffc7183d1de28

SHA256
d76da5ecf82b2e6ba4b09b89a33d6f677b4dbf2711d7a2527598d1a46ee88eda

SHA512
0aa6f003ef02380546e9f6764538ab2467a91101c2f726a2ca9a42730da00b3f27dd8b460a475a1e4d45fab78e51f9546f4858f463fffd3783d65ae2f31b69b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\30a7cd2b-2219-48ec-a760-9e877b6c1335.vbs

Filesize
762B

MD5
0f55a4bd25011c22c98bb66522d02cce

SHA1
e0cd4a93af9fc181456de2d6b60aed0ae66e93dc

SHA256
01a403bf6ad94b7b6700e3b046190d988a764956e2ebdd0f028bd04c4f12e79d

SHA512
a7caaa3854206f60bce8030eae47a54add1beb332793bf14a7fb35ed93ab540e3878678df14f6f736ff13298fe409a8451da5be2124a010dc85d82b3adfd10cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\40f0fbf8-e2d4-4324-ac12-3cd5d92bd547.vbs

Filesize
762B

MD5
fcb31f505daeab5abeddf08ede15a4ad

SHA1
02e0ee5a0490cfd1603ba834655c712939ef77a7

SHA256
0ecfb4ebd55b7c3b65b4ce9d09662516f9c389dfd5db39e2936e8daba8de533a

SHA512
729911a6f5f9e5efe92a184a5ec749393e8bbd7c682b71acfc16d66396b3a08147268838fd440003c4220ded3fc10a7b9d6c6d949022643a2f06427119268ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ded0111-6d68-4ba4-aaed-3f4b3e0ad293.vbs

Filesize
762B

MD5
0ae042c2579888a09519753779ce2c40

SHA1
aeafdd875f5668c05377990a2ebd45bf2ca7e559

SHA256
83bf1ed26b7a043a208678cc692fcca7a870ec47ba7f520598957d7fc9d4df9c

SHA512
25af80450b243d627ad0cbb31df3711be52e228b9246715464c821ad5c1811f636526e4868083bf9d3a529a307d10d260921bc32bdfa3bae9b96afe43faf8edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6596aebe-cf5e-40f1-9279-71b0cb164f20.vbs

Filesize
762B

MD5
0ef4e6b90b3b1cb4bffa9a7fe72794d8

SHA1
b25537f8317df685a16a90996b2e60dce073c0e9

SHA256
61878900d9b16c036b911326c5a79e882e51f89dadbace1938c8490728509fe6

SHA512
1d459285a4b1a2c97bf343cfc3b46c6ebd4b4275d1e3d9c1bf0d3bc22e69389232765eb2fd945f86179e13c5b3d6d3d167ca69ef90c3f5f47010a620c8748faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fe92c98-4c71-43b9-97a8-4979a1fb41c5.vbs

Filesize
762B

MD5
557d1cc72b81a8211902c930fbce4b2e

SHA1
b81eb5f3a9ff08cd24006948953ffd64dc52bf6b

SHA256
bdf0dceaed6ebbac445cd5230c79e65e6f7f147076c8a4166f1eb0ab15e8d5a8

SHA512
153668142319137ca9279d298a8ffc3b5cc6bf73595b3244d27cf34411ee4b50a51a3d86f3cec3a37d3a2a5ebda2e9950a20e46a56ac6b19c69b7feecd07b1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9a2ab24-dee8-4de0-a2f7-b94f602016f4.vbs

Filesize
762B

MD5
8c22949abb10a0e6ec6685ea314693e1

SHA1
b2c6f7a72acf0e911a4e69f5db6949e951c7900c

SHA256
bed783c99c04d90d6e878f9d5f0214fa1e1398e7b3017b6b546872e96d9fc1ec

SHA512
4304c8fd2814d346d81a750df4a8b40b9c67eb157345fbcea93d8a5509f3bdeaa4f5112f33620dbb7c02eef149b75b89e14ec998febd8396b3080a5e76cce54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c05d7e-a0cc-477e-bc20-aee14ee022e0.vbs

Filesize
538B

MD5
85a1da3970734cea4b9d3b17e87b5619

SHA1
79d9abd98d6f2b09a6e68897d9442df0950adde9

SHA256
59e535f939234f2dba32da2c22c1269548191218fb47ad59b6e7d5aa3ea35617

SHA512
b67ed839939d9a49b9fe14cdc63b373a06be4058235508b9ab813202b5b1d6d2b30e1422ef510d405923aedab77a00922557b95ecc1df7b6e689f41d6cd080e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d02c4acfa3312f418214ddcde8a0b097

SHA1
19a88b2ade2b2c27a2975bee800d156013095c72

SHA256
c663674a81f6f1e62cbcf49a5e145382b9bd0826bf27b379598361fa40c7920d

SHA512
34dc2c738248b28b6224b4d5c4933b2037f1e878042405f2f311a44b5daa179e15dd2305fe87cdd0bbc50bda101c234f783d97a69480592aa5bc542be1fac438

Download Submit
memory/572-227-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/1548-203-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/1688-283-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download
memory/2880-226-0x0000000000C70000-0x0000000001164000-memory.dmp

Filesize
5.0MB

Download
memory/2900-9-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/2900-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/2900-93-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/2900-108-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-15-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2900-14-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2900-13-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/2900-12-0x0000000000A20000-0x0000000000A2E000-memory.dmp

Filesize
56KB

Download
memory/2900-11-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/2900-232-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-10-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2900-16-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2900-8-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2900-7-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/2900-1-0x0000000000360000-0x0000000000854000-memory.dmp

Filesize
5.0MB

Download
memory/2900-6-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2900-5-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2900-4-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2900-3-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-2-0x000000001B820000-0x000000001B94E000-memory.dmp

Filesize
1.2MB

Download
memory/2924-268-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download