dcrat | 65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Size

1.7MB
MD5

f1c7ba434142190a707f597065fda0fc
SHA1

1c2991037471e1247910ca32f4435309bf7ff7fd
SHA256

65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53
SHA512

9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:OTHUxUoh1IF9gl23

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1056	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1056	schtasks.exe	82

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1612-1-0x0000000000250000-0x0000000000410000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb7-30.dat	dcrat
behavioral2/files/0x0009000000023cbb-153.dat	dcrat
behavioral2/files/0x0009000000023cc3-165.dat	dcrat
behavioral2/files/0x000b000000023cc7-189.dat	dcrat
behavioral2/files/0x0009000000023ccf-200.dat	dcrat
behavioral2/files/0x0009000000023cd2-211.dat	dcrat
behavioral2/files/0x0008000000023cdb-246.dat	dcrat
behavioral2/files/0x0009000000023ce0-255.dat	dcrat
behavioral2/files/0x0009000000023ce2-268.dat	dcrat
behavioral2/memory/5024-405-0x0000000000360000-0x0000000000520000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1492	powershell.exe
1328	powershell.exe
800	powershell.exe
4100	powershell.exe
936	powershell.exe
1508	powershell.exe
5084	powershell.exe
1548	powershell.exe
2292	powershell.exe
3824	powershell.exe
1772	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 9 IoCs

pid	Process
5024	dwm.exe
2460	dwm.exe
5100	dwm.exe
3356	dwm.exe
2440	dwm.exe
5000	dwm.exe
2460	dwm.exe
3456	dwm.exe
1328	dwm.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXE40C.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Common Files\Services\5b884080fd4f94	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC0C6.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\27d1bcfc3c54e0	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCXCBEB.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXD85A.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\66fc9ff0ee96c2	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\RCXD5D8.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Java\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6cb0b6c459d5d3	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\RCXD569.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Java\jdk-1.8\lib\e1ef82546f0b02	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXC4D1.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXE189.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXE207.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXC753.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXC754.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\1bf8c28e80639f	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\ea1d8f6d871115	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Java\9e8d7a4ca61bd9	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC0C7.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXC4D2.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\upfc.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCXCC5A.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXD365.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXE48A.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCXCE5E.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\RCXCEDC.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXD7DC.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXD2F6.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\upfc.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\RCXBC9B.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\bcastdvr\RCXBEB0.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\TAPI\RCXC9D6.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\TAPI\RCXC9D7.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXDA5F.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\security\RCXDEE7.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\bcastdvr\services.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\bcastdvr\c5b4cb5e9653cc	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\TAPI\27d1bcfc3c54e0	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\rescache\_merged\4245263321\csrss.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Resources\Themes\9e8d7a4ca61bd9	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Panther\setup.exe\55b276f4edf653	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\security\7a0fd90576e088	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\security\explorer.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\Resources\Themes\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Resources\Themes\RuntimeBroker.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\TAPI\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File created	C:\Windows\security\explorer.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Resources\Themes\RCXBC9C.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\bcastdvr\RCXBEB1.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\bcastdvr\services.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\TAPI\System.exe	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXDA60.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
File opened for modification	C:\Windows\security\RCXDF65.tmp	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2208	schtasks.exe
2824	schtasks.exe
3104	schtasks.exe
4956	schtasks.exe
2440	schtasks.exe
4856	schtasks.exe
4536	schtasks.exe
2720	schtasks.exe
2496	schtasks.exe
3220	schtasks.exe
4592	schtasks.exe
5044	schtasks.exe
4336	schtasks.exe
3996	schtasks.exe
2996	schtasks.exe
3708	schtasks.exe
1804	schtasks.exe
4580	schtasks.exe
4796	schtasks.exe
3496	schtasks.exe
1096	schtasks.exe
636	schtasks.exe
2820	schtasks.exe
5048	schtasks.exe
1004	schtasks.exe
4720	schtasks.exe
1556	schtasks.exe
2584	schtasks.exe
208	schtasks.exe
4700	schtasks.exe
756	schtasks.exe
4456	schtasks.exe
1200	schtasks.exe
2000	schtasks.exe
4612	schtasks.exe
2924	schtasks.exe
4084	schtasks.exe
2140	schtasks.exe
560	schtasks.exe
1688	schtasks.exe
4684	schtasks.exe
2992	schtasks.exe
4696	schtasks.exe
1404	schtasks.exe
3988	schtasks.exe
4748	schtasks.exe
1752	schtasks.exe
3892	schtasks.exe
5056	schtasks.exe
3312	schtasks.exe
384	schtasks.exe
3632	schtasks.exe
2192	schtasks.exe
3108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
5084	powershell.exe
5084	powershell.exe
1772	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	5024	dwm.exe
Token: SeDebugPrivilege	2460	dwm.exe
Token: SeDebugPrivilege	5100	dwm.exe
Token: SeDebugPrivilege	3356	dwm.exe
Token: SeDebugPrivilege	2440	dwm.exe
Token: SeDebugPrivilege	5000	dwm.exe
Token: SeDebugPrivilege	2460	dwm.exe
Token: SeDebugPrivilege	3456	dwm.exe
Token: SeDebugPrivilege	1328	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1492	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	143
PID 1612 wrote to memory of 1492	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	143
PID 1612 wrote to memory of 5084	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	144
PID 1612 wrote to memory of 5084	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	144
PID 1612 wrote to memory of 1772	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	145
PID 1612 wrote to memory of 1772	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	145
PID 1612 wrote to memory of 3824	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	146
PID 1612 wrote to memory of 3824	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	146
PID 1612 wrote to memory of 1508	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	147
PID 1612 wrote to memory of 1508	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	147
PID 1612 wrote to memory of 2292	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	148
PID 1612 wrote to memory of 2292	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	148
PID 1612 wrote to memory of 936	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	149
PID 1612 wrote to memory of 936	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	149
PID 1612 wrote to memory of 4100	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	150
PID 1612 wrote to memory of 4100	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	150
PID 1612 wrote to memory of 800	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	151
PID 1612 wrote to memory of 800	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	151
PID 1612 wrote to memory of 1328	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	152
PID 1612 wrote to memory of 1328	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	152
PID 1612 wrote to memory of 1548	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	153
PID 1612 wrote to memory of 1548	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	153
PID 1612 wrote to memory of 3648	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	165
PID 1612 wrote to memory of 3648	1612	65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe	165
PID 3648 wrote to memory of 3312	3648	cmd.exe	167
PID 3648 wrote to memory of 3312	3648	cmd.exe	167
PID 3648 wrote to memory of 5024	3648	cmd.exe	168
PID 3648 wrote to memory of 5024	3648	cmd.exe	168
PID 5024 wrote to memory of 3288	5024	dwm.exe	169
PID 5024 wrote to memory of 3288	5024	dwm.exe	169
PID 5024 wrote to memory of 3588	5024	dwm.exe	170
PID 5024 wrote to memory of 3588	5024	dwm.exe	170
PID 3288 wrote to memory of 2460	3288	WScript.exe	172
PID 3288 wrote to memory of 2460	3288	WScript.exe	172
PID 2460 wrote to memory of 4864	2460	dwm.exe	174
PID 2460 wrote to memory of 4864	2460	dwm.exe	174
PID 2460 wrote to memory of 2408	2460	dwm.exe	175
PID 2460 wrote to memory of 2408	2460	dwm.exe	175
PID 4864 wrote to memory of 5100	4864	WScript.exe	176
PID 4864 wrote to memory of 5100	4864	WScript.exe	176
PID 5100 wrote to memory of 1612	5100	dwm.exe	177
PID 5100 wrote to memory of 1612	5100	dwm.exe	177
PID 5100 wrote to memory of 4260	5100	dwm.exe	178
PID 5100 wrote to memory of 4260	5100	dwm.exe	178
PID 1612 wrote to memory of 3356	1612	WScript.exe	179
PID 1612 wrote to memory of 3356	1612	WScript.exe	179
PID 3356 wrote to memory of 4892	3356	dwm.exe	180
PID 3356 wrote to memory of 4892	3356	dwm.exe	180
PID 3356 wrote to memory of 3156	3356	dwm.exe	181
PID 3356 wrote to memory of 3156	3356	dwm.exe	181
PID 4892 wrote to memory of 2440	4892	WScript.exe	182
PID 4892 wrote to memory of 2440	4892	WScript.exe	182
PID 2440 wrote to memory of 3984	2440	dwm.exe	183
PID 2440 wrote to memory of 3984	2440	dwm.exe	183
PID 2440 wrote to memory of 1052	2440	dwm.exe	184
PID 2440 wrote to memory of 1052	2440	dwm.exe	184
PID 3984 wrote to memory of 5000	3984	WScript.exe	185
PID 3984 wrote to memory of 5000	3984	WScript.exe	185
PID 5000 wrote to memory of 1900	5000	dwm.exe	186
PID 5000 wrote to memory of 1900	5000	dwm.exe	186
PID 5000 wrote to memory of 4592	5000	dwm.exe	187
PID 5000 wrote to memory of 4592	5000	dwm.exe	187
PID 1900 wrote to memory of 2460	1900	WScript.exe	188
PID 1900 wrote to memory of 2460	1900	WScript.exe	188

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe
"C:\Users\Admin\AppData\Local\Temp\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v1BFFgLzHm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3312
- - C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68cba092-93b8-4d14-b6db-d53fb117eed3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3288
    - - C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0362474c-2ca9-48a8-8aaf-b43fa81973ee.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10d504f-f506-4fb5-8bfc-05f3bea9995a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae90f743-9227-40e9-a538-89b3c281ad02.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0f82e4-5b3b-43de-a672-13eada2355d3.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50b60342-ca67-4655-8a7e-0b94dabad66e.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54addcb2-ae43-4350-a480-1fe81411483f.vbs"
        16⤵
        
        PID:4552
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f1eee9-491c-401e-b599-f057d2924901.vbs"
        18⤵
        
        PID:2576
        
        C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1747841-2277-4db3-a1b6-7ef7556c9206.vbs"
        20⤵
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e684d7b-f3c3-485c-bab1-76bea7fb0dfe.vbs"
        20⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55906bd0-aaf6-4d27-8fb9-32237cd3a39a.vbs"
        18⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c405d97-43be-42a4-b6cf-9eb6587c1b78.vbs"
        16⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d08f6ea3-6849-44a8-a477-0fd735ae3b73.vbs"
        14⤵
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e2c608-be7a-45ad-a806-621c97950d8b.vbs"
        12⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4efafcd9-9421-401d-9d26-2e469abde986.vbs"
        10⤵
        
        PID:3156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a17c9db8-fbce-4b71-a237-81cec64dcc60.vbs"
        8⤵
        
        PID:4260
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca8606b1-5b79-46e4-bdeb-e242a0abcd95.vbs"
        6⤵
        
        PID:2408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97eaaac0-5263-460e-8cdd-103d12daed65.vbs"
      4⤵
      PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\bcastdvr\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d536" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\security\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\security\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\security\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\fontdrvhost.exe

Filesize
1.7MB

MD5
7ce50f27f6976a1ba12d8a53bcb21905

SHA1
ef0d5d22c2101416558809725c519533fec63d82

SHA256
c2c57b5eb86423cd131848c92bef946b01edc0981b6815009233d6bcf3d16a59

SHA512
cfde44551e8677c6fb3f76549156b4b0d6f9ea2a819451c2f0bd6993568c037e86af74a9b8de295aea8d9126d5cb0bb2301b38352e7a3845780a69da67713210

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53.exe

Filesize
1.7MB

MD5
f1c7ba434142190a707f597065fda0fc

SHA1
1c2991037471e1247910ca32f4435309bf7ff7fd

SHA256
65ede29c9eb1fb5cfcd274327beaad80642ed10468b478d9c291bdde4c849d53

SHA512
9aed1b32c9d40149f41afbf88dd9757f52a52d26889b89d47defca85ea39a25c675d0a31c092657c8cfd8473f1130c8323efa9091c00eec4d733f7e29e1743eb

Download Submit
C:\Program Files (x86)\Windows Defender\fr-FR\System.exe

Filesize
1.7MB

MD5
1a4aee292aecd457d2bf358fc790464e

SHA1
5e29383a70e0dba522ae78f78447890a33f9e4d3

SHA256
08c99876475edf0c22431ab9db689ac5e291d5d9f830af582fa59aa0f2c0c2bd

SHA512
a829feda64cb0f4858299cdc428c4848e03437fa9144350ca114e1a500c27e84809cad0d28d2634299c0b648f3b1b51d06ea6033e016d339a7498da6c0ad36a5

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe

Filesize
1.7MB

MD5
a420ef1c1386d11df27b25244e2e4a2e

SHA1
1def97904f76ae6db44fa7281e4d959d9a96b706

SHA256
fb5ab1b146f15ac7f4e3edcb135926cabc7bf74d50c4a76f18b0c490240669b0

SHA512
0a20f9d8696545bb83997c11a685a91a30723cc02ec31e3ed1b747bc82fcdf791c79ebc2152d9347450d0ced74cb386201d5f226b037d2414ff3ac6201cf38f5

Download Submit
C:\Program Files\Java\RuntimeBroker.exe

Filesize
1.7MB

MD5
fc3ad5990f5a8348c343f113bc446986

SHA1
e62d165f1b4187c9446bc26fe6e0cb753c45c918

SHA256
d8382c3c52e7b7556dfdd1c8aa8de9a9eab00e84ec3ed8ddd2b1ef7d1731ce77

SHA512
86e4f0dace933cae9128ed4b7f57c7f6d03747742490330d03cbe365a0f853e9bf5aac940c4d7b79afb4978e7927b1a17d192b4997110692e2632b72526c3304

Download Submit
C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe

Filesize
1.7MB

MD5
b5a02557d15ff95c9a076df10edb52c7

SHA1
0f47dcc5eec0d0610bf4ad4bac6c75c98fd40dfa

SHA256
8a93c71f5b5958fe58bf422435f1577e2ba47169a4b9f90d7ee8f4bf7590dad1

SHA512
5c7c1458d3b40b75cad7aff28793c5c9e068cafb8528a16ff5fb869ab35ba87e45ec43f000fbc64dce5ca8ec1082d9a7c6dfabcc0924c14b04ea89de2cc39a2f

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe

Filesize
1.7MB

MD5
32f4a38fa6c2f33e2f1b80fc9ced0cde

SHA1
4825cbfcd780a6265c69b6cc55c2c99ce38f71d4

SHA256
ab4ebe1cf88258ff9fe00b4a851e575cca092a981754c5530f5c411ca444356c

SHA512
a5084406e88b07478525ed46c152db98dd2c6b58e576b291626fe729015b8aeaeb7b92d04b62e29c8a905cb80f37e56eadc50f1a828af5e2b0f764518c42e644

Download Submit
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\sihost.exe

Filesize
1.7MB

MD5
18e92d8a33223204397381da3bdc66b7

SHA1
d8318a550fc321e95bd5ff065fce0fad97f07501

SHA256
136a4992ed011423b04e34f3a26cd1be24b25450637323d899c81da5d3424c28

SHA512
10303ad5e7f36d66dabc89e1b2acc5eab804a2a38d593111c7d15195281fad6595985ac51d5ecf418c140617c5a0262e1345d046b8516d6b5a2069413ac0d630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0362474c-2ca9-48a8-8aaf-b43fa81973ee.vbs

Filesize
734B

MD5
c1c9f0c1c4130f6dde692511d33465ff

SHA1
6871fc509f2f5a3b943ed76383eba0ba04327a5d

SHA256
7fbf93677f5f553ff432e5cb53580d03cadc88f58709bcbdc766b9522b7a2aa5

SHA512
2d99e672f688c45f36f6eb198ddebd4a8bc2724a5c16a48f694ee796d470e852dbbcedd596a80f96a627cfed7376acb2dac67abc69f423f077d4d2413c92f3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\50b60342-ca67-4655-8a7e-0b94dabad66e.vbs

Filesize
734B

MD5
7ad135e557cb0c9f9e261d229243e4ab

SHA1
9972930fd850a94d3609be763b0b92be8123ca5c

SHA256
0e946ec7e3a19a5f3d0cd989eb8af7ad55f69cc546df90ed8a3c2cbcfb70ded7

SHA512
1d7ddbe726ab6b099ec871be32f5b6a5fcac83e910b32d0ff3fe2557b400444f9460075b32ea167085631428d99900dbe7bb8dae3fb9bc501f73562b39a5cb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\68cba092-93b8-4d14-b6db-d53fb117eed3.vbs

Filesize
734B

MD5
6d120b62d47214541b46dcd4b1944b04

SHA1
01412850fe85ed794ecc81bc965603e7717dbd94

SHA256
9d596b436a8fae0c25036fd4baa58f6e66739df24657e5b1260b7917d533987b

SHA512
77f90ce3ab031b3a9a450fef8c07a83a00499b2c41e1469463817b83edd4de0a0bbc89c71c014016f708f895501a04b50338072ff5028119633cea981b74c61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\97eaaac0-5263-460e-8cdd-103d12daed65.vbs

Filesize
510B

MD5
1154d4cee512750fefa82fc8df424be2

SHA1
9e12402b9410fac3b8b780a07fe005412e508432

SHA256
a475c9918d92e03d95e00151bc2c9e1efaab50413d1e418bad1d40914de24906

SHA512
6ed44947cc7b233b5215b812e06ae2069a76992f979c0dd895fdde63951afc62b0e16617a0b660d315888e865bc177b82023ac1786714749c02b5df10692ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vh0wtuw.vja.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae90f743-9227-40e9-a538-89b3c281ad02.vbs

Filesize
734B

MD5
1d21ad5b6b0f9ab44e75dc740e64983b

SHA1
b8db7ec3307525792daf8ce2074d17fad91fdf3a

SHA256
e3c430bb74eb2455448c3a059863995b730265a83335f35c043e66d4be715065

SHA512
e80019d63c8fbe4f2aa50346d73060785454967c2599f2ce44ddb30b2f73d3d718b75868c41dce8dc90bee4e05f3daa8d678e4fb513da12b6b0fbd66bb2c95a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1f1eee9-491c-401e-b599-f057d2924901.vbs

Filesize
734B

MD5
8b80811f322b03da4637e78305675f4d

SHA1
48f3c72b4b99e91c86fa1babc32fc14a9e10da27

SHA256
7d14ae388c0fac83860520f30058596a44e9d7d686589b3e6864f2f16615fb67

SHA512
f9e92431237ba6509617633b5062560ea90c7b32757d111e687ac3f75b8ed611836c9944f37c9599335b973e784b8642a293682474c20c76624008310fd64324

Download Submit
C:\Users\Admin\AppData\Local\Temp\d10d504f-f506-4fb5-8bfc-05f3bea9995a.vbs

Filesize
734B

MD5
b33fd0d42d309e03475708324bd5b3b0

SHA1
3d6bbccd05298def7515ee4adac9628f16f121f2

SHA256
75ecbe1f5d3e5560796fa61bc6acf5cf7bb12ae1870c5bb9ce7bfa29f312ae47

SHA512
8712569e2e6327013c7deaa967266b97f697b09043c2e6cfe37c708d0655c5ba1ced15d6c58d2cb705b17629d83a8bb781d59f585529a081ae74c3e725615196

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1747841-2277-4db3-a1b6-7ef7556c9206.vbs

Filesize
734B

MD5
6d8e75830bf0fc8f6e704a45ab6c8aab

SHA1
39dc2c02d727250d52ff1130d20def4dd9dd5baf

SHA256
0d09b2513416f157415d3672b5893222e409f4aa6f5a162dd4e8816669fbda3f

SHA512
13763233cc22d9e142d0bcb7101a92e22646953dc0adc39a5a52a849e657ed3c15283f077b52d12a0388f5afc2174e870c50e0b5d92e1e7ecbb703d33efb837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0f82e4-5b3b-43de-a672-13eada2355d3.vbs

Filesize
734B

MD5
9dff3bb7906628a50d5334d587f17667

SHA1
4e59b1740e44228aa806eb613d7a398e5e889cf1

SHA256
4d2fbe8037d69fd6e025f6e30e1c1a8ac6b4f28b414b7d082aab1e5321f8ca54

SHA512
ce6b6f2de3f9c961e8c6c42983de6bf4de7144cb069bffd6868937596149dfca970a71345f6453f07ad89492801c16ae42fd2e8ffe9c2ee114156be0d198818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1BFFgLzHm.bat

Filesize
223B

MD5
b7bf04187ce465209f965d64fa1c8d2c

SHA1
cef312e06e240b30828c00e2a058f9eb7303b205

SHA256
018ebea6783bc149e9104bede46dcad53735f4d0acd15d586869fdad3c8e56b5

SHA512
3d3225aac528ab1ea5f018d456be94696078170f57a92a6bac6b5782babd6d3e2357082e9e53b75d78ff28c0ff12b7859b31dd03d8fab9bc7fcf4e1f49a743cf

Download Submit
C:\Windows\security\explorer.exe

Filesize
1.7MB

MD5
06bf2b8a2a5eb6eef3746dac37ba6155

SHA1
3be34005b0c82ffa16b51b91e2bf89b36d69fdc9

SHA256
b6ff08b3b5b6f647fe8e3662bb76a0b34a55e43e20e4a93a3bd1d69128bae0d7

SHA512
5d47e1e218c91241887917a01a27dc8039fe6a2de014074782b13726abae73f2285c3dcafdc689071902f3939ec5a7773a89130fca1cc714e11935ea7e9483aa

Download Submit
memory/800-286-0x0000029959630000-0x0000029959652000-memory.dmp

Filesize
136KB

Download
memory/1612-180-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

Filesize
8KB

Download
memory/1612-9-0x0000000002690000-0x000000000269C000-memory.dmp

Filesize
48KB

Download
memory/1612-7-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1612-8-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/1612-10-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/1612-12-0x000000001B090000-0x000000001B0A2000-memory.dmp

Filesize
72KB

Download
memory/1612-287-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-17-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/1612-5-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/1612-4-0x000000001B0E0000-0x000000001B130000-memory.dmp

Filesize
320KB

Download
memory/1612-6-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1612-3-0x0000000002510000-0x000000000252C000-memory.dmp

Filesize
112KB

Download
memory/1612-214-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-2-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-16-0x000000001B130000-0x000000001B13E000-memory.dmp

Filesize
56KB

Download
memory/1612-13-0x000000001BCC0000-0x000000001C1E8000-memory.dmp

Filesize
5.2MB

Download
memory/1612-156-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

Filesize
8KB

Download
memory/1612-1-0x0000000000250000-0x0000000000410000-memory.dmp

Filesize
1.8MB

Download
memory/1612-14-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download
memory/1612-18-0x000000001B150000-0x000000001B15C000-memory.dmp

Filesize
48KB

Download
memory/1612-23-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-19-0x000000001B160000-0x000000001B16C000-memory.dmp

Filesize
48KB

Download
memory/1612-22-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/1612-15-0x000000001B0D0000-0x000000001B0DA000-memory.dmp

Filesize
40KB

Download
memory/2440-451-0x000000001B3C0000-0x000000001B3D2000-memory.dmp

Filesize
72KB

Download
memory/3456-485-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/5024-405-0x0000000000360000-0x0000000000520000-memory.dmp

Filesize
1.8MB

Download