dcrat | cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Size

4.9MB
MD5

289ed55b09590f6399d722fda8236a7f
SHA1

592d7af9cd2ed6b2f7c06bec69e495e7f0b63ba2
SHA256

cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a
SHA512

9ac6fbe13327bd2014e5156e543e3fdba3d6b5b38cb8504475ea8f2efda34f0d1e57fc6b42ad102ae2a50a18a82779b4cfd40e65b7dc6a45e4c97192e8c149aa
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8A:A

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1104	schtasks.exe	31

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2528-3-0x000000001B210000-0x000000001B33E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2848	powershell.exe
2720	powershell.exe
2700	powershell.exe
2424	powershell.exe
2772	powershell.exe
2612	powershell.exe
2816	powershell.exe
2608	powershell.exe
628	powershell.exe
2844	powershell.exe
2728	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3040	sppsvc.exe
2940	sppsvc.exe
1668	sppsvc.exe
2736	sppsvc.exe
2024	sppsvc.exe
1272	sppsvc.exe
1544	sppsvc.exe
2612	sppsvc.exe
944	sppsvc.exe
1792	sppsvc.exe
2700	sppsvc.exe
2928	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\RCXEC8C.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Reference Assemblies\audiodg.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXF372.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Windows Journal\de-DE\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Windows Journal\de-DE\0a1fd5f707cd16	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Windows Journal\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Windows Journal\0a1fd5f707cd16	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Reference Assemblies\audiodg.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXDD19.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXE817.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Windows Journal\sppsvc.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXEE90.tmp	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files\Reference Assemblies\42af1c969fbb7b	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\6ccacd8608530f	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2016	schtasks.exe
2252	schtasks.exe
1612	schtasks.exe
1552	schtasks.exe
2808	schtasks.exe
648	schtasks.exe
2904	schtasks.exe
2144	schtasks.exe
2884	schtasks.exe
2140	schtasks.exe
3032	schtasks.exe
2412	schtasks.exe
2616	schtasks.exe
1548	schtasks.exe
2076	schtasks.exe
1272	schtasks.exe
2356	schtasks.exe
2104	schtasks.exe
1320	schtasks.exe
1328	schtasks.exe
288	schtasks.exe
2828	schtasks.exe
2632	schtasks.exe
1752	schtasks.exe
448	schtasks.exe
2824	schtasks.exe
1248	schtasks.exe
1164	schtasks.exe
304	schtasks.exe
2176	schtasks.exe
2224	schtasks.exe
2708	schtasks.exe
2272	schtasks.exe
2556	schtasks.exe
1592	schtasks.exe
2756	schtasks.exe
856	schtasks.exe
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
2700	powershell.exe
628	powershell.exe
2844	powershell.exe
2584	powershell.exe
2772	powershell.exe
2816	powershell.exe
2608	powershell.exe
2848	powershell.exe
2424	powershell.exe
2728	powershell.exe
2612	powershell.exe
2720	powershell.exe
3040	sppsvc.exe
2940	sppsvc.exe
1668	sppsvc.exe
2736	sppsvc.exe
2024	sppsvc.exe
1272	sppsvc.exe
1544	sppsvc.exe
2612	sppsvc.exe
944	sppsvc.exe
1792	sppsvc.exe
2700	sppsvc.exe
2928	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3040	sppsvc.exe
Token: SeDebugPrivilege	2940	sppsvc.exe
Token: SeDebugPrivilege	1668	sppsvc.exe
Token: SeDebugPrivilege	2736	sppsvc.exe
Token: SeDebugPrivilege	2024	sppsvc.exe
Token: SeDebugPrivilege	1272	sppsvc.exe
Token: SeDebugPrivilege	1544	sppsvc.exe
Token: SeDebugPrivilege	2612	sppsvc.exe
Token: SeDebugPrivilege	944	sppsvc.exe
Token: SeDebugPrivilege	1792	sppsvc.exe
Token: SeDebugPrivilege	2700	sppsvc.exe
Token: SeDebugPrivilege	2928	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 628	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 2528 wrote to memory of 628	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 2528 wrote to memory of 628	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	71
PID 2528 wrote to memory of 2844	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 2528 wrote to memory of 2844	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 2528 wrote to memory of 2844	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	72
PID 2528 wrote to memory of 2424	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	73
PID 2528 wrote to memory of 2424	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	73
PID 2528 wrote to memory of 2424	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	73
PID 2528 wrote to memory of 2772	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	75
PID 2528 wrote to memory of 2772	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	75
PID 2528 wrote to memory of 2772	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	75
PID 2528 wrote to memory of 2700	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	76
PID 2528 wrote to memory of 2700	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	76
PID 2528 wrote to memory of 2700	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	76
PID 2528 wrote to memory of 2720	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	78
PID 2528 wrote to memory of 2720	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	78
PID 2528 wrote to memory of 2720	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	78
PID 2528 wrote to memory of 2848	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	79
PID 2528 wrote to memory of 2848	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	79
PID 2528 wrote to memory of 2848	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	79
PID 2528 wrote to memory of 2584	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	81
PID 2528 wrote to memory of 2584	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	81
PID 2528 wrote to memory of 2584	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	81
PID 2528 wrote to memory of 2608	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	82
PID 2528 wrote to memory of 2608	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	82
PID 2528 wrote to memory of 2608	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	82
PID 2528 wrote to memory of 2816	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 2528 wrote to memory of 2816	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 2528 wrote to memory of 2816	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	83
PID 2528 wrote to memory of 2612	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	85
PID 2528 wrote to memory of 2612	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	85
PID 2528 wrote to memory of 2612	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	85
PID 2528 wrote to memory of 2728	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	86
PID 2528 wrote to memory of 2728	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	86
PID 2528 wrote to memory of 2728	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	86
PID 2528 wrote to memory of 3040	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	95
PID 2528 wrote to memory of 3040	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	95
PID 2528 wrote to memory of 3040	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	95
PID 2528 wrote to memory of 3040	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	95
PID 2528 wrote to memory of 3040	2528	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe	95
PID 3040 wrote to memory of 1156	3040	sppsvc.exe	96
PID 3040 wrote to memory of 1156	3040	sppsvc.exe	96
PID 3040 wrote to memory of 1156	3040	sppsvc.exe	96
PID 3040 wrote to memory of 1600	3040	sppsvc.exe	97
PID 3040 wrote to memory of 1600	3040	sppsvc.exe	97
PID 3040 wrote to memory of 1600	3040	sppsvc.exe	97
PID 1156 wrote to memory of 2940	1156	WScript.exe	98
PID 1156 wrote to memory of 2940	1156	WScript.exe	98
PID 1156 wrote to memory of 2940	1156	WScript.exe	98
PID 1156 wrote to memory of 2940	1156	WScript.exe	98
PID 1156 wrote to memory of 2940	1156	WScript.exe	98
PID 2940 wrote to memory of 1392	2940	sppsvc.exe	99
PID 2940 wrote to memory of 1392	2940	sppsvc.exe	99
PID 2940 wrote to memory of 1392	2940	sppsvc.exe	99
PID 2940 wrote to memory of 2800	2940	sppsvc.exe	100
PID 2940 wrote to memory of 2800	2940	sppsvc.exe	100
PID 2940 wrote to memory of 2800	2940	sppsvc.exe	100
PID 1392 wrote to memory of 1668	1392	WScript.exe	101
PID 1392 wrote to memory of 1668	1392	WScript.exe	101
PID 1392 wrote to memory of 1668	1392	WScript.exe	101
PID 1392 wrote to memory of 1668	1392	WScript.exe	101
PID 1392 wrote to memory of 1668	1392	WScript.exe	101
PID 1668 wrote to memory of 2548	1668	sppsvc.exe	102

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe
"C:\Users\Admin\AppData\Local\Temp\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Program Files\Windows Journal\de-DE\sppsvc.exe
  "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\865510a4-087a-429b-894b-e2129f0f7ab7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Program Files\Windows Journal\de-DE\sppsvc.exe
      "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c5d410a-f3f2-44fa-bd03-1237fb5c841b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
      - C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12175c6d-4327-467e-97b8-a0e21413f1d5.vbs"
        7⤵
        
        PID:2548
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d890d454-0a29-4e17-bc3a-a367ad86b064.vbs"
        9⤵
        
        PID:2788
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\386b2f81-e7df-4251-a847-55c6e50e5c3c.vbs"
        11⤵
        
        PID:2468
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51d91890-569b-40c9-882f-67526d5f0b34.vbs"
        13⤵
        
        PID:2896
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4eda98-8292-41c6-bd33-bb2637e677fc.vbs"
        15⤵
        
        PID:648
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48003e61-c744-4cc3-8021-23405558a403.vbs"
        17⤵
        
        PID:1684
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7b4db1c-b28f-4004-a8f1-34564374397b.vbs"
        19⤵
        
        PID:2420
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6426645b-55eb-45e7-941a-57198a237bb7.vbs"
        21⤵
        
        PID:2244
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ade2c229-7277-4ccb-9784-b82a9e6d338b.vbs"
        23⤵
        
        PID:3052
        
        C:\Program Files\Windows Journal\de-DE\sppsvc.exe
        
        "C:\Program Files\Windows Journal\de-DE\sppsvc.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cc0bb26-ed57-4aef-822b-cd15c3298e61.vbs"
        25⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ccbeff-9e24-4c09-8f7e-1439747ca639.vbs"
        25⤵
        
        PID:600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de45b571-bbd5-479a-8ed0-fe10d81204fc.vbs"
        23⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c2d3e2d-a7f6-4291-92ab-370f1b89c958.vbs"
        21⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90f35291-6685-432c-b62c-d65107ea9e4c.vbs"
        19⤵
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a7c9c73-210b-4289-889e-552c4a7578db.vbs"
        17⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f16e39-601a-496e-825b-f38debb3573f.vbs"
        15⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4481b031-eafa-4a87-b6c1-4ae71160b683.vbs"
        13⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7e69ee7-d11e-4ab0-b894-3ea18b1334bf.vbs"
        11⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7b1df0b-3456-4266-830e-833327069fac.vbs"
        9⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d744ac-5f5a-4edc-af42-69db9b59c706.vbs"
        7⤵
        
        PID:2476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9aa44d-3f67-40d0-bce0-f92b46aca861.vbs"
        5⤵
        
        PID:2800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11620631-0deb-4068-83d9-a4595ef96064.vbs"
    3⤵
    PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\NetHood\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20ac" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20ac" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\attachments\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20ac" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20ac" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\de-DE\sppsvc.exe

Filesize
4.9MB

MD5
cde3919b2cea3277f106a17c7a3e3cb5

SHA1
6232bef0c79bddbdfde6ab3ba7c375fb77d5f829

SHA256
9b171435d51a30c7526f9807994242d22d12cf3a6ce795e879c3b54528a45fd9

SHA512
f1e0505086970286f8c95448af139ef09a5287cdaecd64aeabd00a8834e2ea6bf15e6460b374c6a5bc394ecce9820165c13694620a19332db9c2b325b4407149

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a.exe

Filesize
4.9MB

MD5
5ef1ce6b39843362a9fef0ed86028747

SHA1
5cbbe11fa7eee5481fafcb273048f41675d6bb97

SHA256
3674d6b2e6a50dc009d179538068382893de69c57c3275ef42d7ebbb93ac2d66

SHA512
1ef6e0afab2c39ed71c09664fa26e73b06a57426b142730c1d6726374a3f8b9c83668873de5ad61f65f69a5fa719082cb783ae6e94b30d1d33960a5b15a00a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\11620631-0deb-4068-83d9-a4595ef96064.vbs

Filesize
501B

MD5
cce1134f59b4da092a45a54ebfad2eb3

SHA1
5a504d223a8c0351c5464669d575c7386a97829f

SHA256
633dae8d958733965c06bddb245f3480f168c78bc80ad65a4c8f6554c8698e1f

SHA512
c0ddd2798d57cc47ae76e9b7b0db57a1aec563c1c33098610bd783bba867ceaa2813c72653e39d214a4a62d1304349420a4723476f8da63764606755264eabe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\12175c6d-4327-467e-97b8-a0e21413f1d5.vbs

Filesize
725B

MD5
4504606d074ff3c576e40259513fe4d5

SHA1
f9b9ff9b8a6851757e67bb3e97df4699f0e8519c

SHA256
d8f723ed7d1f7f48bd5559f8b6cd14fbbc6296b5e9d702f64c8810d4b1df021f

SHA512
2e713f870ed834c2af018b1c5b19a5530cf8406af1a4d330c44feafda60184f9c995405c9db45ad28910417a4dddf200b3c1bfbd8322592794614e277bae839f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a4eda98-8292-41c6-bd33-bb2637e677fc.vbs

Filesize
725B

MD5
d30623fc87ef206ca47ea4e0a5012802

SHA1
f614011d6981641839980ff21da1b10b5c6315be

SHA256
76b1ea6f2e5a386b2c351b8fff2aafd5e1fb7c137795c6bac38bb04ce3c5e62f

SHA512
4c539ffef3e5eba349ff9621cd95062121bce9263515ac0650fd418d9f555b98591aeff280d8eea1c0f7617e2194c178dbfa3027943c4c1bddea4701ce533615

Download Submit
C:\Users\Admin\AppData\Local\Temp\386b2f81-e7df-4251-a847-55c6e50e5c3c.vbs

Filesize
725B

MD5
29534686a8e432361e4213b83daa8113

SHA1
f39ad8d6070b5aefb9cc36cfba17bcdb7511c99a

SHA256
db61d2939a9675ba777568b57db4f5756a9a53f033e28c643766d4a431313de5

SHA512
549b31667b81fd08d3f6ea8ebfb7c20daea813b59c584b5bee6d7260e5f6353524fcbaf1d9b2a27e77f3d4854735cbf494d0b0a0aa85c60198cd6a1bcc8b5fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cc0bb26-ed57-4aef-822b-cd15c3298e61.vbs

Filesize
725B

MD5
984f1756d2104423146cfb5e472d1ab3

SHA1
1a7fd76652f353088f432dbf43b03a7b15db31ff

SHA256
5e502ca4a4b12137e5b519751fd06601af04bd50a49b55243baa271097aff0df

SHA512
8c76ba6a3bc51775c3ffd8c45b883a9c68b9210bee0d28ada3d6bc626bef16426e372df0105a7a217516851dc490bf52dfe567e24a8dfee9984d26ad338e7de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\48003e61-c744-4cc3-8021-23405558a403.vbs

Filesize
725B

MD5
369283d9c6b294b078a14f69d4a186e3

SHA1
a2308f8985a28963e6a24ed4e3521b48e14a6ed4

SHA256
fb438b84a40285a52b11f1e15cfa30a620558a3060bad0f01456bc9a27722e23

SHA512
5320d041248dbcd97ebc9c9c1855da16a2895766d040342dd7b0eec0cee1ae74c6d98fba16470b66369f300bc3b966f1c3b50ce943deb7e04cf3b4b7e5883be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\51d91890-569b-40c9-882f-67526d5f0b34.vbs

Filesize
725B

MD5
6c07c31dd858931542da60abb6c9521b

SHA1
6f34d1155bb1802730a195be2f8b599daa697311

SHA256
01feab833829bf5a55f4ea129e1b3f421f8730aa8e40abc2dfb9eda0085bb659

SHA512
5278a7eae37119fd5188f553f9591b19c06568c624a809671859a1d7f8c8988977f9be4efc9c08f2ae8afb0e7b0f5374a354430dd6a674aec2c33507b85e5b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6426645b-55eb-45e7-941a-57198a237bb7.vbs

Filesize
725B

MD5
2508700a8e003c5c62947422d2bbbc4a

SHA1
7aef305423595c11b23ea86fb521cef54151d7f1

SHA256
b4e931e2a0ea4c05df3f6fe6d52a82eda77e96e18111a412c20b62a26dfc65ac

SHA512
f9929da91bb3993e77eb0d9bb35b228a8e2e547a29fd3c29fbfb87811b14d3a3d37dd1374aa1b117465316ab722123a4cba08897670473211218e1c7da1fee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c5d410a-f3f2-44fa-bd03-1237fb5c841b.vbs

Filesize
725B

MD5
8cb003c3d341f79d852d5706e84bb712

SHA1
46b546466546d2496299d505ca75efa4eeb56057

SHA256
b598028e701366fd9f869fd1885a2dc7e1fba42e124d8a3df9fe7c6ba5fe6f30

SHA512
776cbf31d1ce168d4fbd316c66cd0da34ac8beecd19585df28a2e2315b6a82f8bb46c9182c6318425250ff65d3d18b472a3a3e1ade99f1767cd3d034a6791b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\865510a4-087a-429b-894b-e2129f0f7ab7.vbs

Filesize
725B

MD5
7e4d0e43354099b5cef5f7a099cf3e79

SHA1
3e7fbb7736bf8d04938af73f2357b7ab38d31086

SHA256
470a5be0c44f2e52c1912cae80bcb404001f64336c106ec2933cc4d6729419b4

SHA512
0c566fd2269990b0fb57eb8453915d8366ec936d5e741b78d69fe22805de545567c31d2bba9dbe9436d3929761baba7f543dd879ff33d543b09381abcec2b258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ade2c229-7277-4ccb-9784-b82a9e6d338b.vbs

Filesize
725B

MD5
f445d815e093b21246be70ff14c0fe35

SHA1
7182cba13a409e915cf0b7e607c35284c909bf54

SHA256
ec60237d3d6e5b3789236f0e1316f1d55622645a8e3b5f8df75063dca4d97743

SHA512
c18965ca4b69a4cc7faab0a9749cfb89021fc9562ef8672d0313f82a331620b81b12415fa22c2d05dfec965d8422170f12733ded42315e58e1a797506b49797b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d890d454-0a29-4e17-bc3a-a367ad86b064.vbs

Filesize
725B

MD5
0b48d5fb1886ef26faf372a36e3f74e8

SHA1
98cbec09e6185aac4daa6f9be6756fec4f8054e1

SHA256
997c0a33326379adab5e2fef3b5a15c1622e7b34ac510b4a395d24a531ba796c

SHA512
20b7ce8cf7f750b9b95289c1ab4362417c0e82539e37590498a976aeb2d430064d9b7bbbbe2a480e5d653cd957f2bf687e79564b40053481db21b7f069aa56d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7b4db1c-b28f-4004-a8f1-34564374397b.vbs

Filesize
724B

MD5
f99f9ec5f1f07008b74a9c4082948465

SHA1
33b322d39d3f3dd86c7ad79c816e04a487887e21

SHA256
04a97dd5e9d246869f0d97299f8cdc42b0e85c1905df1b9bfb7dece9742e0eb9

SHA512
87ce656e414c3b518c4b0ab278a57b7f0624755b077d65b71fe6419db3d8572221bf5f0de9ab8a71a2e0b7ee76ce92e418a9e6ace2c54b493aa38f8f04dedfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZZYKZKZYPEGDDALH9EY1.temp

Filesize
7KB

MD5
d2570b36a9ac0cfc5d0eddc4970fe3ec

SHA1
68f2c9232d2e5160b6317cbe52c3a325d7ec522d

SHA256
cd864cab3afdb5a82c073d413dfccf375382b0124690c34f3c1ebc5d72012d7e

SHA512
bd0f76d4ef1baa39943b618d9c27929d673aec5b92e52d41fadb9831279bc99f04a596fba9b8dda5d3ac2eba9293a6cc835bb5553e95e30d384cd4ef15aaf40a

Download Submit
C:\Users\Admin\dwm.exe

Filesize
4.9MB

MD5
289ed55b09590f6399d722fda8236a7f

SHA1
592d7af9cd2ed6b2f7c06bec69e495e7f0b63ba2

SHA256
cc40c7688f4ad5dedb1a3ac1abba9c35bc7c3eadb777ab8f1b8b21b29ddee20a

SHA512
9ac6fbe13327bd2014e5156e543e3fdba3d6b5b38cb8504475ea8f2efda34f0d1e57fc6b42ad102ae2a50a18a82779b4cfd40e65b7dc6a45e4c97192e8c149aa

Download Submit
memory/944-321-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/944-320-0x0000000000270000-0x0000000000764000-memory.dmp

Filesize
5.0MB

Download
memory/1272-276-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1544-291-0x0000000000F80000-0x0000000001474000-memory.dmp

Filesize
5.0MB

Download
memory/1668-230-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download
memory/1792-336-0x0000000000A70000-0x0000000000F64000-memory.dmp

Filesize
5.0MB

Download
memory/2024-261-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/2528-12-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2528-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2528-1-0x00000000003F0000-0x00000000008E4000-memory.dmp

Filesize
5.0MB

Download
memory/2528-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-202-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-135-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2528-16-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/2528-3-0x000000001B210000-0x000000001B33E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-4-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/2528-15-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2528-14-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2528-13-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2528-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/2528-11-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2528-10-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2528-9-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/2528-8-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2528-7-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/2528-5-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2700-171-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2700-351-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/2700-160-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2736-246-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/2736-245-0x0000000000340000-0x0000000000834000-memory.dmp

Filesize
5.0MB

Download
memory/2928-366-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/3040-155-0x0000000000F40000-0x0000000001434000-memory.dmp

Filesize
5.0MB

Download