5e807de88a43edb7b341ed17b4e218f35c3204bf5dc969c131792b0a23e9ddc1

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Size

1.9MB
MD5

8b90b02faca36074af1577d7195ee6a6
SHA1

58a84f82276f92154be4271244a6bc0d1837c33f
SHA256

e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c
SHA512

2a38045191bfb8b2bdce869181ea1d4bd8745dbd87e6ea062ecbe4e9b04ab5aac96a8428790fde989b26c41137b830c7b76efddd4361c60cee2c9203d31ad8f1
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2924	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
564	powershell.exe
1684	powershell.exe
2796	powershell.exe
2676	powershell.exe
1308	powershell.exe
2792	powershell.exe
1736	powershell.exe
2780	powershell.exe
536	powershell.exe
776	powershell.exe
2136	powershell.exe
2548	powershell.exe
1524	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Executes dropped EXE 10 IoCs

pid	Process
580	Idle.exe
560	Idle.exe
2152	Idle.exe
2244	Idle.exe
1916	Idle.exe
2396	Idle.exe
1652	Idle.exe
1896	Idle.exe
2980	Idle.exe
236	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\f3b6ecef712a24	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX85E4.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX934A.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\VideoLAN\taskhost.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX9752.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files\VideoLAN\taskhost.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\VideoLAN\RCX954E.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\RCX9CB3.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\RCX9CB4.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\886983d96e3d3e	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX8652.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\VideoLAN\RCX954D.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX97C0.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files\VideoLAN\b75386f1303e64	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\6ccacd8608530f	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX92DB.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DigitalLocker\RCX8C60.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\AppPatch\de-DE\c5b4cb5e9653cc	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\Fonts\1610b97d3ab4a7	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\AppPatch\de-DE\RCX8A5B.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\fr-FR\RCX90D8.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\fr-FR\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\AppPatch\de-DE\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\DigitalLocker\RCX8C61.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\Fonts\RCX9A31.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\AppPatch\de-DE\RCX8A5C.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\AppPatch\de-DE\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\diagnostics\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\DigitalLocker\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\DigitalLocker\c5b4cb5e9653cc	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\Fonts\OSPPSVC.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\DigitalLocker\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\fr-FR\RCX90D7.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\fr-FR\services.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File created	C:\Windows\fr-FR\c5b4cb5e9653cc	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\Fonts\RCX9AA0.tmp	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
File opened for modification	C:\Windows\Fonts\OSPPSVC.exe	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe
1620	schtasks.exe
2680	schtasks.exe
792	schtasks.exe
1736	schtasks.exe
2268	schtasks.exe
972	schtasks.exe
720	schtasks.exe
2428	schtasks.exe
2516	schtasks.exe
3020	schtasks.exe
1124	schtasks.exe
1096	schtasks.exe
1452	schtasks.exe
2052	schtasks.exe
2668	schtasks.exe
2156	schtasks.exe
3024	schtasks.exe
600	schtasks.exe
2076	schtasks.exe
2040	schtasks.exe
2888	schtasks.exe
2872	schtasks.exe
692	schtasks.exe
2088	schtasks.exe
1744	schtasks.exe
2640	schtasks.exe
596	schtasks.exe
2140	schtasks.exe
1884	schtasks.exe
1964	schtasks.exe
2920	schtasks.exe
1692	schtasks.exe
1504	schtasks.exe
1952	schtasks.exe
976	schtasks.exe
1604	schtasks.exe
2284	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
2676	powershell.exe
2796	powershell.exe
2548	powershell.exe
2136	powershell.exe
776	powershell.exe
1308	powershell.exe
2780	powershell.exe
564	powershell.exe
1684	powershell.exe
1524	powershell.exe
2792	powershell.exe
1736	powershell.exe
2180	powershell.exe
536	powershell.exe
580	Idle.exe
560	Idle.exe
2152	Idle.exe
2244	Idle.exe
1916	Idle.exe
2396	Idle.exe
1652	Idle.exe
1896	Idle.exe
2980	Idle.exe
236	Idle.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	580	Idle.exe
Token: SeDebugPrivilege	560	Idle.exe
Token: SeDebugPrivilege	2152	Idle.exe
Token: SeDebugPrivilege	2244	Idle.exe
Token: SeDebugPrivilege	1916	Idle.exe
Token: SeDebugPrivilege	2396	Idle.exe
Token: SeDebugPrivilege	1652	Idle.exe
Token: SeDebugPrivilege	1896	Idle.exe
Token: SeDebugPrivilege	2980	Idle.exe
Token: SeDebugPrivilege	236	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2676	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	70
PID 2828 wrote to memory of 2676	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	70
PID 2828 wrote to memory of 2676	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	70
PID 2828 wrote to memory of 2796	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	71
PID 2828 wrote to memory of 2796	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	71
PID 2828 wrote to memory of 2796	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	71
PID 2828 wrote to memory of 2136	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	72
PID 2828 wrote to memory of 2136	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	72
PID 2828 wrote to memory of 2136	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	72
PID 2828 wrote to memory of 1684	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	74
PID 2828 wrote to memory of 1684	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	74
PID 2828 wrote to memory of 1684	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	74
PID 2828 wrote to memory of 1308	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	75
PID 2828 wrote to memory of 1308	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	75
PID 2828 wrote to memory of 1308	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	75
PID 2828 wrote to memory of 776	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	76
PID 2828 wrote to memory of 776	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	76
PID 2828 wrote to memory of 776	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	76
PID 2828 wrote to memory of 536	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	78
PID 2828 wrote to memory of 536	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	78
PID 2828 wrote to memory of 536	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	78
PID 2828 wrote to memory of 2780	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	79
PID 2828 wrote to memory of 2780	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	79
PID 2828 wrote to memory of 2780	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	79
PID 2828 wrote to memory of 564	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	80
PID 2828 wrote to memory of 564	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	80
PID 2828 wrote to memory of 564	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	80
PID 2828 wrote to memory of 1736	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	81
PID 2828 wrote to memory of 1736	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	81
PID 2828 wrote to memory of 1736	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	81
PID 2828 wrote to memory of 2180	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	82
PID 2828 wrote to memory of 2180	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	82
PID 2828 wrote to memory of 2180	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	82
PID 2828 wrote to memory of 1524	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	83
PID 2828 wrote to memory of 1524	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	83
PID 2828 wrote to memory of 1524	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	83
PID 2828 wrote to memory of 2792	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	85
PID 2828 wrote to memory of 2792	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	85
PID 2828 wrote to memory of 2792	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	85
PID 2828 wrote to memory of 2548	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	86
PID 2828 wrote to memory of 2548	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	86
PID 2828 wrote to memory of 2548	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	86
PID 2828 wrote to memory of 2292	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	98
PID 2828 wrote to memory of 2292	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	98
PID 2828 wrote to memory of 2292	2828	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe	98
PID 2292 wrote to memory of 1916	2292	cmd.exe	100
PID 2292 wrote to memory of 1916	2292	cmd.exe	100
PID 2292 wrote to memory of 1916	2292	cmd.exe	100
PID 2292 wrote to memory of 580	2292	cmd.exe	101
PID 2292 wrote to memory of 580	2292	cmd.exe	101
PID 2292 wrote to memory of 580	2292	cmd.exe	101
PID 580 wrote to memory of 1956	580	Idle.exe	102
PID 580 wrote to memory of 1956	580	Idle.exe	102
PID 580 wrote to memory of 1956	580	Idle.exe	102
PID 580 wrote to memory of 444	580	Idle.exe	103
PID 580 wrote to memory of 444	580	Idle.exe	103
PID 580 wrote to memory of 444	580	Idle.exe	103
PID 1956 wrote to memory of 560	1956	WScript.exe	105
PID 1956 wrote to memory of 560	1956	WScript.exe	105
PID 1956 wrote to memory of 560	1956	WScript.exe	105
PID 560 wrote to memory of 1636	560	Idle.exe	106
PID 560 wrote to memory of 1636	560	Idle.exe	106
PID 560 wrote to memory of 1636	560	Idle.exe	106
PID 560 wrote to memory of 1108	560	Idle.exe	107

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe
"C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CpU31K911A.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1916
- - C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
    "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:580
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3542e53b-3d96-4d15-9f5b-00005de1ed4d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090727ca-074b-4ae8-b96d-bae5314180cf.vbs"
        6⤵
        
        PID:1636
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a346e373-1308-4d28-ac65-73a7f5c889a5.vbs"
        8⤵
        
        PID:1948
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fd69339-c484-4419-a01d-d45d7ce9efd0.vbs"
        10⤵
        
        PID:2304
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3599132f-7e55-406d-82a7-08625a439bca.vbs"
        12⤵
        
        PID:2860
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01c10540-b163-4803-83ea-f041a3a17a30.vbs"
        14⤵
        
        PID:2344
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9093c286-83d2-4ad1-ad4e-f5fd0c872c1d.vbs"
        16⤵
        
        PID:1636
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b40a1f1-5d73-411f-850a-d4b864a496a8.vbs"
        18⤵
        
        PID:2168
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df29dde7-af98-4c2a-87b9-fba3e25bf458.vbs"
        20⤵
        
        PID:1176
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b26517-346c-4156-b9c6-7b788122c88a.vbs"
        22⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86bf0d74-0d4b-48be-998f-eee5d0e591ff.vbs"
        22⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42616eda-9d29-4ea6-9e26-dbb56597412e.vbs"
        20⤵
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3bf90ef-ad7d-4593-be20-614db6e3d9cd.vbs"
        18⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98588d81-bc4b-4632-863f-96a0462e3252.vbs"
        16⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a75b901-7fd4-492e-adfd-c2193a64e8fe.vbs"
        14⤵
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2b51715-a139-4b4d-88bc-6a76efbe7d0d.vbs"
        12⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be862de2-e420-469d-a226-aa5268aa5afa.vbs"
        10⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95a02ea5-1717-4f4e-957a-b15cedaf5f1d.vbs"
        8⤵
        
        PID:2652
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d543b4af-ddd5-4147-ae8d-3fd5b751b1c6.vbs"
        6⤵
        
        PID:1108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eee536a-71df-4e53-b940-e9265de14d4f.vbs"
      4⤵
      PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Hearts\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\audiodg.exe

Filesize
1.9MB

MD5
8b90b02faca36074af1577d7195ee6a6

SHA1
58a84f82276f92154be4271244a6bc0d1837c33f

SHA256
e2071b429ed0a109ba6ae98cc6bd94651c73805963058322d9ab5fc3ad8c385c

SHA512
2a38045191bfb8b2bdce869181ea1d4bd8745dbd87e6ea062ecbe4e9b04ab5aac96a8428790fde989b26c41137b830c7b76efddd4361c60cee2c9203d31ad8f1

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\csrss.exe

Filesize
1.9MB

MD5
25e38f6c8f6f7b67a2c7b815e0f0bb23

SHA1
69a131e75f35ffb4d08d902105dc2c85d5d73d04

SHA256
b4c77bf3d81720be4e062ec3dbdb26864c61b61d9ec08badda3d7e0c1331cc7d

SHA512
077c29d2449be9fce5a6d18ad0359bc3b37287b002a71d7191b0a47c1070697cdc32edd7678b025cdd98a74c1dedd9f082fd8d0cf450418c228e8c764d2adeca

Download Submit
C:\Program Files (x86)\Windows Sidebar\ja-JP\spoolsv.exe

Filesize
1.9MB

MD5
ebfc11c3949cc107cafbcadb3a9651a5

SHA1
13f4912f9fa5b1142b8e7c8430db7bbb97fe9ba4

SHA256
5189fabbebc003ca2cb8abd12143212243ac2d56c4e1f259f41b2d6f59183dd4

SHA512
bfb7e026a189afca5d4bbf009bb9094e8f2f3d69951932bd01b686f9d37c10c01d811765bc20fcde5abbe3ab8325e7a4da7ed5989d266ab8580cf36249e672bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\01c10540-b163-4803-83ea-f041a3a17a30.vbs

Filesize
730B

MD5
44f8cb3ae5884ec62b2b0db296b5fc3f

SHA1
e06093bce0aff0e05963ca84cb467f5c16c50e94

SHA256
35bb0b765a314f9b728cbb10f1b42502c7365bb61d0d23bb2c9ba3463b08534e

SHA512
4d736859185b42943f9e8ec94dd723f219bbc561f51978b6e3102d8ec0f02747f353495fe8c1c204ae3e4872ea0c4b06930f483abb95f5d8d7fd9f5a8b4a11a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\090727ca-074b-4ae8-b96d-bae5314180cf.vbs

Filesize
729B

MD5
7d56dc0cf194a3b9a616f1657e5cc08a

SHA1
fbdd8c6bcf4a9c248cef0697a8b11714f5c9a0e3

SHA256
5b2a1275d18f323f8328e07d0800a6ab4f211db41cf221ae6bbb78f7dc988f4b

SHA512
31d61ccafec23bdc0fc6a7c4a90c7f1c9f003a7fe93812f99f55296fe987b6ccba66dffc0418d738d11574ca04a62746b82685170f0cb31c5386708e4389cc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fd69339-c484-4419-a01d-d45d7ce9efd0.vbs

Filesize
730B

MD5
1d9b9d6be2c7ca12a0bd8ed8082f06a2

SHA1
a217288f311363b2f92d6697fd4b373ce28bfe4b

SHA256
f5a65c5996fcdaaedef4ba371d976923c6323754f83fcb0d11755a52f44b792f

SHA512
e33c383ff459998ad2a2df2a657eaa8e89de2319ea788df1034c17fe90f5462df8e0c1cf28112581148e79f9ca3a1d3f00a7cf637a98466d6435d3495447749c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3542e53b-3d96-4d15-9f5b-00005de1ed4d.vbs

Filesize
729B

MD5
2b114e1e0b32f8cedc5b054956809d6a

SHA1
574be4c24eaa91657770b867ade8f07eee3a3c03

SHA256
1266f1c44e38a59b9a6781ffd3f66a6efad5de1195be4e8c903a426ad06cd9c4

SHA512
220bed56a50f6c440993a95de10c04de6aed22db9dc548bdd56044f4cccdea9881e244d3005149f0a12e26ef7db89d089e1ae54a4f52b8d29239433358723a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\3599132f-7e55-406d-82a7-08625a439bca.vbs

Filesize
730B

MD5
11442ada7a5fdae5c8ca781842effdef

SHA1
e21a9eead04d42fee77b0edd613380dd18c687d9

SHA256
48e3c795e8fe414a537946fcb0bfd0b5ff6473ab75d04494c34488f1fa26e6b3

SHA512
9bb81ef5729db6b14503ae2f91d96c65eab5252be3f9f69c8289d706b2254d2a190b81e774bb8847e681bbdad608d6eeb47be56912a0042a1cce248f158c7f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\77b26517-346c-4156-b9c6-7b788122c88a.vbs

Filesize
729B

MD5
e5327593ea5ebed059c7ae4e7848daf7

SHA1
7311cfb3731783331814e9d6cb45c7a3f5a9667c

SHA256
3534e5d8808dfc79f3edec6b48e49e530489096e811d6460a1dbe6222bb4dd93

SHA512
e42433443343f5cc5ab3140e4e337d957dab83bafc990321bef1eff1b1879dee434ed72e245fb9251d5406eb78450a44a4746187e409e5f69cb0f4f7da77496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b40a1f1-5d73-411f-850a-d4b864a496a8.vbs

Filesize
730B

MD5
f9ce95301436419a7f2e016b51be9071

SHA1
1f9c149bcf2161e34ae0edc7ca8685de25e2a16b

SHA256
07be1bf8b99ae1b42d5ce17eb9d319677e0b8423973a85dcfcd31874d2305b8b

SHA512
b8a20d01da8e449834150ab85bb2d5b6d0178a5d65382333b0fe6df7f1f82b5109d2476ce9156216eb50d44856319650268e4a0a3c8931ce52853e7d68e19bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eee536a-71df-4e53-b940-e9265de14d4f.vbs

Filesize
506B

MD5
81bd4f0c59d4ebe572b70e35a800e44c

SHA1
cc471b291f267658324db4987d544364e4414edd

SHA256
e5eec2c813a99098459f2a9c3dc218a3306a4337e9e3989e3651ad66237f5fde

SHA512
fc51c0c7e56b9d37e24a943ec68544fc969779873d9e3c876254bbf57ab70375b7b1f3cbfa894f8a3ae53268d1f8d7c38df9bc34873fe3bfac1d82a583cda27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9093c286-83d2-4ad1-ad4e-f5fd0c872c1d.vbs

Filesize
730B

MD5
0b00b0fced3b39ff8f3d88e309d590eb

SHA1
352342af85ab8c2af57d38caac88a3d8583e7e14

SHA256
41e865ab6a16e457d52fcf378b6c6ee415154364e386730d1b9a58ffccb68b80

SHA512
15bbe86aaedf9b3d6a42ef4102b78e95c863ebcb4dfca3ed13a1f5419bf48895acfcf1db19cc8c1e05a03cef28ca2bca9a64b382ca125b6167419b8908d6278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpU31K911A.bat

Filesize
219B

MD5
9d55ff042eac1e9575d803d4b03d46eb

SHA1
f939757c9cde3ab7c673e525cff15b968321f673

SHA256
898b239ca3da2e4a080dcb8e74427e4fcba296d89f411f09b66a96f12df50415

SHA512
68aa03c93dcf09f70d37f0351b5cfba9e34a873055bda0d4a928eb361c05a5290214495094d2a5153c697e9a3cc976b145968efbd99d7c4cb4615e6d97cabe6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a346e373-1308-4d28-ac65-73a7f5c889a5.vbs

Filesize
730B

MD5
f39d679a1d0a411bb4d1ea8e6e209c3a

SHA1
b776cacb6608e32ccd89d77a8db740b290ba63e4

SHA256
a9a754ba1cffc85fa3a1d139a14730660d38e2f4af930aa154f5974f394a8e4f

SHA512
d160fa42373013eb3b0742d1ed97b978f314a4ac4dc57f0ae3975950401e911259dca8ed9259fc747ad359cf3d5fa0773960024496a9c1d492b25fb181c1b6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\df29dde7-af98-4c2a-87b9-fba3e25bf458.vbs

Filesize
730B

MD5
f0bd1ccc8a1b298d9d4223d50bb6fe88

SHA1
6ce2ab09f01da906e09e65ea4c13856e3c098166

SHA256
dd1f0aca3080a07a4fa02cfecaedbe1a0370fdd36aab1e72d96db0aaf780bdc0

SHA512
d7b057562200978817987d7740335118a76d9dd4b961eff23e384831b1e0318739fe5f5b3250d350c37a4c0a9528aa133129bbf62c2cc8ad5f81def0e68b5200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0054733ff54ed8e6740d3437e8264734

SHA1
fff62430163bad0b961b4ef681be56511275b4a9

SHA256
2f7f2aa588ad99203b1d76f90c967cb40e43496c49fa9baedbd305dbb11ad38d

SHA512
da8d4eff6ab63508c3476ce064ae28a921b92f3ba2fd43b69954c46ad1c9e333a7d8a4a5e7a27aafa17d124e6c161023ecebd3f4f568bc65ad98035c671e66b4

Download Submit
C:\Windows\Fonts\OSPPSVC.exe

Filesize
1.9MB

MD5
beb014d53a60dc75e63ecbff14b62347

SHA1
feb64af46e01baa7895a0dcebe844d0526b167b1

SHA256
cf0bf71e1edeb22e487416e9a509983069ef9597b6d41e819feafc6b4face0ee

SHA512
ce69063ff2dec19b8c03d0e0754626919c1319b588715b7828f7d1b07aca427b83e7966dc5f711a5863967d73233f066dff3daeb1d499c73cff50b7780132542

Download Submit
memory/560-293-0x0000000000120000-0x000000000030A000-memory.dmp

Filesize
1.9MB

Download
memory/580-281-0x0000000000AD0000-0x0000000000CBA000-memory.dmp

Filesize
1.9MB

Download
memory/580-282-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1652-356-0x0000000001290000-0x000000000147A000-memory.dmp

Filesize
1.9MB

Download
memory/1652-357-0x0000000001240000-0x0000000001296000-memory.dmp

Filesize
344KB

Download
memory/1652-358-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/1916-331-0x00000000002A0000-0x000000000048A000-memory.dmp

Filesize
1.9MB

Download
memory/2152-306-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2152-305-0x0000000000BB0000-0x0000000000D9A000-memory.dmp

Filesize
1.9MB

Download
memory/2244-318-0x0000000000350000-0x000000000053A000-memory.dmp

Filesize
1.9MB

Download
memory/2244-319-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2396-343-0x0000000000DF0000-0x0000000000FDA000-memory.dmp

Filesize
1.9MB

Download
memory/2396-344-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2676-222-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2796-220-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2828-232-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-200-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

Filesize
4KB

Download
memory/2828-18-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2828-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2828-16-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2828-15-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/2828-14-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2828-13-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2828-12-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2828-10-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2828-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2828-8-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/2828-7-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2828-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2828-5-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2828-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2828-3-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2828-2-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-1-0x0000000001110000-0x00000000012FA000-memory.dmp

Filesize
1.9MB

Download