4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Size

1.9MB
MD5

414863aa7119c788f473f89650c25803
SHA1

45300792d3fffba9bc35e9f3ff2bd3e42dada29b
SHA256

04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989
SHA512

baabf728513a96c0ba2cc0d1f85177323d26235086de1ec1bef2c7781750d37906e9281cc6344a3024d5a5214590ac09f0efea4ab96222b71e63102511e040b0
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5632	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5308	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4508	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4508	schtasks.exe	88

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5704	powershell.exe
2624	powershell.exe
2516	powershell.exe
2548	powershell.exe
5880	powershell.exe
5944	powershell.exe
3936	powershell.exe
4992	powershell.exe
4268	powershell.exe
5348	powershell.exe
5960	powershell.exe
4180	powershell.exe
5588	powershell.exe
4080	powershell.exe
1440	powershell.exe
6024	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 9 IoCs

pid	Process
5632	SppExtComObj.exe
5028	SppExtComObj.exe
4524	SppExtComObj.exe
1880	SppExtComObj.exe
3292	SppExtComObj.exe
5412	SppExtComObj.exe
1440	SppExtComObj.exe
1988	SppExtComObj.exe
1240	SppExtComObj.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9831.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA141.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA142.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA5C8.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e1ef82546f0b02	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9832.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Common Files\OfficeClickToRun.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA5C9.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\lsass.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Common Files\e6c9b481da804f	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\7-Zip\Lang\121e5b5079f7c0	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\RCX9416.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Common Files\RCX9CB9.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Common Files\RCX9CBA.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sysmon.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\6cb0b6c459d5d3	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Common Files\OfficeClickToRun.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\7-Zip\Lang\sysmon.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\RCX9417.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Provisioning\System.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\Provisioning\System.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\Provisioning\27d1bcfc3c54e0	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\Provisioning\RCX9A37.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\Provisioning\RCX9A38.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1112	schtasks.exe
4696	schtasks.exe
3428	schtasks.exe
5052	schtasks.exe
5308	schtasks.exe
4852	schtasks.exe
552	schtasks.exe
5752	schtasks.exe
3196	schtasks.exe
2332	schtasks.exe
1492	schtasks.exe
4316	schtasks.exe
4804	schtasks.exe
5456	schtasks.exe
2572	schtasks.exe
1448	schtasks.exe
4628	schtasks.exe
5852	schtasks.exe
2104	schtasks.exe
3116	schtasks.exe
4196	schtasks.exe
3796	schtasks.exe
5500	schtasks.exe
5632	schtasks.exe
5464	schtasks.exe
5216	schtasks.exe
672	schtasks.exe
2024	schtasks.exe
4880	schtasks.exe
4716	schtasks.exe
5924	schtasks.exe
4684	schtasks.exe
4464	schtasks.exe
3968	schtasks.exe
6072	schtasks.exe
1224	schtasks.exe
2800	schtasks.exe
6008	schtasks.exe
2060	schtasks.exe
3052	schtasks.exe
1976	schtasks.exe
4640	schtasks.exe
4580	schtasks.exe
4648	schtasks.exe
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
4180	powershell.exe
4180	powershell.exe
1440	powershell.exe
1440	powershell.exe
3936	powershell.exe
3936	powershell.exe
4080	powershell.exe
4080	powershell.exe
2624	powershell.exe
2624	powershell.exe
4268	powershell.exe
4268	powershell.exe
2516	powershell.exe
2516	powershell.exe
6024	powershell.exe
6024	powershell.exe
5944	powershell.exe
5944	powershell.exe
5348	powershell.exe
5348	powershell.exe
2548	powershell.exe
2548	powershell.exe
4992	powershell.exe
4992	powershell.exe
5960	powershell.exe
5960	powershell.exe
5588	powershell.exe
5704	powershell.exe
5588	powershell.exe
5704	powershell.exe
5880	powershell.exe
5880	powershell.exe
2548	powershell.exe
5588	powershell.exe
1440	powershell.exe
4268	powershell.exe
4180	powershell.exe
4180	powershell.exe
5348	powershell.exe
3936	powershell.exe
3936	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	5348	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	5960	powershell.exe
Token: SeDebugPrivilege	5588	powershell.exe
Token: SeDebugPrivilege	5704	powershell.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	5632	SppExtComObj.exe
Token: SeDebugPrivilege	5028	SppExtComObj.exe
Token: SeDebugPrivilege	4524	SppExtComObj.exe
Token: SeDebugPrivilege	1880	SppExtComObj.exe
Token: SeDebugPrivilege	3292	SppExtComObj.exe
Token: SeDebugPrivilege	5412	SppExtComObj.exe
Token: SeDebugPrivilege	1440	SppExtComObj.exe
Token: SeDebugPrivilege	1988	SppExtComObj.exe
Token: SeDebugPrivilege	1240	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4180	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	141
PID 3260 wrote to memory of 4180	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	141
PID 3260 wrote to memory of 3936	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	142
PID 3260 wrote to memory of 3936	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	142
PID 3260 wrote to memory of 5704	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	143
PID 3260 wrote to memory of 5704	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	143
PID 3260 wrote to memory of 2624	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	144
PID 3260 wrote to memory of 2624	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	144
PID 3260 wrote to memory of 1440	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	145
PID 3260 wrote to memory of 1440	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	145
PID 3260 wrote to memory of 2516	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	146
PID 3260 wrote to memory of 2516	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	146
PID 3260 wrote to memory of 2548	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	147
PID 3260 wrote to memory of 2548	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	147
PID 3260 wrote to memory of 4992	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	148
PID 3260 wrote to memory of 4992	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	148
PID 3260 wrote to memory of 5880	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	149
PID 3260 wrote to memory of 5880	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	149
PID 3260 wrote to memory of 6024	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	150
PID 3260 wrote to memory of 6024	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	150
PID 3260 wrote to memory of 4080	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	151
PID 3260 wrote to memory of 4080	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	151
PID 3260 wrote to memory of 5944	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	152
PID 3260 wrote to memory of 5944	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	152
PID 3260 wrote to memory of 5960	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	153
PID 3260 wrote to memory of 5960	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	153
PID 3260 wrote to memory of 5348	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	154
PID 3260 wrote to memory of 5348	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	154
PID 3260 wrote to memory of 4268	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	156
PID 3260 wrote to memory of 4268	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	156
PID 3260 wrote to memory of 5588	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	158
PID 3260 wrote to memory of 5588	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	158
PID 3260 wrote to memory of 5632	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	173
PID 3260 wrote to memory of 5632	3260	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	173
PID 5632 wrote to memory of 2644	5632	SppExtComObj.exe	175
PID 5632 wrote to memory of 2644	5632	SppExtComObj.exe	175
PID 5632 wrote to memory of 3300	5632	SppExtComObj.exe	176
PID 5632 wrote to memory of 3300	5632	SppExtComObj.exe	176
PID 2644 wrote to memory of 5028	2644	WScript.exe	178
PID 2644 wrote to memory of 5028	2644	WScript.exe	178
PID 5028 wrote to memory of 4316	5028	SppExtComObj.exe	179
PID 5028 wrote to memory of 4316	5028	SppExtComObj.exe	179
PID 5028 wrote to memory of 3440	5028	SppExtComObj.exe	180
PID 5028 wrote to memory of 3440	5028	SppExtComObj.exe	180
PID 4316 wrote to memory of 4524	4316	WScript.exe	192
PID 4316 wrote to memory of 4524	4316	WScript.exe	192
PID 4524 wrote to memory of 4684	4524	SppExtComObj.exe	193
PID 4524 wrote to memory of 4684	4524	SppExtComObj.exe	193
PID 4524 wrote to memory of 4292	4524	SppExtComObj.exe	194
PID 4524 wrote to memory of 4292	4524	SppExtComObj.exe	194
PID 4684 wrote to memory of 1880	4684	WScript.exe	195
PID 4684 wrote to memory of 1880	4684	WScript.exe	195
PID 1880 wrote to memory of 3296	1880	SppExtComObj.exe	196
PID 1880 wrote to memory of 3296	1880	SppExtComObj.exe	196
PID 1880 wrote to memory of 3820	1880	SppExtComObj.exe	197
PID 1880 wrote to memory of 3820	1880	SppExtComObj.exe	197
PID 3296 wrote to memory of 3292	3296	WScript.exe	198
PID 3296 wrote to memory of 3292	3296	WScript.exe	198
PID 3292 wrote to memory of 6112	3292	SppExtComObj.exe	199
PID 3292 wrote to memory of 6112	3292	SppExtComObj.exe	199
PID 3292 wrote to memory of 1928	3292	SppExtComObj.exe	201
PID 3292 wrote to memory of 1928	3292	SppExtComObj.exe	201
PID 6112 wrote to memory of 5412	6112	WScript.exe	202
PID 6112 wrote to memory of 5412	6112	WScript.exe	202

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
"C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5588
- C:\d25f591a00514bc9ba8441\SppExtComObj.exe
  "C:\d25f591a00514bc9ba8441\SppExtComObj.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\938edeff-ece8-4616-8440-0d392bc57817.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\d25f591a00514bc9ba8441\SppExtComObj.exe
      C:\d25f591a00514bc9ba8441\SppExtComObj.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c1d16f-2508-4a3f-b7b3-24e0275a0cfb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c0b484-f299-4535-a94b-17639ca7a15e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4b7262c-5e01-42ef-b317-a0fc1e4d0a34.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29bcfe54-f08c-4cf2-aa03-4cd744ceff01.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:6112
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62999d2c-f878-4def-8806-67c442cf2310.vbs"
        13⤵
        
        PID:2552
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a788b133-3f7f-478b-9254-71c674cb9785.vbs"
        15⤵
        
        PID:4516
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a811fc83-3edf-4667-8ad1-c9d02f21b542.vbs"
        17⤵
        
        PID:5072
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        
        C:\d25f591a00514bc9ba8441\SppExtComObj.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4592f22a-97a8-413e-85ad-5bf8abd68c0e.vbs"
        17⤵
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bdb74e4-073c-45a2-ac2f-a18728a5bf90.vbs"
        15⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5747e3e6-b893-473d-b6a0-1d053e98b7cc.vbs"
        13⤵
        
        PID:3768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd8cf72-ce1f-4024-9f6f-bb4cd29bff64.vbs"
        11⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b554cb-0b78-477a-a6d8-97850d9b0d99.vbs"
        9⤵
        
        PID:3820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aec44f8-7481-4631-809a-8b52ea2f74ce.vbs"
        7⤵
        
        PID:4292
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324ec7ea-b531-4e0a-857c-f508af2acec4.vbs"
        5⤵
        
        PID:3440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82efa076-1ec7-47f5-b086-a280979df55b.vbs"
    3⤵
    PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Provisioning\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b9890" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b9890" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe

Filesize
1.9MB

MD5
ad18a146ef0d9398858341f9c4d984a7

SHA1
1ceb33c0d71919e4a543b72d97b7a39dad383d12

SHA256
d08a4b1daa83048789b4c8b57a9dfe2a62b6745df49102ae905fd6b400869e0a

SHA512
8f0e794f4401739b4d0a027d9a2d5b9263f3812adafec71cd784d91835184d68cdb92e3eec77bd0483fe09dafa161af629581971972e2680d13198971e7f3c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d782315212428708ea5985e26e20282c

SHA1
c0147bd4e6b193955a49a2c40ce2630c148ada44

SHA256
4dd7d4e71affa1852c8cc9131bf8cae3771c40876ef6bff6264ba9f7aa9eca5a

SHA512
2d523a52c54524ead9303b12c650572c1e15cc99261c9a9f780bf49b2a63e65efc1be1d79da3cf20d00c7a3e4ea5e301f4a708aabb035fc314f8d78e02c5e318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a1e48b8d7963bbbb73f442cd864dca3

SHA1
7f71e6af810a734d5f6a0c3ba90c171442e7e334

SHA256
33f70a94f53d11ebf2ea52debe0eb6afd7b30a095b31e784b0d4a0fb42b708e9

SHA512
26599ce4722f735e1b19f8b68d82318978d577245530e23f5445330dbccb395ffff4e6c4020cdeada5b179b94b557a3e093c2dbe5606b1b6956c1f73a91f637e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd3836b9dfd35d27a1995a2fd22e3d69

SHA1
db2b529de5bc342001e1345cb080a6d4e37d4bbb

SHA256
68319d7a4938108026a325379c349b37812234bcfa2d20273c3190f7858f5e5e

SHA512
76faa047525920891f6ae4c25f86ebde4861a0fa3122bd697d8c7d6d84866495bb8344af15f53ebb60bec1a39df59b81cb245b213a0788465a20e501de9387b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
926d63e37d8d59fbcfa67e42d1649082

SHA1
82e3cabc4f7292d1b5a930dba6dc2e58f4e14e8e

SHA256
65b4fa2399127534142c8773639e72a797d1cbabb5ecef72bf99abec6b2cd87c

SHA512
f0fcb7d7dc9317a18b02076c96da745cc838798baa67eb034bfb22e40a44a47a27b6c5ca470944529735569dca48a494274794606375ca9cd9f3f5e3c52457de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
309f0051b04adbbef61aaabf270c7268

SHA1
d46326702e032281e62189901485aac6dce617d9

SHA256
07006d24b00ea173a30d6badaa92f10f79d5b82ed8bd1e2d95fe5b9da8aa839c

SHA512
4bec40bcdcd4da44e48f2c3938351f3ee197b37c3b0a949cf3bb44f3433103c6ed5c8cdf29e4c774d950c3c2f376df2a0aefba194691eac2a15f5b05ef17642a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\18c0b484-f299-4535-a94b-17639ca7a15e.vbs

Filesize
718B

MD5
98801106d51646eb88fcc83eb4964e3e

SHA1
ebbbd1c015f2948157306beb7069433755416fbf

SHA256
cf7e7be3a53d570cb62250abcd201b8edb4ddd6fb6473f5e4c77ccd1c6dea473

SHA512
f33c963d655228d7139b6b01ef38a052aee462e13eb27db159b8ad9c55145554ce39c52faca70c99fe13b115c3f060852c3caf68bd4319d5f163cacc63fd3a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\29bcfe54-f08c-4cf2-aa03-4cd744ceff01.vbs

Filesize
718B

MD5
d66dbe57ca16ab304d60a1cc41f3c4be

SHA1
abf278ab58fb36e7166d4517f86a6395df4411a2

SHA256
96444e4eb98e3e64949f94e66f916a99763843601fe4e64933d78d8b58f5d302

SHA512
07ecfada6fcd8a42d99b13cf08d792a01c941732dd114840af02cd57251425a5ae01f1d502fcfef37fc200d4da56dae16194c2a0c0a1b608ef46683d74ecf8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\62999d2c-f878-4def-8806-67c442cf2310.vbs

Filesize
718B

MD5
08390da3c3ce162545cf0caf039b7d5d

SHA1
5a55ef7fcaa8f69e4cbeaaf7943d8348e847b7d2

SHA256
30d4e8fa6f6619e4a04411e76e8b919e395962ff74d0759a44e2dde152329780

SHA512
f18944a88f5a757a8f58a06e29deb2b919e9ada90da63f28f9685227a5d335c4f9cb2e0ad58e5fa29ecdc95a8f6bcc871590b892637203d4343b5e7c9251321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\82efa076-1ec7-47f5-b086-a280979df55b.vbs

Filesize
494B

MD5
73e61f2291a29f7be49818425696ff99

SHA1
ccd6f04413862ec3185deac4293d4add37c8a5f7

SHA256
6a67a70b3defe547503182f26aa885861765af4ea1fbada98b9187b226bb4058

SHA512
a9fc9896adf087fd6df6df499be7e9d28b887a391d042a4113d0186245571a7ee5e80560d22eb856471d631463bda89e30617ac05effd365fcb15efeb7fe2c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\938edeff-ece8-4616-8440-0d392bc57817.vbs

Filesize
718B

MD5
40ddad6c096ac63975b5be3725a44f67

SHA1
2606d41357fb6c7f409ebdbec30e15eaf32e8f1e

SHA256
871d5b7c8fcc4fcadc63fb7a02e67905a630a218a1ff0b857c1edb021121a45d

SHA512
fd96bfcbb52ca83c21f7b92a784138e062fbe6684af82bb5421fc551fc35a7736f49a8b197cef125d08d3a5d493d2c8a575af7d6585aff44355215eeb11c73bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcpwzefo.hf3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4b7262c-5e01-42ef-b317-a0fc1e4d0a34.vbs

Filesize
718B

MD5
61f4734fae441416bfcbfe264be3135d

SHA1
af58180e8735d451766b099aa05a7c638005da9b

SHA256
9cce8da98cfd5d77471642913711cf79c28190b32f5f42387877f66b4f8ade9b

SHA512
c5ff2399305cb3d9ed9a693643a38d7fcf3c85c2de8cad2c5f6c6395a8d8619b1d20603c6f0420a5cfc942cc42753b701f6e073a6b517f3d96af595f665de238

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5c1d16f-2508-4a3f-b7b3-24e0275a0cfb.vbs

Filesize
718B

MD5
8640a07bfed4f0cfd7b918be26e39b58

SHA1
97cc1cb023443642cd215be59f788862765d4f21

SHA256
db7cc070b61db6fe7da8b028473e6c35e7a6d8a8b6648f30a7588fba62980dd6

SHA512
d4f23baccbf25a41c55ef8df6cd462e92f2f89b8c563ba77600ce8d46d12a86354d2f5d036d43588858c15ab55a1721c749937e031047a37bdf015c60f102460

Download Submit
C:\Users\Admin\AppData\Local\Temp\a788b133-3f7f-478b-9254-71c674cb9785.vbs

Filesize
718B

MD5
c052f486f476f602ddf6980d7190fa25

SHA1
13e839ee4f5e2ae8130b808664cb085e217e86bb

SHA256
07a71066debd5427c3ebb337bb238b9aef9ed73d8d73746e5fbfa4d68227fe13

SHA512
18feea096cc78bad331e357d39629e44a417ade35885e0078101ccf8a5dfcc604bf3b69e325d1a343e4368256889e2dd68a2452d89fc40a2824cfc48a931a098

Download Submit
C:\Users\Admin\AppData\Local\Temp\a811fc83-3edf-4667-8ad1-c9d02f21b542.vbs

Filesize
718B

MD5
01fba5a20750c87107fac5c31851f74d

SHA1
da02e525457f5f962f22970a79e088fc7a7606ca

SHA256
4032c59add3a57b274237a36a203fc0079f359adaa09d63fb6e53fe1a8f908d8

SHA512
87c79ffa5a5f0e6d3d7b2169191d460b021a1b7105e89eae0d34cc1c51577385d61dd1c41e942e13f0633a7a56d8798ce6aacc0e40434345e9723751ba452c60

Download Submit
C:\Windows\Provisioning\System.exe

Filesize
1.9MB

MD5
414863aa7119c788f473f89650c25803

SHA1
45300792d3fffba9bc35e9f3ff2bd3e42dada29b

SHA256
04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989

SHA512
baabf728513a96c0ba2cc0d1f85177323d26235086de1ec1bef2c7781750d37906e9281cc6344a3024d5a5214590ac09f0efea4ab96222b71e63102511e040b0

Download Submit
C:\d25f591a00514bc9ba8441\SppExtComObj.exe

Filesize
1.9MB

MD5
e18a1ac1177d2ae9544196f346f0a100

SHA1
62cd66fd109bc625c2a833ab05611b6cbd427537

SHA256
0bb535f8d306ae2c0bc140c8f30293a184db4c0a27f6b685e30edfb3295c1eec

SHA512
277e5fd922a69d3532385bc208f6467512fdeb1637d5361884d099ded4dd922dcb678431f828016898c71f97608558f56b25727c3e6dcc355ca0593cc1d939b7

Download Submit
memory/1440-281-0x0000020F66AD0000-0x0000020F66AF2000-memory.dmp

Filesize
136KB

Download
memory/1988-542-0x0000000002B80000-0x0000000002BD6000-memory.dmp

Filesize
344KB

Download
memory/3260-11-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/3260-2-0x00007FF9E0980000-0x00007FF9E1441000-memory.dmp

Filesize
10.8MB

Download
memory/3260-429-0x00007FF9E0980000-0x00007FF9E1441000-memory.dmp

Filesize
10.8MB

Download
memory/3260-1-0x00000000007E0000-0x00000000009CA000-memory.dmp

Filesize
1.9MB

Download
memory/3260-0-0x00007FF9E0983000-0x00007FF9E0985000-memory.dmp

Filesize
8KB

Download
memory/3260-211-0x00007FF9E0980000-0x00007FF9E1441000-memory.dmp

Filesize
10.8MB

Download
memory/3260-17-0x000000001BE00000-0x000000001BE0E000-memory.dmp

Filesize
56KB

Download
memory/3260-18-0x000000001BE10000-0x000000001BE18000-memory.dmp

Filesize
32KB

Download
memory/3260-20-0x000000001BE30000-0x000000001BE3C000-memory.dmp

Filesize
48KB

Download
memory/3260-19-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/3260-16-0x000000001BDF0000-0x000000001BDFA000-memory.dmp

Filesize
40KB

Download
memory/3260-13-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/3260-187-0x00007FF9E0983000-0x00007FF9E0985000-memory.dmp

Filesize
8KB

Download
memory/3260-14-0x000000001C680000-0x000000001CBA8000-memory.dmp

Filesize
5.2MB

Download
memory/3260-15-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/3260-10-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/3260-4-0x000000001BB90000-0x000000001BBE0000-memory.dmp

Filesize
320KB

Download
memory/3260-9-0x000000001BB40000-0x000000001BB96000-memory.dmp

Filesize
344KB

Download
memory/3260-5-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/3260-3-0x0000000002A30000-0x0000000002A4C000-memory.dmp

Filesize
112KB

Download
memory/3260-7-0x000000001B600000-0x000000001B616000-memory.dmp

Filesize
88KB

Download
memory/3260-8-0x000000001B620000-0x000000001B62A000-memory.dmp

Filesize
40KB

Download
memory/3260-6-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/4524-486-0x0000000003400000-0x0000000003412000-memory.dmp

Filesize
72KB

Download
memory/5632-431-0x000000001B760000-0x000000001B772000-memory.dmp

Filesize
72KB

Download
memory/5632-430-0x000000001B6F0000-0x000000001B746000-memory.dmp

Filesize
344KB

Download
memory/5632-428-0x00000000008A0000-0x0000000000A8A000-memory.dmp

Filesize
1.9MB

Download