35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Size

1.9MB
MD5

733112fa2d9d15aaff3659ea9e2d3b4c
SHA1

85a535c82f3f869fd52b0199b2ef4cbddb979c68
SHA256

d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c
SHA512

74b123f9717bc2a49ff9a814e441a54c4b2d9969ec30cbb692927bd10e93884237b6f8cbf87480bab76ec7835ee5661baa9d06e56887ac3ab530b366efe04c25
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2916	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1000	powershell.exe
2892	powershell.exe
1816	powershell.exe
1248	powershell.exe
2560	powershell.exe
2200	powershell.exe
2092	powershell.exe
2272	powershell.exe
1440	powershell.exe
1752	powershell.exe
2640	powershell.exe
2496	powershell.exe
800	powershell.exe
292	powershell.exe
2528	powershell.exe
1568	powershell.exe
2348	powershell.exe
2724	powershell.exe
3004	powershell.exe
2528	powershell.exe
1132	powershell.exe
2524	powershell.exe
1072	powershell.exe
288	powershell.exe
2560	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe

Executes dropped EXE 10 IoCs

pid	Process
1128	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2472	csrss.exe
2040	csrss.exe
1724	csrss.exe
1324	csrss.exe
1540	csrss.exe
1904	csrss.exe
1424	csrss.exe
2920	csrss.exe
2428	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCX9179.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\24dbde2999530e	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files\Internet Explorer\it-IT\Idle.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files\Internet Explorer\it-IT\6ccacd8608530f	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXA9ED.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB0D6.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\69ddcba757bf72	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCX9169.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXB82B.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXB82C.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files\7-Zip\Lang\WMIADAP.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\56085415360792	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXA9EC.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB0D5.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\Idle.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\WMIADAP.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXA77A.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXA7E8.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Program Files\7-Zip\Lang\75a57c1bdf437c	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\debug\csrss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\es-ES\audiodg.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\es-ES\audiodg.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\security\database\dllhost.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\Media\Landscape\csrss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\security\database\dllhost.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\debug\csrss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\debug\886983d96e3d3e	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\5940a34987c991	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\Media\Landscape\RCX9419.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\security\database\RCXA297.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXA576.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\es-ES\42af1c969fbb7b	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\security\database\5940a34987c991	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\security\database\RCXA296.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\CSC\v2.0.6\WmiPrvSE.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\Media\Landscape\csrss.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\Media\Landscape\886983d96e3d3e	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\Media\Landscape\RCX942A.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXA508.tmp	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
1756	schtasks.exe
2184	schtasks.exe
2684	schtasks.exe
476	schtasks.exe
2240	schtasks.exe
2252	schtasks.exe
1396	schtasks.exe
448	schtasks.exe
1580	schtasks.exe
2812	schtasks.exe
1324	schtasks.exe
1576	schtasks.exe
1804	schtasks.exe
2952	schtasks.exe
1568	schtasks.exe
1280	schtasks.exe
2392	schtasks.exe
1592	schtasks.exe
2656	schtasks.exe
800	schtasks.exe
3052	schtasks.exe
2652	schtasks.exe
600	schtasks.exe
1784	schtasks.exe
3012	schtasks.exe
864	schtasks.exe
972	schtasks.exe
2348	schtasks.exe
2256	schtasks.exe
1724	schtasks.exe
2920	schtasks.exe
1896	schtasks.exe
2936	schtasks.exe
2480	schtasks.exe
2292	schtasks.exe
664	schtasks.exe
1440	schtasks.exe
1132	schtasks.exe
2996	schtasks.exe
2216	schtasks.exe
2280	schtasks.exe
2704	schtasks.exe
2128	schtasks.exe
3044	schtasks.exe
2028	schtasks.exe
1940	schtasks.exe
1420	schtasks.exe
1268	schtasks.exe
1524	schtasks.exe
2640	schtasks.exe
752	schtasks.exe
1880	schtasks.exe
832	schtasks.exe
564	schtasks.exe
2324	schtasks.exe
3004	schtasks.exe
2636	schtasks.exe
1584	schtasks.exe
1904	schtasks.exe
2796	schtasks.exe
1616	schtasks.exe
1684	schtasks.exe
292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2272	powershell.exe
1248	powershell.exe
1568	powershell.exe
3004	powershell.exe
1752	powershell.exe
1072	powershell.exe
2724	powershell.exe
1440	powershell.exe
2348	powershell.exe
2560	powershell.exe
2496	powershell.exe
2524	powershell.exe
2640	powershell.exe
2892	powershell.exe
1132	powershell.exe
2092	powershell.exe
1816	powershell.exe
1000	powershell.exe
2528	powershell.exe
292	powershell.exe
1128	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
1128	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
1128	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
2560	powershell.exe
2528	powershell.exe
2200	powershell.exe
288	powershell.exe
800	powershell.exe
2472	csrss.exe
2040	csrss.exe
1724	csrss.exe
1324	csrss.exe
1540	csrss.exe
1904	csrss.exe
1424	csrss.exe
2920	csrss.exe
2428	csrss.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	1128	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2472	csrss.exe
Token: SeDebugPrivilege	2040	csrss.exe
Token: SeDebugPrivilege	1724	csrss.exe
Token: SeDebugPrivilege	1324	csrss.exe
Token: SeDebugPrivilege	1540	csrss.exe
Token: SeDebugPrivilege	1904	csrss.exe
Token: SeDebugPrivilege	1424	csrss.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	2428	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2560	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	88
PID 2980 wrote to memory of 2560	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	88
PID 2980 wrote to memory of 2560	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	88
PID 2980 wrote to memory of 1072	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	89
PID 2980 wrote to memory of 1072	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	89
PID 2980 wrote to memory of 1072	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	89
PID 2980 wrote to memory of 3004	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	90
PID 2980 wrote to memory of 3004	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	90
PID 2980 wrote to memory of 3004	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	90
PID 2980 wrote to memory of 1248	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	91
PID 2980 wrote to memory of 1248	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	91
PID 2980 wrote to memory of 1248	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	91
PID 2980 wrote to memory of 2524	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	93
PID 2980 wrote to memory of 2524	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	93
PID 2980 wrote to memory of 2524	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	93
PID 2980 wrote to memory of 2496	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	94
PID 2980 wrote to memory of 2496	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	94
PID 2980 wrote to memory of 2496	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	94
PID 2980 wrote to memory of 2640	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	96
PID 2980 wrote to memory of 2640	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	96
PID 2980 wrote to memory of 2640	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	96
PID 2980 wrote to memory of 2724	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	98
PID 2980 wrote to memory of 2724	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	98
PID 2980 wrote to memory of 2724	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	98
PID 2980 wrote to memory of 2348	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	99
PID 2980 wrote to memory of 2348	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	99
PID 2980 wrote to memory of 2348	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	99
PID 2980 wrote to memory of 1752	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	100
PID 2980 wrote to memory of 1752	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	100
PID 2980 wrote to memory of 1752	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	100
PID 2980 wrote to memory of 1568	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	101
PID 2980 wrote to memory of 1568	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	101
PID 2980 wrote to memory of 1568	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	101
PID 2980 wrote to memory of 1440	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	102
PID 2980 wrote to memory of 1440	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	102
PID 2980 wrote to memory of 1440	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	102
PID 2980 wrote to memory of 2272	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	103
PID 2980 wrote to memory of 2272	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	103
PID 2980 wrote to memory of 2272	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	103
PID 2980 wrote to memory of 2528	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	148
PID 2980 wrote to memory of 2528	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	148
PID 2980 wrote to memory of 2528	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	148
PID 2980 wrote to memory of 1132	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	115
PID 2980 wrote to memory of 1132	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	115
PID 2980 wrote to memory of 1132	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	115
PID 2980 wrote to memory of 1816	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	116
PID 2980 wrote to memory of 1816	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	116
PID 2980 wrote to memory of 1816	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	116
PID 2980 wrote to memory of 2892	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	119
PID 2980 wrote to memory of 2892	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	119
PID 2980 wrote to memory of 2892	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	119
PID 2980 wrote to memory of 1000	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	120
PID 2980 wrote to memory of 1000	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	120
PID 2980 wrote to memory of 1000	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	120
PID 2980 wrote to memory of 2092	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	121
PID 2980 wrote to memory of 2092	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	121
PID 2980 wrote to memory of 2092	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	121
PID 2980 wrote to memory of 292	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	122
PID 2980 wrote to memory of 292	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	122
PID 2980 wrote to memory of 292	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	122
PID 2980 wrote to memory of 676	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	128
PID 2980 wrote to memory of 676	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	128
PID 2980 wrote to memory of 676	2980	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe	128
PID 676 wrote to memory of 2880	676	cmd.exe	130

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
"C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Landscape\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\database\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ON83D8AI2o.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe
    "C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\audiodg.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WMIADAP.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kcDIWAC5CG.bat"
      4⤵
      PID:1768
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:628
    - - C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40a96002-7816-4ce0-aa5b-554cfa6863d5.vbs"
        6⤵
        
        PID:832
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7f8f53-fbe1-4a41-88d3-4f5b58596736.vbs"
        8⤵
        
        PID:820
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0066e6ac-94a3-4335-9b70-d96febe2b135.vbs"
        10⤵
        
        PID:2876
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af6ea12-5b79-4fd4-ae82-d6ab76a30542.vbs"
        12⤵
        
        PID:2348
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\538a6d29-9d95-4715-bdc3-d8795327e085.vbs"
        14⤵
        
        PID:1644
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15574002-b3fa-4527-a7b4-318842995b2b.vbs"
        16⤵
        
        PID:1764
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae59412e-c65b-4e53-99f3-127593c38b96.vbs"
        18⤵
        
        PID:2304
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97b49ca4-f3a9-4365-898c-501a15ae90e5.vbs"
        20⤵
        
        PID:2808
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d54a34a-c308-4064-b4ff-bc3e85528551.vbs"
        22⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9763b0fa-9119-4ce3-8e77-653132dba898.vbs"
        22⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66226a9e-038a-43ed-9bfa-b48afa50c8b9.vbs"
        20⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b26a42-b0e9-4cc4-927c-960bebc9e396.vbs"
        18⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc813a59-b27a-4ac3-87dd-9d40339da376.vbs"
        16⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33e92ee8-55dc-468a-8dff-bed9b6eb26b8.vbs"
        14⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9c9a96d-d499-4c57-b7c3-c450d2b1b3bb.vbs"
        12⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8fb6ada-132a-4d4a-98f4-e2b3e81c7dc7.vbs"
        10⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d1d95b-2120-40a3-b29e-86ea492736b4.vbs"
        8⤵
        
        PID:2688
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d9fd32-f838-45cb-8e1a-64b82fc61fbc.vbs"
        6⤵
        
        PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\security\database\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\security\database\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe

Filesize
1.9MB

MD5
6668c07917004492f098e8811870713a

SHA1
5a4d6b3c2a78a3534831d37ab01815053b20b97b

SHA256
add4aae65ebe681fb7b4eafb027cb85adc1b58094eb2e9296747155ae3f9c5d1

SHA512
44de44e419e51cb1cbef4386bddeb38b15603ea04da222486d07969d307f662d14d2de944b00d8f1bdd39a9092fdd1cdab928cab61b19217f55acc8c8a4e0a30

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXB0D5.tmp

Filesize
1.9MB

MD5
194ebb7b3a413e35731f7609d7e0be34

SHA1
d16473eaea367d1e2e6aa77158451e38b174e133

SHA256
ce3218a6a006aa3d029a0b0afd6c98b0a0c2fa4ecbac6274e901012400ff118d

SHA512
7e86fdd08bd7007f92fc5413bf76da57d6e0aefdc290d4cb64fc408f7bf0c1b811383b55bb676187b0243e96ed5c53d55932914cd11d3938681f285fda7224a6

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\winlogon.exe

Filesize
1.9MB

MD5
e96b05dbc300114adee314fce999baea

SHA1
082cf258ba78426a5da715d2a8452521a257d194

SHA256
cdb34bfb7856aa984dc157a41fa03e8e155c6576fdfc95caefb1335f3287bf83

SHA512
82875a3333182e6e2a3c7bc3d0ab33f6280f04938c9bf616712bce76e31b5ff726dfcfe03c3ba63e781526241077172b9e3f7ab45e7b119bb120c2105625fc0e

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe

Filesize
1.9MB

MD5
5127b05554ab9d4256681fe07de06b4b

SHA1
e99743e3a11fca240018970989454f66e4dfd721

SHA256
25ea1b4ba367e7822f7c70f7619b6263da5ac4c4e8827ee49dca414fcfb7346b

SHA512
10ece21d9be2ed4644f3f18d5861c95ae8b43a1a378ff0d9b5d66022276bc8ab313945dd66f29ce182273261db6a5cb20dd6ff438365f4b78f78f02a1f94a474

Download Submit
C:\Users\Admin\AppData\Local\Temp\0066e6ac-94a3-4335-9b70-d96febe2b135.vbs

Filesize
707B

MD5
59c5596997ef5393de11d911ca3cd7c9

SHA1
4483f3c5c02dea4f9ed56328fa014dfa27837067

SHA256
9fff487c327050c1c3a53fdfe09a487fc39127fb6cb6721298094b1dbe5bfcca

SHA512
09c767c0e5506087fd937bfd1095020c0521cb8e63fdf58398c4cad0358892bc854ae909c533f54c42584cc55a0cd58521aa2d0cf93f23b3fcd5e9c0faec38f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\15574002-b3fa-4527-a7b4-318842995b2b.vbs

Filesize
707B

MD5
f04a94204881092c9f9d4a23efab509f

SHA1
62c9801432c68ff413cf47ab61a11fc42cd2808e

SHA256
e1a4c40b7a0aa9bb5b34fe4599c3daff952477f2f23feb635251a58ed7e39439

SHA512
9d3d90dcb5934b4161169af1f383ae10063805645742c20316d52f107d734e385fe32d2f37dc2485bc4bc016489f0d1e42b212927d0bde25a0cc01ebcf2ca686

Download Submit
C:\Users\Admin\AppData\Local\Temp\40a96002-7816-4ce0-aa5b-554cfa6863d5.vbs

Filesize
707B

MD5
f3ea3bccf177e5627fc32e9074f0b54d

SHA1
8b73c235da28b7b5a9cdf8fef2fb1db0876e8245

SHA256
7375160d14a740552fb83fd2e98b605fa77de6fa46f4ad0e60e2f254e14a04bb

SHA512
9fc364618d03b09d8731a40ca041f0c7bed7a5ab13e4a41e1deef51f99a4b1aff74f4b8367a52a8b4a7a0e97e560f07207f188730200eceade8f92c6e9b15a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\538a6d29-9d95-4715-bdc3-d8795327e085.vbs

Filesize
707B

MD5
600e6fe5442c8ecf1d73fbe41dc96d82

SHA1
e60af83e51861d7e5e82b4fcd4e31e279d2452c4

SHA256
d247ce90fcf1b3dae35fa876561ec4d7645cfaf619672f0c310ec62a94710291

SHA512
773f6ac1af28b6eda3f08063b98a39a3a68abc2459aedbecf8fa3c6e837300688ad586dfa9c71626a43d5b3d8580c233b2eeb4e7de5a1a528644d523a64891fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d54a34a-c308-4064-b4ff-bc3e85528551.vbs

Filesize
707B

MD5
da4dca359853a755193d7cdab05e170b

SHA1
202364ba9303dd9f3dad14bbf2a70a159faece35

SHA256
03da154b0b0dcd6e487c40b44561222e03ab859f6b9e51d3af2e6392fd7eb36d

SHA512
c01075826f1a9b86b16f3782994fe6d922b2c208ab5630f3e7466a69bab5ca3c43cb2c52777007cc25ecf7aab316eca3ca0276ee7dd577d2f6a4da4106b02b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d9fd32-f838-45cb-8e1a-64b82fc61fbc.vbs

Filesize
483B

MD5
5ca53fa312dac4ae50aafe0b71741b66

SHA1
ec028e10145512583a6bcb6c5283d9497cebae1c

SHA256
429444276cf4526661f0d3fda4df7955ee520bfedde90fdf13b0f7f10266368a

SHA512
6b698ba1d9848deff5327b9a1ba00d562dc9d4f6c1e5c95715318aa550bb1a00e7177085d08693efb5ae8281b4d5c8dc3c6b4cd37b00f0aac0bba9e7589dd3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\978f684442467354e28821397045b9780ba3154c.exe

Filesize
1.9MB

MD5
f7647003803116ac56c7c33c124c6cea

SHA1
68a9a0d7b0d490c61a74e4bc332883c813dbae86

SHA256
81b82a0841c529550186471816c71ef8e2f5dd90bb9d7afb20c133908cf93cf4

SHA512
8e58b4010980da16ae312abd4f288c679f3bf033ff77a44185aac46df29bf0ee1755fd23fbe02f4864ea2d8dcffe8fc0c69a7c7009ef9b1f885634dad652ef93

Download Submit
C:\Users\Admin\AppData\Local\Temp\97b49ca4-f3a9-4365-898c-501a15ae90e5.vbs

Filesize
707B

MD5
95a61e6314399f695607c09b6f83f4ec

SHA1
f86ae6b0883bb2908faa6211fccef3f109fadd24

SHA256
b36a34348f1f223bb32a575f85d9992f44cdac45b5f8e20acfba33c43e8bd0cd

SHA512
71931a2908c652c79d46b434d9c7f699852cc8357ac7a6c2d9e5fb6937b9d08555252851e95ff2321f8e7352d23719b5ca05b44b8132633d5c73f4839b0761e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9af6ea12-5b79-4fd4-ae82-d6ab76a30542.vbs

Filesize
707B

MD5
e53002d1706924b76dc6ab8d159d5106

SHA1
225e5d5477e9946c9d93bfe1bc2dc39f08ae5ac2

SHA256
11d252aaeffc8d469ae5cf9a9b403d975330cc44c9aaef28348079022b073bce

SHA512
2bf7bfd8379639ed94c9827b35b27bdc1070b4d1c6f535a5a781829593cec03337c5c857cf7156ef3cf077e6529f52b8ea6d6872fe9de0557655162eca67b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ON83D8AI2o.bat

Filesize
267B

MD5
1290e9363468d7991227236dc723e3b0

SHA1
d98c403f65d62cb6818ae862cc7eda5ec679b85e

SHA256
a9e8152c6caaaa0662427e7e8e3fed7d5051ceed720d00f89804cea3f732b649

SHA512
ce3790af260465e2f4a400628a64542293fb391f18fc5b915ff9bab6fe5346f00d3729afab61cc41fac85ea747f50a8fbcd58525e03813ece0feec52a7652ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae59412e-c65b-4e53-99f3-127593c38b96.vbs

Filesize
707B

MD5
4e5a53373b3ee33d8eeba27776d7f4be

SHA1
ff56e97c03e9b22bbba27f80ff7c62e87a93d43a

SHA256
b0f31837ce260b52de1026ba13940a8495a8aaa23f2a44503ccbff5210c2819c

SHA512
e662815d99296d15839f45a6ac9aacabb54ecd3c36f991cc7ccd0315ecc63311d533d45b9c01ca29878b517cc53e35e37061149196ff85ed9018e7bf556dcabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe7f8f53-fbe1-4a41-88d3-4f5b58596736.vbs

Filesize
707B

MD5
5238252fd2ad8627a2a83359f7d27154

SHA1
da1bfc940e27357055bd63cf1dab5b0972172a52

SHA256
59250a11cd6c1c45e8632fd027e71a63cd26e5e20e4375e2319e8614ad0ffe13

SHA512
2a48fdd84afe2f13133e98bc94f31d94a25c265d531a0a0d5c609db23c082837512de639e5e72b2f1cb3b9296cc8ffc30c5b62b123571581d6975555f63c8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcDIWAC5CG.bat

Filesize
196B

MD5
209e6b6756ece42b808255126c24f94d

SHA1
faa8317a2b79123f947ebd2d37ada863f6ff39a5

SHA256
63525284fe222149053a8201ab65c3dfe21c97c4d53db5a6372a746c3c8cc892

SHA512
01ab971a24c54347c9749008c0b1acce8262660f6002450c147b2c55df02d782e4647a759970bbea9e4b05687f9e42929f637306cc311071cfabe4724c604179

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
476B

MD5
a1cae586628565b565eeb4a334cb615d

SHA1
de5497e642f3c88ab1eb509529c6456085ae62f3

SHA256
02beab41d76283577f070cc65576e8545bcf8d394fd1a9708b4fd41a1b07d082

SHA512
f52b9996070af67ed038f9c6cbcfd78603e96131c3daeef257ddb2dfe740bd9a352d9fa7b5a94326d09c3e538ec331433aab1211687f8ff8c0dddb70451f8eef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92de1262bd0b449daedbbb0fa68219f5

SHA1
7d097c4a14fb1f5348521cbe5c7036dd699137c3

SHA256
ed11d512b54c59f10871961443c7364ce2668908f9317780a79915f1debb6914

SHA512
31fff520172e1bbb674b58e2361629fb36e203e2638a6c3d9bd2f2d8113aa17e2ebbc4171d6ffad8171c4eed59f8dc20d1eed70ce5f21c4f099ef399c9fa1742

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.9MB

MD5
7e96474e5a3a3849a4cc0a2f4087d33f

SHA1
eb9717691ba3560b420e0ee3ac06fbf7f20f6bc2

SHA256
bc88cec20a8475ace4788a748734e518948850b62d1199df13f7d0e76197ffe3

SHA512
4ddfabb844f4a48da15f81e24ef32844896bb1a19484b7f5069d49f306863776b711116fdb29661fd2f22321916e60440c156b5de0faa7a1338312e8530f181d

Download Submit
C:\Users\Public\services.exe

Filesize
1.9MB

MD5
733112fa2d9d15aaff3659ea9e2d3b4c

SHA1
85a535c82f3f869fd52b0199b2ef4cbddb979c68

SHA256
d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c

SHA512
74b123f9717bc2a49ff9a814e441a54c4b2d9969ec30cbb692927bd10e93884237b6f8cbf87480bab76ec7835ee5661baa9d06e56887ac3ab530b366efe04c25

Download Submit
C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe

Filesize
1.9MB

MD5
246a1b61da1663ce8d498aae1c29ca51

SHA1
d530cd9e59a491f941680942acebb7aed98d8d48

SHA256
215a1aa05c3523da95bccd8ca9d8b344a471871a488f7040bec043a4fe032d16

SHA512
3326ff99f845c8bb1b44710a43f242f61c30e5615b3e731425cf7e9b2bfdbf86f403c0f60314083431cd2231ad90e89ca2b91c0cb09b46e3ff0ade52c3347876

Download Submit
memory/1128-382-0x00000000004E0000-0x0000000000536000-memory.dmp

Filesize
344KB

Download
memory/1128-383-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1248-294-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1324-470-0x0000000000110000-0x00000000002FA000-memory.dmp

Filesize
1.9MB

Download
memory/1424-507-0x0000000000B10000-0x0000000000CFA000-memory.dmp

Filesize
1.9MB

Download
memory/1424-508-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1540-482-0x00000000003C0000-0x00000000005AA000-memory.dmp

Filesize
1.9MB

Download
memory/1540-483-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1904-495-0x0000000000930000-0x0000000000B1A000-memory.dmp

Filesize
1.9MB

Download
memory/2272-297-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2428-533-0x0000000000790000-0x00000000007E6000-memory.dmp

Filesize
344KB

Download
memory/2428-532-0x0000000000870000-0x0000000000A5A000-memory.dmp

Filesize
1.9MB

Download
memory/2472-437-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2472-436-0x0000000000F40000-0x000000000112A000-memory.dmp

Filesize
1.9MB

Download
memory/2560-417-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2560-415-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-520-0x0000000000140000-0x000000000032A000-memory.dmp

Filesize
1.9MB

Download
memory/2980-10-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2980-6-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/2980-14-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2980-15-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

Filesize
56KB

Download
memory/2980-16-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2980-17-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2980-18-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/2980-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2980-13-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

Filesize
48KB

Download
memory/2980-12-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/2980-8-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download
memory/2980-9-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2980-7-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2980-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2980-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2980-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2980-197-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-220-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-327-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-1-0x0000000001190000-0x000000000137A000-memory.dmp

Filesize
1.9MB

Download