e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db547399adb1223b51dd04ca54bc0dcd.exe
Size

1.9MB
MD5

db547399adb1223b51dd04ca54bc0dcd
SHA1

5c5010b0c7d160d19aa37a981f28884c6fb753c5
SHA256

101ccc6b92cebfc2110fc59fe95374d2b7255103cd662a796513cc18f0c6022a
SHA512

6f000a5731877d84c56df1b3268f48b6346b5c5710e8044d7b0ecffc03b89f4a40a17049a9f929f9631bf6fbcec8cb35eadd521168d739085771fa8630e5f910
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5520	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	5940	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	5940	schtasks.exe	87

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4236	powershell.exe
692	powershell.exe
640	powershell.exe
2020	powershell.exe
2672	powershell.exe
5672	powershell.exe
1760	powershell.exe
3256	powershell.exe
2380	powershell.exe
2980	powershell.exe
4500	powershell.exe
5604	powershell.exe
2240	powershell.exe
1096	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	db547399adb1223b51dd04ca54bc0dcd.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	db547399adb1223b51dd04ca54bc0dcd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	spoolsv.exe
5252	spoolsv.exe
548	spoolsv.exe
4460	spoolsv.exe
3936	spoolsv.exe
1080	spoolsv.exe
5484	spoolsv.exe
4996	spoolsv.exe
6048	spoolsv.exe
4912	spoolsv.exe
5548	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db547399adb1223b51dd04ca54bc0dcd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCX596E.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX6C89.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX6CF8.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files\edge_BITS_4488_1439938410\29c1c3cc0f7685	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files\edge_BITS_4488_1439938410\RCX571B.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files (x86)\Microsoft\6203df4a6bafc7	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\cc11b995f2a76d	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files\edge_BITS_4488_1439938410\RCX574B.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCX598F.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\lsass.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Program Files (x86)\Microsoft\lsass.exe	db547399adb1223b51dd04ca54bc0dcd.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\9e8d7a4ca61bd9	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\de-DE\RCX6369.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\de-DE\RCX63D8.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\de-DE\RuntimeBroker.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File created	C:\Windows\Prefetch\ReadyBoot\eddb19405b7ce1	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\de-DE\RuntimeBroker.exe	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX6A84.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX6A85.tmp	db547399adb1223b51dd04ca54bc0dcd.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe	db547399adb1223b51dd04ca54bc0dcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	db547399adb1223b51dd04ca54bc0dcd.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4564	schtasks.exe
4776	schtasks.exe
4688	schtasks.exe
4796	schtasks.exe
4920	schtasks.exe
4972	schtasks.exe
4600	schtasks.exe
5008	schtasks.exe
1388	schtasks.exe
968	schtasks.exe
4008	schtasks.exe
4816	schtasks.exe
2960	schtasks.exe
5048	schtasks.exe
5520	schtasks.exe
3304	schtasks.exe
5052	schtasks.exe
1756	schtasks.exe
3740	schtasks.exe
3696	schtasks.exe
4464	schtasks.exe
4516	schtasks.exe
5024	schtasks.exe
3576	schtasks.exe
1680	schtasks.exe
3940	schtasks.exe
5096	schtasks.exe
2544	schtasks.exe
5800	schtasks.exe
4892	schtasks.exe
4948	schtasks.exe
2408	schtasks.exe
4832	schtasks.exe
4872	schtasks.exe
4296	schtasks.exe
1516	schtasks.exe
4896	schtasks.exe
2700	schtasks.exe
4196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2616	db547399adb1223b51dd04ca54bc0dcd.exe
2020	powershell.exe
2020	powershell.exe
692	powershell.exe
692	powershell.exe
5672	powershell.exe
4236	powershell.exe
5672	powershell.exe
4236	powershell.exe
4500	powershell.exe
4500	powershell.exe
640	powershell.exe
640	powershell.exe
1760	powershell.exe
1760	powershell.exe
2380	powershell.exe
2380	powershell.exe
5604	powershell.exe
5604	powershell.exe
1096	powershell.exe
1096	powershell.exe
3256	powershell.exe
3256	powershell.exe
2980	powershell.exe
2980	powershell.exe
2240	powershell.exe
2240	powershell.exe
2672	powershell.exe
2672	powershell.exe
2240	powershell.exe
3256	powershell.exe
5672	powershell.exe
4500	powershell.exe
2020	powershell.exe
2020	powershell.exe
2380	powershell.exe
5604	powershell.exe
2980	powershell.exe
4236	powershell.exe
1760	powershell.exe
1096	powershell.exe
692	powershell.exe
640	powershell.exe
2672	powershell.exe
2972	spoolsv.exe
2972	spoolsv.exe
5252	spoolsv.exe
548	spoolsv.exe
548	spoolsv.exe
4460	spoolsv.exe
3936	spoolsv.exe
1080	spoolsv.exe
5484	spoolsv.exe
4996	spoolsv.exe
6048	spoolsv.exe
4912	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	db547399adb1223b51dd04ca54bc0dcd.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	5604	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2972	spoolsv.exe
Token: SeDebugPrivilege	5252	spoolsv.exe
Token: SeDebugPrivilege	548	spoolsv.exe
Token: SeDebugPrivilege	4460	spoolsv.exe
Token: SeDebugPrivilege	3936	spoolsv.exe
Token: SeDebugPrivilege	1080	spoolsv.exe
Token: SeDebugPrivilege	5484	spoolsv.exe
Token: SeDebugPrivilege	4996	spoolsv.exe
Token: SeDebugPrivilege	6048	spoolsv.exe
Token: SeDebugPrivilege	4912	spoolsv.exe
Token: SeDebugPrivilege	5548	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4236	2616	db547399adb1223b51dd04ca54bc0dcd.exe	132
PID 2616 wrote to memory of 4236	2616	db547399adb1223b51dd04ca54bc0dcd.exe	132
PID 2616 wrote to memory of 3256	2616	db547399adb1223b51dd04ca54bc0dcd.exe	133
PID 2616 wrote to memory of 3256	2616	db547399adb1223b51dd04ca54bc0dcd.exe	133
PID 2616 wrote to memory of 1760	2616	db547399adb1223b51dd04ca54bc0dcd.exe	134
PID 2616 wrote to memory of 1760	2616	db547399adb1223b51dd04ca54bc0dcd.exe	134
PID 2616 wrote to memory of 5672	2616	db547399adb1223b51dd04ca54bc0dcd.exe	136
PID 2616 wrote to memory of 5672	2616	db547399adb1223b51dd04ca54bc0dcd.exe	136
PID 2616 wrote to memory of 2672	2616	db547399adb1223b51dd04ca54bc0dcd.exe	137
PID 2616 wrote to memory of 2672	2616	db547399adb1223b51dd04ca54bc0dcd.exe	137
PID 2616 wrote to memory of 1096	2616	db547399adb1223b51dd04ca54bc0dcd.exe	138
PID 2616 wrote to memory of 1096	2616	db547399adb1223b51dd04ca54bc0dcd.exe	138
PID 2616 wrote to memory of 2240	2616	db547399adb1223b51dd04ca54bc0dcd.exe	139
PID 2616 wrote to memory of 2240	2616	db547399adb1223b51dd04ca54bc0dcd.exe	139
PID 2616 wrote to memory of 5604	2616	db547399adb1223b51dd04ca54bc0dcd.exe	142
PID 2616 wrote to memory of 5604	2616	db547399adb1223b51dd04ca54bc0dcd.exe	142
PID 2616 wrote to memory of 4500	2616	db547399adb1223b51dd04ca54bc0dcd.exe	143
PID 2616 wrote to memory of 4500	2616	db547399adb1223b51dd04ca54bc0dcd.exe	143
PID 2616 wrote to memory of 2980	2616	db547399adb1223b51dd04ca54bc0dcd.exe	144
PID 2616 wrote to memory of 2980	2616	db547399adb1223b51dd04ca54bc0dcd.exe	144
PID 2616 wrote to memory of 2020	2616	db547399adb1223b51dd04ca54bc0dcd.exe	145
PID 2616 wrote to memory of 2020	2616	db547399adb1223b51dd04ca54bc0dcd.exe	145
PID 2616 wrote to memory of 2380	2616	db547399adb1223b51dd04ca54bc0dcd.exe	146
PID 2616 wrote to memory of 2380	2616	db547399adb1223b51dd04ca54bc0dcd.exe	146
PID 2616 wrote to memory of 640	2616	db547399adb1223b51dd04ca54bc0dcd.exe	147
PID 2616 wrote to memory of 640	2616	db547399adb1223b51dd04ca54bc0dcd.exe	147
PID 2616 wrote to memory of 692	2616	db547399adb1223b51dd04ca54bc0dcd.exe	148
PID 2616 wrote to memory of 692	2616	db547399adb1223b51dd04ca54bc0dcd.exe	148
PID 2616 wrote to memory of 2972	2616	db547399adb1223b51dd04ca54bc0dcd.exe	160
PID 2616 wrote to memory of 2972	2616	db547399adb1223b51dd04ca54bc0dcd.exe	160
PID 2972 wrote to memory of 5692	2972	spoolsv.exe	162
PID 2972 wrote to memory of 5692	2972	spoolsv.exe	162
PID 2972 wrote to memory of 2604	2972	spoolsv.exe	163
PID 2972 wrote to memory of 2604	2972	spoolsv.exe	163
PID 5692 wrote to memory of 5252	5692	WScript.exe	164
PID 5692 wrote to memory of 5252	5692	WScript.exe	164
PID 5252 wrote to memory of 1868	5252	spoolsv.exe	165
PID 5252 wrote to memory of 1868	5252	spoolsv.exe	165
PID 5252 wrote to memory of 5240	5252	spoolsv.exe	166
PID 5252 wrote to memory of 5240	5252	spoolsv.exe	166
PID 1868 wrote to memory of 548	1868	WScript.exe	176
PID 1868 wrote to memory of 548	1868	WScript.exe	176
PID 548 wrote to memory of 5696	548	spoolsv.exe	177
PID 548 wrote to memory of 5696	548	spoolsv.exe	177
PID 548 wrote to memory of 5820	548	spoolsv.exe	178
PID 548 wrote to memory of 5820	548	spoolsv.exe	178
PID 5696 wrote to memory of 4460	5696	WScript.exe	179
PID 5696 wrote to memory of 4460	5696	WScript.exe	179
PID 4460 wrote to memory of 644	4460	spoolsv.exe	180
PID 4460 wrote to memory of 644	4460	spoolsv.exe	180
PID 4460 wrote to memory of 3756	4460	spoolsv.exe	181
PID 4460 wrote to memory of 3756	4460	spoolsv.exe	181
PID 644 wrote to memory of 3936	644	WScript.exe	182
PID 644 wrote to memory of 3936	644	WScript.exe	182
PID 3936 wrote to memory of 1016	3936	spoolsv.exe	183
PID 3936 wrote to memory of 1016	3936	spoolsv.exe	183
PID 3936 wrote to memory of 2924	3936	spoolsv.exe	184
PID 3936 wrote to memory of 2924	3936	spoolsv.exe	184
PID 1016 wrote to memory of 1080	1016	WScript.exe	185
PID 1016 wrote to memory of 1080	1016	WScript.exe	185
PID 1080 wrote to memory of 3792	1080	spoolsv.exe	186
PID 1080 wrote to memory of 3792	1080	spoolsv.exe	186
PID 1080 wrote to memory of 2112	1080	spoolsv.exe	187
PID 1080 wrote to memory of 2112	1080	spoolsv.exe	187

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	db547399adb1223b51dd04ca54bc0dcd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe
"C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\db547399adb1223b51dd04ca54bc0dcd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\db547399adb1223b51dd04ca54bc0dcd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Recovery\WindowsRE\spoolsv.exe
  "C:\Recovery\WindowsRE\spoolsv.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ede9885c-45f6-42a4-a4cf-9486f089f1c2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5692
  - - C:\Recovery\WindowsRE\spoolsv.exe
      C:\Recovery\WindowsRE\spoolsv.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5252
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fa30ef-0119-4c98-b64d-f934b296f455.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91556756-96cf-4a28-b998-26845e4e6570.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5696
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b115f944-4c97-48ec-91dd-01f4432e3605.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af26b5e6-1ae4-45fa-94ed-c461fc560349.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\737832c0-9b00-47c3-8e8f-6fe2690bfd35.vbs"
        13⤵
        
        PID:3792
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac6739d0-561f-4eb3-8da5-c450da17ec39.vbs"
        15⤵
        
        PID:5796
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb62f2f9-acf5-4bb7-956a-e4c67e33a6b2.vbs"
        17⤵
        
        PID:1516
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea3b5cce-84a5-45ef-903f-880a3e6bfd3a.vbs"
        19⤵
        
        PID:4416
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2a41189-90c7-4f51-8260-160c07ba6326.vbs"
        21⤵
        
        PID:3232
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4080ac58-8a55-4ca4-886e-7f61faa4f651.vbs"
        23⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b48693a-096f-41db-afaf-9c4da9844f11.vbs"
        23⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ef914c4-042f-4a9a-a099-45692d833a63.vbs"
        21⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71773c51-d0b6-4544-b4f9-1c78421c758a.vbs"
        19⤵
        
        PID:6120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\788417f9-1308-42fe-94ac-349db142d4f0.vbs"
        17⤵
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d91b129d-8bb2-4a2b-a957-f96fc4f1b164.vbs"
        15⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bfaa012-8202-4eab-8aac-7b0b12a6d005.vbs"
        13⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af0aa0c6-aead-4adb-a0ae-19bf0638a215.vbs"
        11⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86fb12af-c2ae-4e04-a955-95a014435c9b.vbs"
        9⤵
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f3e087-77fd-4ab6-9db4-83d76124c775.vbs"
        7⤵
        
        PID:5820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b0dbb5f-3ff7-49e8-8845-de974098e142.vbs"
        5⤵
        
        PID:5240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb4c4951-b4bd-49e3-a661-16d11c58a98b.vbs"
    3⤵
    PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4488_1439938410\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Pictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcdd" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\db547399adb1223b51dd04ca54bc0dcd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcd" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\db547399adb1223b51dd04ca54bc0dcd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "db547399adb1223b51dd04ca54bc0dcdd" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\db547399adb1223b51dd04ca54bc0dcd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\dllhost.exe

Filesize
1.9MB

MD5
846d4ebf8bcacc4d706ba5892168237f

SHA1
141f33de69ede46c0a013d09d4c6965a094b6b87

SHA256
2bc0278f5dc431ff4a1d339d22734305db4ae3b03ddb7b138164a2644bba38d1

SHA512
700502bc93c666c3e2aaf76e6fd5f6902c21d27984588eb294bc6f45cb62273ce3843af2835eeb781d3a97b30b419b74cc603c307b1f58197ee1e6e9f70119ec

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe

Filesize
1.9MB

MD5
243860ebf399c767d9f7ff6e64d64387

SHA1
d6e07b3cb56eb5bb6a89b91d38005c94547c47fb

SHA256
16eff43cc27d99d5f0165c4c1a6cc1d07c5e0f0c54d7b34608673143b875426c

SHA512
1263012c57605e78e2994972826b8dbb3a9e780ee8406c285a61656ca50a4311926ad28732aada565e7069a183088ed390c10fd20e5f5a56aba55b4382880fab

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.9MB

MD5
db547399adb1223b51dd04ca54bc0dcd

SHA1
5c5010b0c7d160d19aa37a981f28884c6fb753c5

SHA256
101ccc6b92cebfc2110fc59fe95374d2b7255103cd662a796513cc18f0c6022a

SHA512
6f000a5731877d84c56df1b3268f48b6346b5c5710e8044d7b0ecffc03b89f4a40a17049a9f929f9631bf6fbcec8cb35eadd521168d739085771fa8630e5f910

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.9MB

MD5
0429aba6f88a3068b8a3341c4eeb6212

SHA1
2569b184c0b6931e19dbf3cfd190fa359521cf93

SHA256
69653a317889cec7f2183525628131435d32b166594fb34daba708f4efa5c16a

SHA512
8732dd3622a586d235f0ba1f98df7f1e517588abdc9043f1c4ef80049595f6adc3b54f9a0c01fd16317d9e8cb3c5b9b887fb4f0f590032ed91efe86cfb747a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1c41ab70e6e5907330c398d5789b851

SHA1
39dbfc40fb75793d222369e59ae5d784f5c3b7a3

SHA256
90c7c4c7f4671b52194b8e5d5e43715003581b96ee6418ced8c3bab9329a1fad

SHA512
a5e07a6316a8142a0680d9ae73890daabb18de56540ed1025f1a7a463b7992854b7b31c537d8e1a32deaf8864dfacc88fb2203c22891643f9e1ddc713968c3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\20fa30ef-0119-4c98-b64d-f934b296f455.vbs

Filesize
709B

MD5
85b77573806c2264358ce3172cfc60b1

SHA1
9be1ccdce816ccaf34aa05bcf273b082c3c2ee7d

SHA256
d49b92dd95c67d98bfd5333ec2857ca2a6590a1cd943a9715081cf86e8205bba

SHA512
3780afc076e82022d1848803e006b2808ab62b91254b696ba172e07c4fb086eb080ccbdf23a7d9891d208dca9246966edf4c3a7d2f57e06633d5dc369e23884a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4080ac58-8a55-4ca4-886e-7f61faa4f651.vbs

Filesize
709B

MD5
6b67de7ab526dbda3c928ff8955989b0

SHA1
297c8201edb1ac0d9a1dd07afd8422590eae25db

SHA256
df547fb770ea037a235838f3a9e56b4d30ae183c4522dcfec59295de0bf5e7b5

SHA512
4568935e6925f3f6af66a508f15aad43748bd11691c698554ea8430d4fa3ab0215122785d02d01ca849f2f114e3243a3411fc4442d1f82278fcc8f8e6105dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\737832c0-9b00-47c3-8e8f-6fe2690bfd35.vbs

Filesize
709B

MD5
c3cd8a4f3aa836981f8b6b9585d7af31

SHA1
76cb8c8ff4b7e82e7ca490950e9bf852b2e24ad3

SHA256
3c124b767afb6e406958cf76bcf3cd15cc50187a70a94ed068b944240d312774

SHA512
22b8f9efcf8f396f1b8f8334c0274ce13214d7070f857b8c56c938ba421f979bc31c2fd4697c79915801ca4d22151989e78b2e5bba04389cc2d7a230b9cbb7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\91556756-96cf-4a28-b998-26845e4e6570.vbs

Filesize
708B

MD5
2c3b98ca8340dd3e1cd610b4e14c7d01

SHA1
469ab5217737586db0458b5e0d518b1b6b8e4398

SHA256
543ab72ec1c575f90e8ed1b3700536d0e3a184e0cb1af6d9d71c9889125062d4

SHA512
8aa2a4339e4ad632378348c4bc023057878ee3c8e3f6a44c357b3d18405226bcf08580372cfcd140232073ff180cd2d0deca23a0dae59f0a4e9bb4133be8b5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4r5wyk2j.l4x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac6739d0-561f-4eb3-8da5-c450da17ec39.vbs

Filesize
709B

MD5
e94547fcce4f58c39cbee019fbb5b132

SHA1
2ffb16c1342dbbc39dda3772647703506cb6294f

SHA256
a00ef32516312f570d60ebd900e37c10756cbedd06f756f66316bd686c664b07

SHA512
f0dd6ad6711860d652df5a2eba0728d0ee802a9c9f1fd8649a805791f9d4cd6d9ef2f0cd35040f4592250e699cf454f494bc1056bc0627e375aaf1f040bf8941

Download Submit
C:\Users\Admin\AppData\Local\Temp\af26b5e6-1ae4-45fa-94ed-c461fc560349.vbs

Filesize
709B

MD5
26f02b931734d02cd3d332ec480067c9

SHA1
8b0cf2762fda3f27097d5d9b9a63412f0026ad40

SHA256
fbadca4d807884916fa40da022c5b7e22c4d2aa23fd9249e2b945b4e2363bd9a

SHA512
fa79296beadfcc171fb9782bb0a7ff6464bbea27e9b5cfdf2cab1de16ddd10d87364970ecc099270d93d96e099d503debba2278d43c15d5a3c5bf2731eb5a938

Download Submit
C:\Users\Admin\AppData\Local\Temp\b115f944-4c97-48ec-91dd-01f4432e3605.vbs

Filesize
709B

MD5
ac8e527170d4a28912024d2413f4bc6e

SHA1
f3db84a76db5eb75d5e98fb7a966b25cb750994c

SHA256
2d344fbf47be6f5caf0351382316782d6205a510a50b9a1dcb276fdd8ab7dde0

SHA512
a84c7cb7b1c1078505680ccca94f7fa88726ceed6bfefeb4c1883aff987491ddbbac1bae38103239f6688dd58f508477a39cb68348fd903491ac5937478438c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2a41189-90c7-4f51-8260-160c07ba6326.vbs

Filesize
709B

MD5
b832267515fb549a44bd763ed98370c3

SHA1
d4205d4c5bb8d3d5eb79e7dc1b001c2a63328b53

SHA256
286535598c84238b9f834ac9854d63e2f5a250cc7322e5bbdaf9cf22320bfc8a

SHA512
707dd3a68a4c7242ae73db3e027d3ca453c4c8215dbf739ea66062525deacef925d53fb4e3f2dee0acd401fdca506bf039f3aec0c5b5940f7193cbf75acb5400

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb4c4951-b4bd-49e3-a661-16d11c58a98b.vbs

Filesize
485B

MD5
a4f0027e3b9fd5e4fb964ee5b83f12ad

SHA1
f75f62d24104ee17bd759687d3aac989f43034fb

SHA256
36510bcac4d7f4761f83b369a4bd42f123825536dc7f88ebf8688f48b9cb09c8

SHA512
8a7e5ca42e1d086491f595129edc10da496e8c736b25442ff8464013864b866a8756a8a571a9f552e33f3a29e488c814399fd173fbb9df80ee0a92465af222c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea3b5cce-84a5-45ef-903f-880a3e6bfd3a.vbs

Filesize
709B

MD5
f628209652266af4bacab8dfe6c022a4

SHA1
71068d8480cb2f69fd19ae5b3ba88b4176e5d5e6

SHA256
fa46421e46f0d9c739b08d589a34eb1cc1cd324cf6ce3cd9a987879b70781596

SHA512
066ffdd29def94864e485cd7a5dc136aa104626e70425928f8d32e6aa9b447b57ca860d271604c485e5240a32816dcea527195aa595679783cd03873fcca5e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ede9885c-45f6-42a4-a4cf-9486f089f1c2.vbs

Filesize
709B

MD5
3967ccb114ebae199c32dad0deebeef1

SHA1
380590b35b341d83430c32243a5ad0f26ab40701

SHA256
d61430e1705a78b29e33e0f3a29a639a3437e6254274d2b0ac30838ccdbfd960

SHA512
2d49716256c0af5b80f3b676e166396915a445de99db53c22f80002cf7885ddfe4a466d5cadfe26d41e9928a44ec3fb57620464a1771ac29127fbcc4d505e06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb62f2f9-acf5-4bb7-956a-e4c67e33a6b2.vbs

Filesize
709B

MD5
66ca9689608f01148c0fb4e76971c5db

SHA1
9c72ade01292b28ec1402e3a9a7c9066d06158c6

SHA256
1a570cb1bccc177808a9509197c32cf7645b2765167be5312404e0a719263582

SHA512
2d0d8336913f4d09d3d347e4b89fb0168cfbe719ace6b6663f937f4c6a5355c2df6b8ee285cbebc0fa0b476741942bc44d78ca8118f592b0a305179dddd9e7cc

Download Submit
C:\Users\Public\Documents\dllhost.exe

Filesize
1.9MB

MD5
64d667e6a2efcf69950607808131db3c

SHA1
a74bc34cb182648f819e446c3bbba30a9ec63a16

SHA256
2a48cdd152e0157aa858bc97df6dfccddbd7caae72711ba8a74119dd4dd19f3d

SHA512
83e57eace1817eac8023615d66ac9ae31869a0329cd476719e5766232175718baaac9a933dd6bb77ea6b1be59085f3380408336471fc10946d51e5ff53ba89f9

Download Submit
C:\Windows\de-DE\RuntimeBroker.exe

Filesize
1.9MB

MD5
a2700f714d92fb998acd0d44e2770cab

SHA1
7f8f8a642023005db1295703da81c021b0e3e111

SHA256
1d18a2ddf13bc0f736940b5844571967060459461c3c6eb11614f08d6d926128

SHA512
a4ab1bbf4cfc5ca63e11b01a41d20daa9a427e13fb1243641794539d06072838e659309ec26bf26f15c459dae2359b52211ac0c8c88cb031359f680c8d831939

Download Submit
memory/1080-481-0x000000001B8A0000-0x000000001B8B2000-memory.dmp

Filesize
72KB

Download
memory/2616-14-0x000000001CE20000-0x000000001D348000-memory.dmp

Filesize
5.2MB

Download
memory/2616-6-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/2616-202-0x00007FFC63CB0000-0x00007FFC64771000-memory.dmp

Filesize
10.8MB

Download
memory/2616-1-0x0000000000CD0000-0x0000000000EBA000-memory.dmp

Filesize
1.9MB

Download
memory/2616-20-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/2616-2-0x00007FFC63CB0000-0x00007FFC64771000-memory.dmp

Filesize
10.8MB

Download
memory/2616-391-0x00007FFC63CB0000-0x00007FFC64771000-memory.dmp

Filesize
10.8MB

Download
memory/2616-3-0x0000000002FC0000-0x0000000002FDC000-memory.dmp

Filesize
112KB

Download
memory/2616-16-0x000000001BD20000-0x000000001BD2A000-memory.dmp

Filesize
40KB

Download
memory/2616-17-0x000000001BD30000-0x000000001BD3E000-memory.dmp

Filesize
56KB

Download
memory/2616-18-0x000000001BD40000-0x000000001BD48000-memory.dmp

Filesize
32KB

Download
memory/2616-19-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/2616-0-0x00007FFC63CB3000-0x00007FFC63CB5000-memory.dmp

Filesize
8KB

Download
memory/2616-15-0x000000001BD10000-0x000000001BD1C000-memory.dmp

Filesize
48KB

Download
memory/2616-10-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

Filesize
48KB

Download
memory/2616-4-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/2616-11-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/2616-13-0x000000001BCE0000-0x000000001BCF2000-memory.dmp

Filesize
72KB

Download
memory/2616-7-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download
memory/2616-9-0x000000001BB10000-0x000000001BB66000-memory.dmp

Filesize
344KB

Download
memory/2616-8-0x000000001BB00000-0x000000001BB0A000-memory.dmp

Filesize
40KB

Download
memory/2616-5-0x0000000001770000-0x0000000001778000-memory.dmp

Filesize
32KB

Download
memory/2616-179-0x00007FFC63CB3000-0x00007FFC63CB5000-memory.dmp

Filesize
8KB

Download
memory/2972-392-0x000000001B990000-0x000000001B9E6000-memory.dmp

Filesize
344KB

Download
memory/2972-390-0x0000000000460000-0x000000000064A000-memory.dmp

Filesize
1.9MB

Download
memory/3936-469-0x000000001B100000-0x000000001B156000-memory.dmp

Filesize
344KB

Download
memory/4460-457-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/5252-434-0x000000001B3B0000-0x000000001B3C2000-memory.dmp

Filesize
72KB

Download
memory/5484-493-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/5672-254-0x000002617F090000-0x000002617F0B2000-memory.dmp

Filesize
136KB

Download
memory/6048-516-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download