e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
146s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Size

1.9MB
MD5

b0d62cfc43b2177c97816f2c622001be
SHA1

f2b812fc94891c55de5c752bc3773036a8dc9825
SHA256

c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1
SHA512

4f29e098a812519506f1dea7ded26fe82f5fcffd0795e4d1d7c35d89db1ccd91fa39cf6df692eff0295c7522791051a6e726866ae30f6a525b37497d006214c1
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2760	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2628	powershell.exe
2644	powershell.exe
1924	powershell.exe
2976	powershell.exe
2052	powershell.exe
1440	powershell.exe
2120	powershell.exe
2828	powershell.exe
2260	powershell.exe
2804	powershell.exe
1160	powershell.exe
2736	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Executes dropped EXE 10 IoCs

pid	Process
2208	taskhost.exe
2480	taskhost.exe
2288	taskhost.exe
2764	taskhost.exe
3052	taskhost.exe
1860	taskhost.exe
2304	taskhost.exe
624	taskhost.exe
2916	taskhost.exe
2868	taskhost.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\taskhost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXECB7.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\lsm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\101b941d020240	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\taskhost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\886983d96e3d3e	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXE234.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXE6AA.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXECB6.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\lsm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE02E.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE439.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXEAB2.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCXE6AB.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cc11b995f2a76d	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Microsoft.NET\b75386f1303e64	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\b75386f1303e64	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE02F.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXE233.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE438.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXEAB1.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sppsvc.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\system\0a1fd5f707cd16	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\system\RCXD3E4.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File opened for modification	C:\Windows\system\RCXD452.tmp	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
File created	C:\Windows\system\sppsvc.exe	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
1980	schtasks.exe
1140	schtasks.exe
2420	schtasks.exe
2996	schtasks.exe
1616	schtasks.exe
1064	schtasks.exe
2716	schtasks.exe
1624	schtasks.exe
776	schtasks.exe
2684	schtasks.exe
376	schtasks.exe
2832	schtasks.exe
696	schtasks.exe
1596	schtasks.exe
836	schtasks.exe
1900	schtasks.exe
2860	schtasks.exe
2788	schtasks.exe
1444	schtasks.exe
3000	schtasks.exe
2952	schtasks.exe
1604	schtasks.exe
2348	schtasks.exe
2480	schtasks.exe
1812	schtasks.exe
2504	schtasks.exe
2660	schtasks.exe
2636	schtasks.exe
372	schtasks.exe
3036	schtasks.exe
1848	schtasks.exe
2876	schtasks.exe
2892	schtasks.exe
3064	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
2120	powershell.exe
2804	powershell.exe
2260	powershell.exe
2628	powershell.exe
2052	powershell.exe
2644	powershell.exe
1440	powershell.exe
2828	powershell.exe
2976	powershell.exe
2668	powershell.exe
1160	powershell.exe
2736	powershell.exe
1924	powershell.exe
2208	taskhost.exe
2480	taskhost.exe
2288	taskhost.exe
2764	taskhost.exe
3052	taskhost.exe
1860	taskhost.exe
2304	taskhost.exe
624	taskhost.exe
2916	taskhost.exe
2868	taskhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2208	taskhost.exe
Token: SeDebugPrivilege	2480	taskhost.exe
Token: SeDebugPrivilege	2288	taskhost.exe
Token: SeDebugPrivilege	2764	taskhost.exe
Token: SeDebugPrivilege	3052	taskhost.exe
Token: SeDebugPrivilege	1860	taskhost.exe
Token: SeDebugPrivilege	2304	taskhost.exe
Token: SeDebugPrivilege	624	taskhost.exe
Token: SeDebugPrivilege	2916	taskhost.exe
Token: SeDebugPrivilege	2868	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2804	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	68
PID 2236 wrote to memory of 2804	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	68
PID 2236 wrote to memory of 2804	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	68
PID 2236 wrote to memory of 2644	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	69
PID 2236 wrote to memory of 2644	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	69
PID 2236 wrote to memory of 2644	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	69
PID 2236 wrote to memory of 2628	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	71
PID 2236 wrote to memory of 2628	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	71
PID 2236 wrote to memory of 2628	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	71
PID 2236 wrote to memory of 2668	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	72
PID 2236 wrote to memory of 2668	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	72
PID 2236 wrote to memory of 2668	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	72
PID 2236 wrote to memory of 2736	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	73
PID 2236 wrote to memory of 2736	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	73
PID 2236 wrote to memory of 2736	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	73
PID 2236 wrote to memory of 2260	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	74
PID 2236 wrote to memory of 2260	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	74
PID 2236 wrote to memory of 2260	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	74
PID 2236 wrote to memory of 2828	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	75
PID 2236 wrote to memory of 2828	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	75
PID 2236 wrote to memory of 2828	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	75
PID 2236 wrote to memory of 2120	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	76
PID 2236 wrote to memory of 2120	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	76
PID 2236 wrote to memory of 2120	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	76
PID 2236 wrote to memory of 1440	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	77
PID 2236 wrote to memory of 1440	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	77
PID 2236 wrote to memory of 1440	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	77
PID 2236 wrote to memory of 2052	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	78
PID 2236 wrote to memory of 2052	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	78
PID 2236 wrote to memory of 2052	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	78
PID 2236 wrote to memory of 1160	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	79
PID 2236 wrote to memory of 1160	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	79
PID 2236 wrote to memory of 1160	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	79
PID 2236 wrote to memory of 2976	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	80
PID 2236 wrote to memory of 2976	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	80
PID 2236 wrote to memory of 2976	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	80
PID 2236 wrote to memory of 1924	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	81
PID 2236 wrote to memory of 1924	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	81
PID 2236 wrote to memory of 1924	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	81
PID 2236 wrote to memory of 2208	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	94
PID 2236 wrote to memory of 2208	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	94
PID 2236 wrote to memory of 2208	2236	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe	94
PID 2208 wrote to memory of 2784	2208	taskhost.exe	95
PID 2208 wrote to memory of 2784	2208	taskhost.exe	95
PID 2208 wrote to memory of 2784	2208	taskhost.exe	95
PID 2208 wrote to memory of 2116	2208	taskhost.exe	96
PID 2208 wrote to memory of 2116	2208	taskhost.exe	96
PID 2208 wrote to memory of 2116	2208	taskhost.exe	96
PID 2784 wrote to memory of 2480	2784	WScript.exe	97
PID 2784 wrote to memory of 2480	2784	WScript.exe	97
PID 2784 wrote to memory of 2480	2784	WScript.exe	97
PID 2480 wrote to memory of 2964	2480	taskhost.exe	98
PID 2480 wrote to memory of 2964	2480	taskhost.exe	98
PID 2480 wrote to memory of 2964	2480	taskhost.exe	98
PID 2480 wrote to memory of 2840	2480	taskhost.exe	99
PID 2480 wrote to memory of 2840	2480	taskhost.exe	99
PID 2480 wrote to memory of 2840	2480	taskhost.exe	99
PID 2964 wrote to memory of 2288	2964	WScript.exe	100
PID 2964 wrote to memory of 2288	2964	WScript.exe	100
PID 2964 wrote to memory of 2288	2964	WScript.exe	100
PID 2288 wrote to memory of 2124	2288	taskhost.exe	101
PID 2288 wrote to memory of 2124	2288	taskhost.exe	101
PID 2288 wrote to memory of 2124	2288	taskhost.exe	101
PID 2288 wrote to memory of 544	2288	taskhost.exe	102

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe
"C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Program Files (x86)\Microsoft.NET\taskhost.exe
  "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6299ec5-3409-48b6-9c3e-afa255335f87.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Program Files (x86)\Microsoft.NET\taskhost.exe
      "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2480
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dede4008-51ee-484f-ba6d-270b0d96bf09.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b31968f3-4eed-4a0b-92a0-971fbe58523d.vbs"
        7⤵
        
        PID:2124
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51406da0-16ee-4bd2-a118-66d102478295.vbs"
        9⤵
        
        PID:2248
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\292ce50c-bba4-40cd-a93f-8f211c09c5e6.vbs"
        11⤵
        
        PID:688
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1d102ec-9c0a-45d7-ac63-85fa09dc0828.vbs"
        13⤵
        
        PID:1340
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69cac7e5-56ae-4913-8d64-2be7b1bcf9b3.vbs"
        15⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95bb0610-f36a-4be0-b15e-96ec97561039.vbs"
        17⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63089dd7-45d2-4b54-9af2-b395be694c34.vbs"
        19⤵
        
        PID:2272
        
        C:\Program Files (x86)\Microsoft.NET\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\taskhost.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a35c51ec-5f35-4228-bfb6-a1b533117bd5.vbs"
        21⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e498782-b99b-4f4e-a0ce-fc32c2106bfd.vbs"
        21⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a5a6c67-9e23-4695-bbf3-413f2fe9ff97.vbs"
        19⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1824aa1e-a9c6-4b22-ba1d-7e30e25005af.vbs"
        17⤵
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22661c4-5489-49f6-95fe-90504bdfe94e.vbs"
        15⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c24b29-3f1a-4325-8fb3-55200a1a563d.vbs"
        13⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e8ac34-1596-471d-8d93-fce23204fb6f.vbs"
        11⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ebe6d14-0e93-4724-be64-9b9161eed4bf.vbs"
        9⤵
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e369b824-3270-4c8e-b62a-cd98902f623c.vbs"
        7⤵
        
        PID:544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0118f755-b2ae-4032-bfe7-e13b0e2d1d0a.vbs"
        5⤵
        
        PID:2840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12d5e1ba-992f-4d13-b280-d0a49cc42ee7.vbs"
    3⤵
    PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\system\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\system\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
1.9MB

MD5
329cfab1d5dcf32aa72a9941f75b040b

SHA1
f609ccdd2932efd3bff92fb002b11c33204ac5fa

SHA256
6754df955b9b959ef34487d8b353a27b93c577efa2ef05fc824fbc15e126ff9b

SHA512
dfc296ee4928e7abad38904b717f4ea323baaa91e4a0c80982ac99f638114f261a8bb6f76ff28d54f8382359bfebdbd5cb2e9a64eb3e68f0397cd59057043f8e

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe

Filesize
1.9MB

MD5
b0d62cfc43b2177c97816f2c622001be

SHA1
f2b812fc94891c55de5c752bc3773036a8dc9825

SHA256
c0c57bb1953e9f0faeaa8c98bf4b7f8f0a46376a179af70eb0574bbb33c6c7b1

SHA512
4f29e098a812519506f1dea7ded26fe82f5fcffd0795e4d1d7c35d89db1ccd91fa39cf6df692eff0295c7522791051a6e726866ae30f6a525b37497d006214c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\12d5e1ba-992f-4d13-b280-d0a49cc42ee7.vbs

Filesize
501B

MD5
cc9c5234c6492f12dad94d7f60c3b3fd

SHA1
f7352c3b13fd64c3405bb474f6fdc89ba3e493ce

SHA256
b665d1d34417bc055cd8a2d0fd2594128727fb6fe4f121399d0ac54eae3c9d3a

SHA512
8409ca04ba82a434628f467bc76321384a70d3240b3e1b1f56f620b8a94cffdc94537f59d8d93668ef015f237a0aedd8cc30e4a873a5ce54421f50aa46a97964

Download Submit
C:\Users\Admin\AppData\Local\Temp\292ce50c-bba4-40cd-a93f-8f211c09c5e6.vbs

Filesize
725B

MD5
13f3258eef2dcd0b0a6f79fbb70fe6f8

SHA1
11126f5112454fd1ef0c694e43a20f15f7958f3b

SHA256
9defbf879823f9670194130714b960dac2a88154b49de61f286a2c2e7d8345cb

SHA512
1755d605cef84c37abaf6b8af12423bdbe5619cf2f3e0cff6e597f1b1c4c6a5e747c65c7bcd3a12d613de8539e463b3613d5e346c823cf0008bf827f0c4c356a

Download Submit
C:\Users\Admin\AppData\Local\Temp\51406da0-16ee-4bd2-a118-66d102478295.vbs

Filesize
725B

MD5
8790296c0c594bf4a2c03f1b4d05a90f

SHA1
0d50210d0ca4cb85c92bc7d509145f4ed06b10dd

SHA256
609b60df896a2f1225655a329755f2001850bbcbde229d245ed65a463a94098b

SHA512
d5bfd9a52505c250a09e6a01334a2132b6826f8e0e18a785a5d98ff260e8afbd8bfab1290c61c8145500ed7b8b256e704a989f90113cb7bde0eb7a4c5e84367f

Download Submit
C:\Users\Admin\AppData\Local\Temp\63089dd7-45d2-4b54-9af2-b395be694c34.vbs

Filesize
725B

MD5
1a07f53e7a50ca50d4dd9cdf07535ea0

SHA1
5256e79e376c9d21a0cb4350452fccbbb116e178

SHA256
792a43cc15a1c647a33f263071d49fc947836ffa91ef9ccaa3504c145fcde5c6

SHA512
c76030e24ba51aad0fc7ef4c6481332be31bfee118dd0b6b7f0bbcb4533106d3c83edbcc939206eddb4f5ed560c873b7e9b7d04e971a56c3b5eae4a48685c3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\69cac7e5-56ae-4913-8d64-2be7b1bcf9b3.vbs

Filesize
725B

MD5
28eea048af129b71a94958050b194250

SHA1
9db3d83ede75be55d4ef465a5719fbba5ebc290f

SHA256
227bfdd90ae8c95679e41413d6aaa8074648cc8c092eafba816a4fafa91adbb4

SHA512
6c1966738bd7b8c5a0e09b5d80f48064770d57407612dd07147a310b922b5303d076537f76ced86983c69ca3d2b94a9543c9eb634b35f8f5787e2f781fc2f2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\95bb0610-f36a-4be0-b15e-96ec97561039.vbs

Filesize
724B

MD5
fa63fdd196d656224921633933d3d473

SHA1
e30433ee9fddcf76921f85e8b007150e15e3c483

SHA256
036818b5d0f9c0dc5f17cc6aabdb4584ca2d5814a1351159d29afc33756e7a8a

SHA512
ff757c1008d9ee57d3066333c91990872b498d7371fa312b361f66605057ff39d9c3cb702a82a3ed7881db6d767ba875dba230ad814b7a32576e6b6efe57498f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a35c51ec-5f35-4228-bfb6-a1b533117bd5.vbs

Filesize
725B

MD5
192bb923f099b935aea916bcaf0f64f8

SHA1
11ce6d4978288b669106dcb064103fdab45900e8

SHA256
2ff8c471ffd69f32002c99f882ccdd241eeedbfc0ea86585a4d944250f586d05

SHA512
a9070220017d293d2a2e17beb6864fc31f1d67ef564c5735a6c17673a589ab807a2d957acc14071cf1e5b36e0decbf27e716d14094efd8897b634df79b66c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\b31968f3-4eed-4a0b-92a0-971fbe58523d.vbs

Filesize
725B

MD5
c0b1d8701075e36c5d4a41772f42c34e

SHA1
097e714ce1e4dd65f81ae16afbc3773d53def6e2

SHA256
18185068173c0576b228c88c82ea19ea81b3b184a042ccad52b5f4d942d922f7

SHA512
dc5dbe4f553d0b520eea3a2ff095ebf82904b2f23c627eb686f9a4d7947578cfe067ddca27838b692d2074dfcbb9cf7077c97fc5010b363faec9a9cb812d4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6299ec5-3409-48b6-9c3e-afa255335f87.vbs

Filesize
725B

MD5
5acd14b9b2e9018c5ff6254b9c8e600c

SHA1
3d1ca2a6963aa6fbb9a0e7a77c094d02d8b7044f

SHA256
7273cef479931509fdf4a7456aab8e8708aee44af39baf8fd955e5a8358f8454

SHA512
aeb444c620c6a16c728f874c3c511963fbbdd516d8ace81b29ae7ae7ce3a000107d4fc14dc2ffea22473df249b76e21a881c78354bca44d5e9bcad6001da8201

Download Submit
C:\Users\Admin\AppData\Local\Temp\dede4008-51ee-484f-ba6d-270b0d96bf09.vbs

Filesize
725B

MD5
6177d1d8b50045baa1fbd5e50f115681

SHA1
16213719b8eec1565d352442d5418a03eda37cf4

SHA256
25e090dd83815beb86dcab393db862269790375404c72b0bee8eb89ba50f4c99

SHA512
6e9044fb7d5916747b98932a279405f5c341d6a9969d0683e4941833bb9caa2ecee93e639016a7f476c0110dbb556b244e410ceae0ba72b91d884d203a693ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1d102ec-9c0a-45d7-ac63-85fa09dc0828.vbs

Filesize
725B

MD5
577b6b7670b80f127e67e5a08c5652a3

SHA1
a982362e567626c63758537f754f3eccc87d904a

SHA256
be0565bb66c95bf2e105c4f25a66b6d24173366225524b6eb61e67a8d54ed22f

SHA512
c6207f2e4b4da2b2a5a1fab8b27e9a2fa4424d20c3f7846b275c6fd020d637e65d4ab8d3323431961f0cc019d132a371dbc8de8587b1ec07ce8deccf403438d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
78ac46ed80838d3ca0cfbd25c102dee8

SHA1
b00c45535f9799c4a20bad93befc8de32fcb7176

SHA256
cb9497bdca316bf92fcab32949010951d70bcdc4070d726c74e7dc1ccc14853f

SHA512
c44c323f8a9d696757741810753353047daa2df8d26d166bb86d50385e1a2b49ceea40e12974d70f937c0b2eb3a82eb79108ed9e053cab42a2f2ff3b4dd052a5

Download Submit
C:\Windows\system\sppsvc.exe

Filesize
1.9MB

MD5
9da53485d750d74b85a556d36414efba

SHA1
bfaae0dee9e7a03ed2896098542ccbcd81de8933

SHA256
c65df13baf551bed1abec54481deb898ec0ab5ce51b21128cdefbb5dd949f8e8

SHA512
cabb480cfaf6b8161b8b860747460f3429aa21accab0b5c8508cd91c74455c49c2cbf35253062dcad4a8dc9f79d3a5eab7d764baec314e72b8e1c5ec24bd9acc

Download Submit
memory/624-337-0x0000000002200000-0x0000000002212000-memory.dmp

Filesize
72KB

Download
memory/624-336-0x0000000000140000-0x000000000032A000-memory.dmp

Filesize
1.9MB

Download
memory/2120-199-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2120-198-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2208-254-0x00000000021A0000-0x00000000021B2000-memory.dmp

Filesize
72KB

Download
memory/2208-200-0x0000000000AB0000-0x0000000000C9A000-memory.dmp

Filesize
1.9MB

Download
memory/2208-253-0x0000000000A60000-0x0000000000AB6000-memory.dmp

Filesize
344KB

Download
memory/2236-18-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

Filesize
48KB

Download
memory/2236-6-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/2236-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2236-10-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2236-14-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2236-15-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/2236-16-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/2236-17-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/2236-1-0x0000000001010000-0x00000000011FA000-memory.dmp

Filesize
1.9MB

Download
memory/2236-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-13-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2236-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2236-7-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2236-12-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2236-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2236-8-0x000000001A980000-0x000000001A9D6000-memory.dmp

Filesize
344KB

Download
memory/2236-212-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2288-277-0x00000000000C0000-0x00000000002AA000-memory.dmp

Filesize
1.9MB

Download
memory/2304-324-0x0000000001050000-0x000000000123A000-memory.dmp

Filesize
1.9MB

Download
memory/2480-265-0x0000000000B90000-0x0000000000D7A000-memory.dmp

Filesize
1.9MB

Download
memory/2764-290-0x0000000000450000-0x00000000004A6000-memory.dmp

Filesize
344KB

Download
memory/2764-289-0x0000000001020000-0x000000000120A000-memory.dmp

Filesize
1.9MB

Download
memory/2868-362-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2916-349-0x0000000001160000-0x000000000134A000-memory.dmp

Filesize
1.9MB

Download
memory/2916-350-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download