8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
125s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea78193c0a312343dc3d6ecf4c9709a1.exe
Size

1.9MB
MD5

ea78193c0a312343dc3d6ecf4c9709a1
SHA1

a0ef53ffbda9e058034c460dcf924971da8dedcb
SHA256

af910cca03f917e9f66f2928480d463c358ae42246e32b0900e5572a09920cb2
SHA512

835efc748beddcdf0ca2a8203d9f461e5a6f831dec65a6f0fa56f158b947ce53228ed0c89a688bd0fcd2883cae89bb86a88ab3f9b8a9d98d5f96a46759fc913a
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5616	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	4192	schtasks.exe	88

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5428	powershell.exe
3068	powershell.exe
3376	powershell.exe
4228	powershell.exe
1456	powershell.exe
4864	powershell.exe
5016	powershell.exe
1612	powershell.exe
6056	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ea78193c0a312343dc3d6ecf4c9709a1.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	ea78193c0a312343dc3d6ecf4c9709a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 9 IoCs

pid	Process
3472	smss.exe
3060	smss.exe
5956	smss.exe
2360	smss.exe
4464	smss.exe
324	smss.exe
5892	smss.exe
1736	smss.exe
3200	smss.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea78193c0a312343dc3d6ecf4c9709a1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\RCX851D.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\Windows Mail\winlogon.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\Windows Mail\winlogon.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Program Files\Windows Mail\cc11b995f2a76d	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Program Files\Windows Mail\RCX851C.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\fontdrvhost.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\es-ES\RCX7C1C.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\es-ES\fontdrvhost.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\schemas\Provisioning\RCX8027.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\schemas\Provisioning\RCX8095.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\schemas\Provisioning\smss.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Windows\es-ES\5b884080fd4f94	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Windows\schemas\Provisioning\smss.exe	ea78193c0a312343dc3d6ecf4c9709a1.exe
File created	C:\Windows\schemas\Provisioning\69ddcba757bf72	ea78193c0a312343dc3d6ecf4c9709a1.exe
File opened for modification	C:\Windows\es-ES\RCX7C1B.tmp	ea78193c0a312343dc3d6ecf4c9709a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ea78193c0a312343dc3d6ecf4c9709a1.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4900	schtasks.exe
4804	schtasks.exe
1608	schtasks.exe
4680	schtasks.exe
1648	schtasks.exe
5004	schtasks.exe
2244	schtasks.exe
4676	schtasks.exe
4596	schtasks.exe
4820	schtasks.exe
4760	schtasks.exe
3428	schtasks.exe
5836	schtasks.exe
4716	schtasks.exe
4620	schtasks.exe
4816	schtasks.exe
3560	schtasks.exe
1896	schtasks.exe
1812	schtasks.exe
5104	schtasks.exe
4920	schtasks.exe
4628	schtasks.exe
4020	schtasks.exe
5616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
640	ea78193c0a312343dc3d6ecf4c9709a1.exe
4228	powershell.exe
4228	powershell.exe
1612	powershell.exe
1612	powershell.exe
3068	powershell.exe
3068	powershell.exe
5428	powershell.exe
5428	powershell.exe
1456	powershell.exe
4864	powershell.exe
4864	powershell.exe
1456	powershell.exe
5016	powershell.exe
5016	powershell.exe
6056	powershell.exe
6056	powershell.exe
3376	powershell.exe
3376	powershell.exe
5428	powershell.exe
4864	powershell.exe
3376	powershell.exe
4228	powershell.exe
5016	powershell.exe
1612	powershell.exe
6056	powershell.exe
3068	powershell.exe
1456	powershell.exe
3472	smss.exe
3060	smss.exe
5956	smss.exe
2360	smss.exe
4464	smss.exe
324	smss.exe
5892	smss.exe
1736	smss.exe
3200	smss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	ea78193c0a312343dc3d6ecf4c9709a1.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	3472	smss.exe
Token: SeDebugPrivilege	3060	smss.exe
Token: SeDebugPrivilege	5956	smss.exe
Token: SeDebugPrivilege	2360	smss.exe
Token: SeDebugPrivilege	4464	smss.exe
Token: SeDebugPrivilege	324	smss.exe
Token: SeDebugPrivilege	5892	smss.exe
Token: SeDebugPrivilege	1736	smss.exe
Token: SeDebugPrivilege	3200	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1612	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	120
PID 640 wrote to memory of 1612	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	120
PID 640 wrote to memory of 5016	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	121
PID 640 wrote to memory of 5016	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	121
PID 640 wrote to memory of 4864	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	122
PID 640 wrote to memory of 4864	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	122
PID 640 wrote to memory of 1456	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	124
PID 640 wrote to memory of 1456	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	124
PID 640 wrote to memory of 4228	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	125
PID 640 wrote to memory of 4228	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	125
PID 640 wrote to memory of 3376	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	127
PID 640 wrote to memory of 3376	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	127
PID 640 wrote to memory of 3068	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	128
PID 640 wrote to memory of 3068	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	128
PID 640 wrote to memory of 6056	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	130
PID 640 wrote to memory of 6056	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	130
PID 640 wrote to memory of 5428	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	131
PID 640 wrote to memory of 5428	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	131
PID 640 wrote to memory of 3472	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	139
PID 640 wrote to memory of 3472	640	ea78193c0a312343dc3d6ecf4c9709a1.exe	139
PID 3472 wrote to memory of 3288	3472	smss.exe	140
PID 3472 wrote to memory of 3288	3472	smss.exe	140
PID 3472 wrote to memory of 2596	3472	smss.exe	141
PID 3472 wrote to memory of 2596	3472	smss.exe	141
PID 3288 wrote to memory of 3060	3288	WScript.exe	144
PID 3288 wrote to memory of 3060	3288	WScript.exe	144
PID 3060 wrote to memory of 1432	3060	smss.exe	145
PID 3060 wrote to memory of 1432	3060	smss.exe	145
PID 3060 wrote to memory of 2848	3060	smss.exe	146
PID 3060 wrote to memory of 2848	3060	smss.exe	146
PID 1432 wrote to memory of 5956	1432	WScript.exe	150
PID 1432 wrote to memory of 5956	1432	WScript.exe	150
PID 5956 wrote to memory of 1276	5956	smss.exe	151
PID 5956 wrote to memory of 1276	5956	smss.exe	151
PID 5956 wrote to memory of 4108	5956	smss.exe	152
PID 5956 wrote to memory of 4108	5956	smss.exe	152
PID 1276 wrote to memory of 2360	1276	WScript.exe	153
PID 1276 wrote to memory of 2360	1276	WScript.exe	153
PID 2360 wrote to memory of 5820	2360	smss.exe	154
PID 2360 wrote to memory of 5820	2360	smss.exe	154
PID 2360 wrote to memory of 3836	2360	smss.exe	155
PID 2360 wrote to memory of 3836	2360	smss.exe	155
PID 5820 wrote to memory of 4464	5820	WScript.exe	156
PID 5820 wrote to memory of 4464	5820	WScript.exe	156
PID 4464 wrote to memory of 1512	4464	smss.exe	157
PID 4464 wrote to memory of 1512	4464	smss.exe	157
PID 4464 wrote to memory of 5848	4464	smss.exe	158
PID 4464 wrote to memory of 5848	4464	smss.exe	158
PID 1512 wrote to memory of 324	1512	WScript.exe	160
PID 1512 wrote to memory of 324	1512	WScript.exe	160
PID 324 wrote to memory of 5668	324	smss.exe	161
PID 324 wrote to memory of 5668	324	smss.exe	161
PID 324 wrote to memory of 872	324	smss.exe	162
PID 324 wrote to memory of 872	324	smss.exe	162
PID 5668 wrote to memory of 5892	5668	WScript.exe	163
PID 5668 wrote to memory of 5892	5668	WScript.exe	163
PID 5892 wrote to memory of 2448	5892	smss.exe	164
PID 5892 wrote to memory of 2448	5892	smss.exe	164
PID 5892 wrote to memory of 1944	5892	smss.exe	165
PID 5892 wrote to memory of 1944	5892	smss.exe	165
PID 2448 wrote to memory of 1736	2448	WScript.exe	166
PID 2448 wrote to memory of 1736	2448	WScript.exe	166
PID 1736 wrote to memory of 4680	1736	smss.exe	167
PID 1736 wrote to memory of 4680	1736	smss.exe	167

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ea78193c0a312343dc3d6ecf4c9709a1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe
"C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ea78193c0a312343dc3d6ecf4c9709a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\Provisioning\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Music\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\schemas\Provisioning\smss.exe
  "C:\Windows\schemas\Provisioning\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88367b68-f5ec-411d-8279-1cefe9812182.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\schemas\Provisioning\smss.exe
      C:\Windows\schemas\Provisioning\smss.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f779836-fb6c-4316-9f7a-349609a7a779.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d501d3a-42ee-406f-86b0-06451fcad299.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69552960-f9ca-44dc-b109-8fde6597fbe7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5820
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea9d0e37-bb38-4d13-851b-6e7702554709.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df8e7033-3649-43ad-876d-94718a0eff10.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5668
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5a8905-083c-4d3f-a99c-3c12c715ef7a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba32e3a8-024d-4ec4-b850-3eb5bc48e5e1.vbs"
        17⤵
        
        PID:4680
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e926eba0-89e0-4dec-833e-35695796b90e.vbs"
        19⤵
        
        PID:3744
        
        C:\Windows\schemas\Provisioning\smss.exe
        
        C:\Windows\schemas\Provisioning\smss.exe
        20⤵
        
        PID:5456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11f6b17f-221e-49d0-94c8-5d2ed5856afa.vbs"
        21⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\085a5811-fe9f-4978-8f5c-44c5b7b1817a.vbs"
        21⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc66cf08-c3a0-40c1-ab66-0cc30f33037f.vbs"
        19⤵
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c54a7b-ee37-4362-a189-851738d16f8f.vbs"
        17⤵
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1846d16-d512-479c-984e-09909ec93661.vbs"
        15⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5faba07c-b214-4ad9-9386-4010bf1a453b.vbs"
        13⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a54ed2ca-766d-4bee-b8c4-0db25659bfd8.vbs"
        11⤵
        
        PID:5848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3057f70-b8e7-4aca-8655-54015795ad68.vbs"
        9⤵
        
        PID:3836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e77dfa-867e-410e-96db-1c8ebfc43d89.vbs"
        7⤵
        
        PID:4108
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3ea60b9-7c28-4bfc-a493-f55f25266207.vbs"
        5⤵
        
        PID:2848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b40c929d-671d-4aaf-98a7-0702fbfcbfea.vbs"
    3⤵
    PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\Provisioning\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\Provisioning\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\My Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
084d49c16a0db5a169356315e8e97d83

SHA1
af662c8666ef7c52c9711c0f143e0b8620f27d19

SHA256
a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2

SHA512
c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abc61b7a532b5a8ab5bede2f413c1a71

SHA1
82ed1d78231b408bd8c072b7e08ac0aec0c43a7e

SHA256
43027d7e917d7dc6caa6621eec3187dbfb8c2d3d02f3e0b4c8cf0a37505c9a51

SHA512
2ebe7180da937c44f332dfec8e1b0e5a6b00a8825555829ad6a631d7e54252d3254b9c544370717042cc6c118b83f21f09798d5891d3919363c69439af956adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d501d3a-42ee-406f-86b0-06451fcad299.vbs

Filesize
716B

MD5
813f6a533b6235e48461f3a11716467c

SHA1
cdf69d95e0e500c5834e23e2a372b993ded3cb1b

SHA256
c43278e248424a29447fb1481d8001d80999c5a476ccf32377f28cf71b9f311d

SHA512
9855358c25860147bf1b312d5e6244c3280e2cc6476cc15679fded19b68f6a4d528f70e810da6cfd97b8a7cab1a3d4369b4226bfe8262f59c7b2973eee60e7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\11f6b17f-221e-49d0-94c8-5d2ed5856afa.vbs

Filesize
716B

MD5
1e37178c7ecd498192471a0f8e9c0e90

SHA1
20c326fc39cfe591bb82ce4c5113e27d08b7971e

SHA256
0fa7fe9da6311da8937f9d293d461273a6ff1461408d78ec9d0807d4f85f1846

SHA512
6e7235a8073b4566d46e4cf0b0d7ab9978d63f55467f208a8c357396a0c492578d3ccaafb494366ebd9ad359f1f3cfd42ab1c4e18256a5d25e7b226e9b56a516

Download Submit
C:\Users\Admin\AppData\Local\Temp\69552960-f9ca-44dc-b109-8fde6597fbe7.vbs

Filesize
716B

MD5
bb2f4f4d991190224b2de5c01c404e76

SHA1
93d9ad75784d8149fe0453f1599763515d964791

SHA256
0e9982dca69102ddc1e844280b579e657daa6a205a1a6ed8b057ddb92c74152f

SHA512
eba19921a36abd3bc573f25bc36da6cc6076cd5f7a05e7b11f8fe1d24a5604deaf99cb25b21901aee41c865b5635d5a30ba4a79b9b1266a35e9a28e3964641f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\88367b68-f5ec-411d-8279-1cefe9812182.vbs

Filesize
716B

MD5
6173d96b273fdc35b03a81b214640b34

SHA1
00842581ab72f901801d207c2a6b20a73b39af99

SHA256
460b7b892ae8eb77c76b5703366bd751514d49b4d5b86f0cf9d7d740075a7313

SHA512
6dcb317e47f8316aedbb1c96ec9bce18d48ef994ae9d267b1a239ec7ee067a130bcc8240e097b11827002237676a66b2a674aab2398ee992188144231bcb4aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f779836-fb6c-4316-9f7a-349609a7a779.vbs

Filesize
716B

MD5
20534138fd89c287e3ba5d8fdff3f7b3

SHA1
0a6d84f9aabee53923b762c153753d980a887cd0

SHA256
03c9ba1184f252cf9926890909a2a0fa01d66ee5fbb14783d19994dde3bb31a3

SHA512
b5dc37f411bb85d00acc59ccfe0ac707923d53229733797f9a57500479892fdc20a03b9faea5a9089579ab51bce6fe71972bc781d7f2ec0b167bab1b89ac3d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y13eka1v.h0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40c929d-671d-4aaf-98a7-0702fbfcbfea.vbs

Filesize
492B

MD5
889bbc1a459aceca0cef0d41c5ddaacc

SHA1
6e9e1bda55cc3421f0f6454fdab4f159cf20274f

SHA256
c1202c919daf2d22b6c86e19224f484430cd8b360f5808378f0f0959df81697d

SHA512
8307606875880369f709ee323eba7029524de95ad8f50f7ee9620472ec0646853bedf6fa4a5d72458c644cb1a3afdabf652c4a2569d38ce5c20ed7b6e3be5457

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba32e3a8-024d-4ec4-b850-3eb5bc48e5e1.vbs

Filesize
716B

MD5
36616211479a12f8e1f5eaf1fbce823a

SHA1
b9f7135ad6590bd170b71cfd4046464f4fd3b321

SHA256
00899418e606441b9fff443ce4e5c4416d395635c13072255b133a52728069da

SHA512
9ff3b0c8ebb139331233941964ca4062115082f62359c77e39f9185e85ef8ea224cc4360780bb0f3b88014afa36f1885d4235d00f1bdb9fb52991482a2e4a7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\df8e7033-3649-43ad-876d-94718a0eff10.vbs

Filesize
715B

MD5
ede05e09f711a23c6606a043e6049ff0

SHA1
9fa12d691571d225aea9d49ce69970168ba6a12b

SHA256
7143ab73ee529874565851218e9ef0e1f6f42702134cce638fa64f87b3112338

SHA512
b69a6fd9fabf1792e22d126aa322b605e677b6e96b655c2ad05708076e3fad8dd5b41447eb2cf166a31607cf9f388851f7203a9f859fd253d07b9aabba5e6cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e926eba0-89e0-4dec-833e-35695796b90e.vbs

Filesize
716B

MD5
5192951c895dc8f7ec87488da3aa6202

SHA1
9ff5601646e9adc7a5c4b18bedcfa6141e06a1af

SHA256
f59752bd7d41100964a5f220b2ef14595fe6b3e97f8c2356eeab299282e3eeb7

SHA512
c7ef2b6b8f3c76579883e89eb130f7ed0749051f385082ffb11cb9b901d84326117476f127f8487d5be1d1ce66f047e136bfb2c274c00037979446d3fbeb36fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea5a8905-083c-4d3f-a99c-3c12c715ef7a.vbs

Filesize
716B

MD5
8fe9e1a033faaa49b14d8c65a483d6ec

SHA1
a64831dd419c317e49d8819ac05fabe26b60a12d

SHA256
2a504d4fcc6eb21c44d426dedf48e18d8e7c98b65e8635315d50d19b81af7c4e

SHA512
53018afd701e8d308cad5a5815709368af88b8a1fc2c6a62f279d0b3d697db06f1204a70302b7887c338f9632a3ca516da0aa037dc75802c82932bbe9c0f6dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea9d0e37-bb38-4d13-851b-6e7702554709.vbs

Filesize
716B

MD5
2a66395f0909f50ad0036bfdbffd33ce

SHA1
ba7fdba3a7846ebde055283a288603f342cf7ed0

SHA256
b4541f778005d5455bd8e83403be97893aa2f7b01beb59787c82319791c77f6f

SHA512
197705a689fac823726b5ed26043e4ece6d3a84e65b179a9734b76546f1469b2019fe9726cb0e7b3aab9196cba91bcb6db5487d19cc57eb9a43186fd9faef660

Download Submit
C:\Windows\schemas\Provisioning\smss.exe

Filesize
1.9MB

MD5
ea78193c0a312343dc3d6ecf4c9709a1

SHA1
a0ef53ffbda9e058034c460dcf924971da8dedcb

SHA256
af910cca03f917e9f66f2928480d463c358ae42246e32b0900e5572a09920cb2

SHA512
835efc748beddcdf0ca2a8203d9f461e5a6f831dec65a6f0fa56f158b947ce53228ed0c89a688bd0fcd2883cae89bb86a88ab3f9b8a9d98d5f96a46759fc913a

Download Submit
C:\Windows\schemas\Provisioning\smss.exe

Filesize
1.9MB

MD5
d84e1fbeb3b41439abbdbfadec9c963f

SHA1
245a528601c68c89d0ebc0f1f06e60342e6a2c84

SHA256
290063b5d95762a8a17a973242f2525c0e80b57a2c35e2018a959ce9ea9d1a6d

SHA512
64b35c0084dcd3e6ef833a693674f16603cff392789513bca53a23b93a3eddc94013da7c2f1583e344a932150bb7420b7b3a6337f3a429534667dd4b31ed362d

Download Submit
memory/640-20-0x000000001C520000-0x000000001C52C000-memory.dmp

Filesize
48KB

Download
memory/640-13-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

Filesize
72KB

Download
memory/640-0-0x00007FFE587A3000-0x00007FFE587A5000-memory.dmp

Filesize
8KB

Download
memory/640-16-0x000000001BE20000-0x000000001BE2A000-memory.dmp

Filesize
40KB

Download
memory/640-17-0x000000001BE30000-0x000000001BE3E000-memory.dmp

Filesize
56KB

Download
memory/640-11-0x000000001BDD0000-0x000000001BDD8000-memory.dmp

Filesize
32KB

Download
memory/640-18-0x000000001BE40000-0x000000001BE48000-memory.dmp

Filesize
32KB

Download
memory/640-3-0x00000000031E0000-0x00000000031FC000-memory.dmp

Filesize
112KB

Download
memory/640-19-0x000000001C510000-0x000000001C51C000-memory.dmp

Filesize
48KB

Download
memory/640-14-0x000000001CEA0000-0x000000001D3C8000-memory.dmp

Filesize
5.2MB

Download
memory/640-10-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/640-277-0x00007FFE587A0000-0x00007FFE59261000-memory.dmp

Filesize
10.8MB

Download
memory/640-1-0x0000000000ED0000-0x00000000010BA000-memory.dmp

Filesize
1.9MB

Download
memory/640-15-0x000000001BE10000-0x000000001BE1C000-memory.dmp

Filesize
48KB

Download
memory/640-9-0x0000000003240000-0x0000000003296000-memory.dmp

Filesize
344KB

Download
memory/640-8-0x0000000003230000-0x000000000323A000-memory.dmp

Filesize
40KB

Download
memory/640-4-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/640-7-0x0000000003210000-0x0000000003226000-memory.dmp

Filesize
88KB

Download
memory/640-2-0x00007FFE587A0000-0x00007FFE59261000-memory.dmp

Filesize
10.8MB

Download
memory/640-6-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/640-5-0x00000000031C0000-0x00000000031C8000-memory.dmp

Filesize
32KB

Download
memory/1612-201-0x0000026DDF9F0000-0x0000026DDFA12000-memory.dmp

Filesize
136KB

Download
memory/2360-333-0x000000001D0B0000-0x000000001D0C2000-memory.dmp

Filesize
72KB

Download
memory/3472-278-0x0000000000790000-0x000000000097A000-memory.dmp

Filesize
1.9MB

Download
memory/3472-298-0x000000001D100000-0x000000001D156000-memory.dmp

Filesize
344KB

Download
memory/4464-345-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download