5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Size

1.9MB
MD5

34655ac11b4f6a8d6f1ea8e2fbbe0676
SHA1

d17ed388047ec77145ef4c96e3760ea94985caa7
SHA256

75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688
SHA512

2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5692	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6080	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4348	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4348	schtasks.exe	88

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3108	powershell.exe
1376	powershell.exe
5076	powershell.exe
1216	powershell.exe
2244	powershell.exe
2364	powershell.exe
4308	powershell.exe
4784	powershell.exe
4972	powershell.exe
5976	powershell.exe
2888	powershell.exe
212	powershell.exe
5344	powershell.exe
2592	powershell.exe
1808	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 11 IoCs

pid	Process
3560	System.exe
5732	System.exe
1840	System.exe
1532	System.exe
4972	System.exe
3032	System.exe
4020	System.exe
892	System.exe
4308	System.exe
2432	System.exe
4736	System.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX8626.tmp	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX86A4.tmp	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\unsecapp.exe	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File created	C:\Windows\Resources\Ease of Access Themes\29c1c3cc0f7685	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX7CC7.tmp	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX7CC8.tmp	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\unsecapp.exe	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe
4556	schtasks.exe
4828	schtasks.exe
4940	schtasks.exe
4936	schtasks.exe
3068	schtasks.exe
2480	schtasks.exe
4580	schtasks.exe
4692	schtasks.exe
5032	schtasks.exe
4896	schtasks.exe
6080	schtasks.exe
2496	schtasks.exe
3600	schtasks.exe
3104	schtasks.exe
4748	schtasks.exe
3948	schtasks.exe
5060	schtasks.exe
4948	schtasks.exe
5560	schtasks.exe
3688	schtasks.exe
2008	schtasks.exe
5092	schtasks.exe
4740	schtasks.exe
4496	schtasks.exe
5068	schtasks.exe
4808	schtasks.exe
4848	schtasks.exe
4876	schtasks.exe
4844	schtasks.exe
2220	schtasks.exe
6076	schtasks.exe
4716	schtasks.exe
3556	schtasks.exe
516	schtasks.exe
3568	schtasks.exe
4880	schtasks.exe
5692	schtasks.exe
5784	schtasks.exe
1420	schtasks.exe
4460	schtasks.exe
4900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
4784	powershell.exe
4784	powershell.exe
1808	powershell.exe
1808	powershell.exe
4308	powershell.exe
4308	powershell.exe
2888	powershell.exe
2888	powershell.exe
1216	powershell.exe
1216	powershell.exe
2244	powershell.exe
2244	powershell.exe
4972	powershell.exe
4972	powershell.exe
2592	powershell.exe
2592	powershell.exe
2364	powershell.exe
2364	powershell.exe
5344	powershell.exe
5344	powershell.exe
5976	powershell.exe
5976	powershell.exe
3108	powershell.exe
3108	powershell.exe
5076	powershell.exe
5076	powershell.exe
212	powershell.exe
212	powershell.exe
1808	powershell.exe
1376	powershell.exe
1376	powershell.exe
212	powershell.exe
1376	powershell.exe
4784	powershell.exe
4784	powershell.exe
4308	powershell.exe
2888	powershell.exe
2244	powershell.exe
5344	powershell.exe
1216	powershell.exe
2592	powershell.exe
4972	powershell.exe
5076	powershell.exe
2364	powershell.exe
5976	powershell.exe
3108	powershell.exe
3560	System.exe
5732	System.exe
1840	System.exe
1532	System.exe
4972	System.exe
3032	System.exe
4020	System.exe
892	System.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	3560	System.exe
Token: SeDebugPrivilege	5732	System.exe
Token: SeDebugPrivilege	1840	System.exe
Token: SeDebugPrivilege	1532	System.exe
Token: SeDebugPrivilege	4972	System.exe
Token: SeDebugPrivilege	3032	System.exe
Token: SeDebugPrivilege	4020	System.exe
Token: SeDebugPrivilege	892	System.exe
Token: SeDebugPrivilege	4308	System.exe
Token: SeDebugPrivilege	2432	System.exe
Token: SeDebugPrivilege	4736	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1216	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	136
PID 1692 wrote to memory of 1216	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	136
PID 1692 wrote to memory of 4308	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	137
PID 1692 wrote to memory of 4308	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	137
PID 1692 wrote to memory of 4784	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	138
PID 1692 wrote to memory of 4784	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	138
PID 1692 wrote to memory of 2592	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	139
PID 1692 wrote to memory of 2592	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	139
PID 1692 wrote to memory of 2888	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	140
PID 1692 wrote to memory of 2888	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	140
PID 1692 wrote to memory of 2244	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	141
PID 1692 wrote to memory of 2244	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	141
PID 1692 wrote to memory of 1808	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	142
PID 1692 wrote to memory of 1808	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	142
PID 1692 wrote to memory of 4972	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	143
PID 1692 wrote to memory of 4972	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	143
PID 1692 wrote to memory of 2364	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	144
PID 1692 wrote to memory of 2364	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	144
PID 1692 wrote to memory of 3108	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	145
PID 1692 wrote to memory of 3108	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	145
PID 1692 wrote to memory of 1376	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	146
PID 1692 wrote to memory of 1376	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	146
PID 1692 wrote to memory of 5976	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	147
PID 1692 wrote to memory of 5976	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	147
PID 1692 wrote to memory of 212	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	148
PID 1692 wrote to memory of 212	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	148
PID 1692 wrote to memory of 5344	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	149
PID 1692 wrote to memory of 5344	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	149
PID 1692 wrote to memory of 5076	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	150
PID 1692 wrote to memory of 5076	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	150
PID 1692 wrote to memory of 4592	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	166
PID 1692 wrote to memory of 4592	1692	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe	166
PID 4592 wrote to memory of 4536	4592	cmd.exe	168
PID 4592 wrote to memory of 4536	4592	cmd.exe	168
PID 4592 wrote to memory of 3560	4592	cmd.exe	170
PID 4592 wrote to memory of 3560	4592	cmd.exe	170
PID 3560 wrote to memory of 1884	3560	System.exe	171
PID 3560 wrote to memory of 1884	3560	System.exe	171
PID 3560 wrote to memory of 4572	3560	System.exe	172
PID 3560 wrote to memory of 4572	3560	System.exe	172
PID 1884 wrote to memory of 5732	1884	WScript.exe	174
PID 1884 wrote to memory of 5732	1884	WScript.exe	174
PID 5732 wrote to memory of 6000	5732	System.exe	178
PID 5732 wrote to memory of 6000	5732	System.exe	178
PID 5732 wrote to memory of 5284	5732	System.exe	179
PID 5732 wrote to memory of 5284	5732	System.exe	179
PID 6000 wrote to memory of 1840	6000	WScript.exe	184
PID 6000 wrote to memory of 1840	6000	WScript.exe	184
PID 1840 wrote to memory of 6120	1840	System.exe	185
PID 1840 wrote to memory of 6120	1840	System.exe	185
PID 1840 wrote to memory of 1752	1840	System.exe	186
PID 1840 wrote to memory of 1752	1840	System.exe	186
PID 6120 wrote to memory of 1532	6120	WScript.exe	187
PID 6120 wrote to memory of 1532	6120	WScript.exe	187
PID 1532 wrote to memory of 6076	1532	System.exe	188
PID 1532 wrote to memory of 6076	1532	System.exe	188
PID 1532 wrote to memory of 4256	1532	System.exe	189
PID 1532 wrote to memory of 4256	1532	System.exe	189
PID 6076 wrote to memory of 4972	6076	WScript.exe	190
PID 6076 wrote to memory of 4972	6076	WScript.exe	190
PID 4972 wrote to memory of 928	4972	System.exe	191
PID 4972 wrote to memory of 928	4972	System.exe	191
PID 4972 wrote to memory of 1836	4972	System.exe	192
PID 4972 wrote to memory of 1836	4972	System.exe	192

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
"C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dBsYsZOatK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4536
- - C:\7e20f84d5244aba7145631d4073af8\System.exe
    "C:\7e20f84d5244aba7145631d4073af8\System.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3560
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19c01adb-737f-4475-88b1-158a0991d424.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5732
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d050752-2817-4cbd-8abc-679be6a54816.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:6000
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c073657-cd57-406c-805e-c1f6872bc640.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22de7162-3e70-4ad2-9433-035283731719.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df68d39-a7a1-45d1-898b-fc6ee5458f04.vbs"
        12⤵
        
        PID:928
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dba33ab-1835-4224-b666-b37d2311e7a1.vbs"
        14⤵
        
        PID:4984
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\423a78b9-baf8-4c0d-abbd-5771d51e80f9.vbs"
        16⤵
        
        PID:2368
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5d3f893-232d-4168-8c5b-a721daa9cfad.vbs"
        18⤵
        
        PID:5452
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ecd4305-cea4-4bd2-818c-274fbeffb284.vbs"
        20⤵
        
        PID:5088
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c4d9ed1-b970-4e03-989e-40926098c63d.vbs"
        22⤵
        
        PID:2596
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        
        C:\7e20f84d5244aba7145631d4073af8\System.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3160ac3-ecc6-47fe-a1ec-ce3287c2eeb1.vbs"
        22⤵
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\624af6ad-32c8-43fb-bc53-bf3febe773a9.vbs"
        20⤵
        
        PID:4868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f003f05d-b10d-4a64-8c09-d6a5e772f961.vbs"
        18⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef59cd8-a9ce-4e73-9f79-b862737a541f.vbs"
        16⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2e38d58-b423-48f3-a2a6-8e689253ba42.vbs"
        14⤵
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\341c0763-d76b-49b9-a0e2-a5d0f19cfb18.vbs"
        12⤵
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c25ad22a-f0b1-4252-969e-89384ee0cd02.vbs"
        10⤵
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e586022c-eb16-4fc6-b259-153f2737a614.vbs"
        8⤵
        
        PID:1752
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ffe2823-2f0d-47c6-919e-cbb7467d66d3.vbs"
        6⤵
        
        PID:5284
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e070499-23df-4bcd-a491-13228992c9d2.vbs"
      4⤵
      PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe06763" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe0676" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe06763" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe06763" /sc MINUTE /mo 14 /tr "'C:\Users\Default\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe0676" /sc ONLOGON /tr "'C:\Users\Default\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "34655ac11b4f6a8d6f1ea8e2fbbe06763" /sc MINUTE /mo 14 /tr "'C:\Users\Default\34655ac11b4f6a8d6f1ea8e2fbbe0676.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\Network Sharing\RuntimeBroker.exe

Filesize
1.9MB

MD5
e41ccd046c9e5335a8a26381eb476c79

SHA1
943d4628c21c014ed6d345207c697aac12483052

SHA256
d843d8de712fdecf8ab729037036e14eb5c2eaf7ca75e685873afffa6c347149

SHA512
f9e5ebe060e29acb135c61bd540b8368bfaea9b28a767b1a53bb0157795f95ba1f1e2752041ab52db1070c3af3a1aa10051a4daf1d54afda84509755dd26ee5b

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\System.exe

Filesize
1.9MB

MD5
285a2ad41840210025d881cc5ce1f6ee

SHA1
bc5f64f97dca89e0aafd931600dcf40c2935ce52

SHA256
597f14ac6d6d8c65747b313d044fc58f04913fd10f3270121d3195c3f1166ee4

SHA512
c2f46f92a1753203bb39a4c835a8ae533b9da8cb15f24e33a76b644adda880c2eb86a450b3f1d81968e929ffaf98596ec69435eee60341c2ce248232f810ac17

Download Submit
C:\Recovery\WindowsRE\RCX7840.tmp

Filesize
1.9MB

MD5
e784262fad6a0dff1d0c11fc4ebd2b60

SHA1
57cf856845fb6d6d0b27ace04b8ee40c3ff7e80f

SHA256
cdcae105e82e2a9b8a78e86e663e7dd37792f86eb075286433bafe35c47cd207

SHA512
3a96a008e54f6505c02fe99ca768389a4f8882729d5bf016f7b26e8c7f78b5802f0510786f28ae1fadcd7a505867dcdb81ec9f5260e25531c65c661006581919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5298af510096b88490b00b468206c966

SHA1
afc8d92a832bf530001e9d7bce0a917067b1a753

SHA256
d1dae534bb9fc91682d16c2a30657cf3eafa4db82fec8d1477dde2d0e9af5a18

SHA512
9653df3b73599ad282259e3990d18b4e56f556d6fbc33697293503cc88738473245f7507b571059460ce57e6267219bc7b95ed1e90c198d0726a13b91427419e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
452593747a6f6f0b2e08d8502e1ec6e7

SHA1
027c3a7f5f18e7a1e96bbf2a3d3c267e72821836

SHA256
495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d

SHA512
17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b70364cff9735f7d75ce300231e34b76

SHA1
774a0bd71ac7c49f7362f2f172348d1a7a2fb149

SHA256
d2e89ceb2b3c76f4df5c8ff31271cb8587bb50e55c292dcef5175ebd2ac7432b

SHA512
e6de0e6bbb63042230f317b9b3c2ba09d5b3eb56281f7bbd2f5bb4a898313b9f1467bc63f88aa6dd97fbcd307198fdce6d63e8751f3b9c31811f2946b8800b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
18426832d86135e22d650ff3ea187f44

SHA1
8a5784bc968874fc74dbff9abad1f77dbf63090f

SHA256
214813307e986c89e441a5444af870be3237b414e451a5dc32bb819b0f379242

SHA512
ab0328e5455c8542b25cc47129283c6ccd3823bff49732d5d77728bb352409b7464bedf23dbe235c88bfedf65341a5fc425c7ec98e2018fb4da2762b1436b560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
228b9cb390ee9d451e59c46314690427

SHA1
3749fb123e1c7d2b3d1578e30742779d999912d1

SHA256
f705563c09820d596048324d7132f80573f736690e1abfb25cf0bc884d08f544

SHA512
691ab3653f2a844929d1699539dfb96495ac57aa98edb3f12cf8eb763ca1e3b9373ad944ce8352a2faed49450cc6c6bc83c58ef2df88e0b9b6b5d7134a74ffa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\19c01adb-737f-4475-88b1-158a0991d424.vbs

Filesize
720B

MD5
a1fa3d19682ba8aaf255e2d17a3e3ce1

SHA1
730d4b4acec5109bff2b1c1ca2f1bf50c04a2a10

SHA256
c560875d81ff125956e7cf7271305162ffaddf60510f3014662bd8a3fe0a67a5

SHA512
fd8a0b4fddad608e64ed485260ea3f87ea28eed62c52584d53627bc82b68906862c10b99af062ea71dee10151e99a57ac4ce116bbe381655c08767b67027c205

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d050752-2817-4cbd-8abc-679be6a54816.vbs

Filesize
720B

MD5
91450e87af5f2df1ff53c485c726a72b

SHA1
df9a30d989a1c9712b6467e821a888039705da3d

SHA256
99a1b01c5b1fad9e8df46e282448c988db162203afa5d0a72a2e1c408e9e3a74

SHA512
98ba152d3ad42933d65c57f15719b49c2268c5d8389b15109bb419d409b65f8783809583bf9dcd37a1b9a41d8178bbaeae429e24d7fa685f48ab854952e850f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e070499-23df-4bcd-a491-13228992c9d2.vbs

Filesize
496B

MD5
d9b4db1ef521a837c6da02b626336e44

SHA1
551ca3a96ffade55bc0a8b4a8dd4b232f20ea0c0

SHA256
a049ad5b1911359c9cfdb609cc999875c4dca1868dd3e03f9de067906071fb11

SHA512
6a9c55e7c391806f93916943ec805fe40b7dee4e67f5ed89592bbd9e0209994b4551d9d00cebdc1c17e69f8954e0d24a739ae70257acd94ec17a269c949ddb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\22de7162-3e70-4ad2-9433-035283731719.vbs

Filesize
720B

MD5
cbc8cda4f9e931e3ec9d47df84afedd5

SHA1
95759f1b7bf345b6b2f6dd7fdfbde0548d6a9fe8

SHA256
798b62f2027dbf13288167c3aedfced06453c4156c748d28c1b1efd044f8c162

SHA512
bfcca3e0f520416c4ce754b88e8e7a7b63418486237c4b3a2193c9ebb7ff78dfcecddbfd5bc6e6f6be69cc895cad76e55b57590967062cee6d887005f4c17000

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dba33ab-1835-4224-b666-b37d2311e7a1.vbs

Filesize
720B

MD5
237c530d9c91df88217ba78d5c80ea06

SHA1
fd50c5cef6edfd15e96c7f69932ca1411fc4eb46

SHA256
4a5e009de4f85d33163e1c25b40e057125541036fbf641d99bbe86e148da1d77

SHA512
ffce848b5ef4a656be282d673d9f0984ebc1071e4982cf31e88995035724dfd32623a24c7285afaf1e15982988ac94732e377b248ccaea9737ecdc2a0533b944

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c073657-cd57-406c-805e-c1f6872bc640.vbs

Filesize
720B

MD5
d1b1f98b1b61092add7a83ac94112a33

SHA1
04095c82b48d8bfca2b57e03684391b4de3b2650

SHA256
0177e74c11740e82e594f5371f6d6269008ae2f482bc65d01812aed020854e31

SHA512
401325258c1ead54f0167244f4f31b9ce5b366da4b20d3a2a17732cee7554bfb86bb16d4c0513a3a375c696a207071a8aad306f39e894158927f4aacb0827500

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c4d9ed1-b970-4e03-989e-40926098c63d.vbs

Filesize
720B

MD5
b3c19bf651006e48c1676c24d92bd232

SHA1
f2f54675d7f0793842fcfbf2872b274b9461f364

SHA256
7c2b9cba9246f827b1c8f3e80f8c6e0e9ad8ce5dd4546294a2f5fe2510aa1ffd

SHA512
e64e27656e78bdcae70acecb1568430a9e67cba461b01f9741545c47c7f4cd3023fef2b46821335462aa96cb7d8924dad66b53f34c38183479ab5bb8d52e075d

Download Submit
C:\Users\Admin\AppData\Local\Temp\423a78b9-baf8-4c0d-abbd-5771d51e80f9.vbs

Filesize
720B

MD5
b183c28d3ab211d12e6bd4f2eabf959b

SHA1
22b5b84c75bbf080bd4929c749dfefdfde38b082

SHA256
7f164e5a134daf08d885653ece44b586f1d94c3b9ff3220e00beecc304405999

SHA512
07acb8e22d70e64affd515fc4f83a03fc30165728fc8a395db9c1dca7aae929eef8cfeb81840bb857294383f51ca87fbaa3cad1dc40788cba69935c8df48dac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5df68d39-a7a1-45d1-898b-fc6ee5458f04.vbs

Filesize
720B

MD5
f9279eaf1f784ac58e0b7463f94c5d19

SHA1
dc8a7cc20aeff50741953067f7af5060359e6f65

SHA256
e8cfc3c7b9cf157e196a6081aeb97d859a4e9d28a15749559300d1f252e4f21b

SHA512
3479108323da98ef17d73a36de1b5b8d3f9f36f8e27f5688a6005ab36473f92e6b3ede962665125079d994bcd562aebdabfe2eee8705bb4bffa14a36a92c88e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ecd4305-cea4-4bd2-818c-274fbeffb284.vbs

Filesize
720B

MD5
57c6dca589357b4982966936e69a1c69

SHA1
ad812ef1b37a50e0625aa94073ece99a85345729

SHA256
30fa5e2df48b04ff8545c764e851448e9a326a6ac29c43f5181aaf12be3f1092

SHA512
87abd4792224e8e80920b70779c3fb044b2cc9c7b51fb5f0f7d59c613f5e566b90e1315640010385741b42e9b0dd615a5f7989375b7a7faf290dd9325efd4bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\752d71c15bba02f2a864b40fcf28367fd84c4bdf.exe

Filesize
1.9MB

MD5
8f799f67226b59e7def61ef4643d8234

SHA1
2015796f49a4a0bd3ef35d665f552be217d00bc1

SHA256
f410c6cc23855dfe98686babbc2e66b659b50301094eda7865d8a60e5493e111

SHA512
a838dfdde57b0f7b74de30243fde7bc800ba50b37c99adae05b2842ed2b433878210da0dd469c623f953cc56cfd33c2875183bec5dddcd19b116eebcdffa11bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgekzyaz.vvc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5d3f893-232d-4168-8c5b-a721daa9cfad.vbs

Filesize
719B

MD5
c8e2750654b2e468fdabad2ac2c51925

SHA1
3625571898cad90adcff46866fb3a27244da1c32

SHA256
d406aca9071886025a2bd0a848aa362cc4cb5a1bb3167e15d8303c280ab5d803

SHA512
7522a52a388a4846ba931b9319e9327073602991f35ef27a7e672bab99db3bd4b0689860be12e4cc74c7d27be7e51960703e4fc7a850d7205ebf295646676c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dBsYsZOatK.bat

Filesize
209B

MD5
b68809845cf01fab378a677f86b84a5c

SHA1
8ca817286f6cb2c1164ca0d522cec7c0d2c110fe

SHA256
8c96f411e21d5e6e15549f019963155891ef5890cea24821f6057e245f7382a8

SHA512
fbe12e4574a9de4e018eae990f0a9b2d80a3ee7005bed52e584366d42e80a6f3962d2320b1b7c91931ad15511321517e3b3affbb5f6f3251a0c18df1b2b8ed7d

Download Submit
C:\Users\Default\explorer.exe

Filesize
1.9MB

MD5
34655ac11b4f6a8d6f1ea8e2fbbe0676

SHA1
d17ed388047ec77145ef4c96e3760ea94985caa7

SHA256
75b2e0c469d7b50ea3a5f022b84db475f4009e17265ead71e5a68a9a90a44688

SHA512
2c2bf7b06e1a6ddfc2bbfe21a9c1a21cea9a33015ad62837dd1dee81e8a096b951c1dae3f3a95ae052f014e563b040da9d3ee9c96565116933603a99ab9e61e2

Download Submit
C:\Users\Default\explorer.exe

Filesize
1.9MB

MD5
264e531e19ff4b00e3d06da911f67c03

SHA1
9fce2c95fe5c2e536acbde1e13866d8054518d59

SHA256
c59b0de0ba2cb7321382160f8ee7ff7d4d60cbc96912400124c6a7fee110a6c0

SHA512
1af3ee6b7ce614c0ac9178e025844e9cda4c5b0a676e9cb218650a9861a42bab5515eb5f0db87820ace5169a98c9581a9142cea899d7d60fb1f57fb0d395e663

Download Submit
C:\Users\Public\Music\dllhost.exe

Filesize
1.9MB

MD5
fbcfbce628027c8d810ac7296ef2e8fb

SHA1
a06fe4bec03d945094e19cf03b79bb65009aab6c

SHA256
7b92ac83c4d6f422c6cbde658e68a26ddfa2ae0e82e74ec91ae257f5dfd2dffe

SHA512
02ebff27f111fb2f174f760dd46f7521988ef0386c1803d0eaabd3c270a65f5888fc7fbb8dc4ffa651c820d9b3cf59866a0c4a119ecc703b26e346a842dadee0

Download Submit
memory/1532-428-0x000000001B890000-0x000000001B8A2000-memory.dmp

Filesize
72KB

Download
memory/1692-17-0x000000001C2E0000-0x000000001C2EE000-memory.dmp

Filesize
56KB

Download
memory/1692-11-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

Filesize
32KB

Download
memory/1692-1-0x0000000000CC0000-0x0000000000EAA000-memory.dmp

Filesize
1.9MB

Download
memory/1692-204-0x00007FF915C00000-0x00007FF9166C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-180-0x00007FF915C03000-0x00007FF915C05000-memory.dmp

Filesize
8KB

Download
memory/1692-16-0x000000001C2D0000-0x000000001C2DA000-memory.dmp

Filesize
40KB

Download
memory/1692-18-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

Filesize
32KB

Download
memory/1692-19-0x000000001C300000-0x000000001C30C000-memory.dmp

Filesize
48KB

Download
memory/1692-20-0x000000001C310000-0x000000001C31C000-memory.dmp

Filesize
48KB

Download
memory/1692-0-0x00007FF915C03000-0x00007FF915C05000-memory.dmp

Filesize
8KB

Download
memory/1692-15-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/1692-14-0x000000001CBC0000-0x000000001D0E8000-memory.dmp

Filesize
5.2MB

Download
memory/1692-2-0x00007FF915C00000-0x00007FF9166C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-232-0x00007FF915C00000-0x00007FF9166C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-3-0x00000000017C0000-0x00000000017DC000-memory.dmp

Filesize
112KB

Download
memory/1692-13-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

Filesize
72KB

Download
memory/1692-10-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/1692-9-0x000000001C080000-0x000000001C0D6000-memory.dmp

Filesize
344KB

Download
memory/1692-5-0x00000000017F0000-0x00000000017F8000-memory.dmp

Filesize
32KB

Download
memory/1692-6-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/1692-4-0x0000000003040000-0x0000000003090000-memory.dmp

Filesize
320KB

Download
memory/1692-8-0x0000000003020000-0x000000000302A000-memory.dmp

Filesize
40KB

Download
memory/1692-7-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download
memory/1840-416-0x000000001B100000-0x000000001B112000-memory.dmp

Filesize
72KB

Download
memory/3032-451-0x0000000003310000-0x0000000003366000-memory.dmp

Filesize
344KB

Download
memory/4308-485-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/4784-231-0x0000022F1E9C0000-0x0000022F1E9E2000-memory.dmp

Filesize
136KB

Download
memory/5732-404-0x000000001B060000-0x000000001B072000-memory.dmp

Filesize
72KB

Download