1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Size

1.9MB
MD5

28e39f9d02ebd13216c240dff7276a30
SHA1

255206f138148168b57856ecff22fa1d08e857eb
SHA256

0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26
SHA512

fb4d52179efa3bd1aa83ffc9bc592393a999b2c6c847365e0e4108b10000c6bed9f621bc584650b66a5ecb165b8b372f15d7b780ef5ee9ea99f6dcb502f42d6a
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2936	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2936	schtasks.exe	87

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3184	powershell.exe
6004	powershell.exe
912	powershell.exe
452	powershell.exe
1512	powershell.exe
2488	powershell.exe
2148	powershell.exe
2540	powershell.exe
2952	powershell.exe
5168	powershell.exe
5516	powershell.exe
876	powershell.exe
4276	powershell.exe
1936	powershell.exe
5492	powershell.exe
1684	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 9 IoCs

pid	Process
5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
5892	WmiPrvSE.exe
4604	WmiPrvSE.exe
2340	WmiPrvSE.exe
1936	WmiPrvSE.exe
1048	WmiPrvSE.exe
3000	WmiPrvSE.exe
3164	WmiPrvSE.exe
5644	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4732_595216890\121e5b5079f7c0	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX6894.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCX6B16.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RuntimeBroker.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\edge_BITS_4516_456106204\22eafd247d37c3	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\eddb19405b7ce1	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Java\jre-1.8\9e8d7a4ca61bd9	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX6893.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RCX6FAE.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Java\jre-1.8\RuntimeBroker.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4516_456106204\RCX63DC.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Java\jre-1.8\RCX702C.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4516_456106204\RCX63ED.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCX6B17.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\sysmon.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\edge_BITS_4732_595216890\sysmon.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\WmiPrvSE.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\Cursors\WmiPrvSE.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Windows\Cursors\24dbde2999530e	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	WmiPrvSE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4592	schtasks.exe
4716	schtasks.exe
4708	schtasks.exe
4840	schtasks.exe
4520	schtasks.exe
436	schtasks.exe
4720	schtasks.exe
3504	schtasks.exe
1200	schtasks.exe
2144	schtasks.exe
2140	schtasks.exe
4044	schtasks.exe
4784	schtasks.exe
5052	schtasks.exe
864	schtasks.exe
4964	schtasks.exe
4684	schtasks.exe
4008	schtasks.exe
5052	schtasks.exe
4628	schtasks.exe
5756	schtasks.exe
4428	schtasks.exe
5712	schtasks.exe
4696	schtasks.exe
4872	schtasks.exe
632	schtasks.exe
3172	schtasks.exe
2144	schtasks.exe
1888	schtasks.exe
4548	schtasks.exe
4528	schtasks.exe
4688	schtasks.exe
4708	schtasks.exe
4860	schtasks.exe
4896	schtasks.exe
4044	schtasks.exe
5024	schtasks.exe
3500	schtasks.exe
5028	schtasks.exe
4844	schtasks.exe
2780	schtasks.exe
4820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
1512	powershell.exe
1512	powershell.exe
3184	powershell.exe
3184	powershell.exe
6004	powershell.exe
6004	powershell.exe
2540	powershell.exe
2540	powershell.exe
1936	powershell.exe
1936	powershell.exe
2952	powershell.exe
2952	powershell.exe
2488	powershell.exe
2488	powershell.exe
1684	powershell.exe
1684	powershell.exe
1936	powershell.exe
1512	powershell.exe
2488	powershell.exe
2540	powershell.exe
2952	powershell.exe
3184	powershell.exe
6004	powershell.exe
1684	powershell.exe
5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
5492	powershell.exe
5492	powershell.exe
912	powershell.exe
912	powershell.exe
452	powershell.exe
452	powershell.exe
4276	powershell.exe
4276	powershell.exe
2148	powershell.exe
2148	powershell.exe
5168	powershell.exe
5168	powershell.exe
876	powershell.exe
876	powershell.exe
5516	powershell.exe
5516	powershell.exe
4276	powershell.exe
452	powershell.exe
5492	powershell.exe
912	powershell.exe
5516	powershell.exe
5168	powershell.exe
876	powershell.exe
2148	powershell.exe
5892	WmiPrvSE.exe
4604	WmiPrvSE.exe
2340	WmiPrvSE.exe
1936	WmiPrvSE.exe
1048	WmiPrvSE.exe
3000	WmiPrvSE.exe
3164	WmiPrvSE.exe
5644	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	6004	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	5892	WmiPrvSE.exe
Token: SeDebugPrivilege	4604	WmiPrvSE.exe
Token: SeDebugPrivilege	2340	WmiPrvSE.exe
Token: SeDebugPrivilege	1936	WmiPrvSE.exe
Token: SeDebugPrivilege	1048	WmiPrvSE.exe
Token: SeDebugPrivilege	3000	WmiPrvSE.exe
Token: SeDebugPrivilege	3164	WmiPrvSE.exe
Token: SeDebugPrivilege	5644	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1684	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	113
PID 1432 wrote to memory of 1684	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	113
PID 1432 wrote to memory of 2952	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	114
PID 1432 wrote to memory of 2952	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	114
PID 1432 wrote to memory of 2540	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	115
PID 1432 wrote to memory of 2540	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	115
PID 1432 wrote to memory of 1936	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	116
PID 1432 wrote to memory of 1936	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	116
PID 1432 wrote to memory of 6004	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	118
PID 1432 wrote to memory of 6004	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	118
PID 1432 wrote to memory of 2488	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	119
PID 1432 wrote to memory of 2488	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	119
PID 1432 wrote to memory of 1512	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	121
PID 1432 wrote to memory of 1512	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	121
PID 1432 wrote to memory of 3184	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	122
PID 1432 wrote to memory of 3184	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	122
PID 1432 wrote to memory of 5924	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	129
PID 1432 wrote to memory of 5924	1432	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	129
PID 5924 wrote to memory of 5168	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	153
PID 5924 wrote to memory of 5168	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	153
PID 5924 wrote to memory of 912	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	154
PID 5924 wrote to memory of 912	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	154
PID 5924 wrote to memory of 5516	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	155
PID 5924 wrote to memory of 5516	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	155
PID 5924 wrote to memory of 2148	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	156
PID 5924 wrote to memory of 2148	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	156
PID 5924 wrote to memory of 452	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	157
PID 5924 wrote to memory of 452	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	157
PID 5924 wrote to memory of 4276	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	158
PID 5924 wrote to memory of 4276	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	158
PID 5924 wrote to memory of 876	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	159
PID 5924 wrote to memory of 876	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	159
PID 5924 wrote to memory of 5492	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	160
PID 5924 wrote to memory of 5492	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	160
PID 5924 wrote to memory of 4540	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	169
PID 5924 wrote to memory of 4540	5924	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	169
PID 4540 wrote to memory of 3352	4540	cmd.exe	171
PID 4540 wrote to memory of 3352	4540	cmd.exe	171
PID 4540 wrote to memory of 5892	4540	cmd.exe	172
PID 4540 wrote to memory of 5892	4540	cmd.exe	172
PID 5892 wrote to memory of 3304	5892	WmiPrvSE.exe	173
PID 5892 wrote to memory of 3304	5892	WmiPrvSE.exe	173
PID 5892 wrote to memory of 5328	5892	WmiPrvSE.exe	174
PID 5892 wrote to memory of 5328	5892	WmiPrvSE.exe	174
PID 3304 wrote to memory of 4604	3304	WScript.exe	177
PID 3304 wrote to memory of 4604	3304	WScript.exe	177
PID 4604 wrote to memory of 4520	4604	WmiPrvSE.exe	178
PID 4604 wrote to memory of 4520	4604	WmiPrvSE.exe	178
PID 4604 wrote to memory of 4896	4604	WmiPrvSE.exe	179
PID 4604 wrote to memory of 4896	4604	WmiPrvSE.exe	179
PID 4520 wrote to memory of 2340	4520	WScript.exe	186
PID 4520 wrote to memory of 2340	4520	WScript.exe	186
PID 2340 wrote to memory of 2000	2340	WmiPrvSE.exe	187
PID 2340 wrote to memory of 2000	2340	WmiPrvSE.exe	187
PID 2340 wrote to memory of 5800	2340	WmiPrvSE.exe	188
PID 2340 wrote to memory of 5800	2340	WmiPrvSE.exe	188
PID 2000 wrote to memory of 1936	2000	WScript.exe	189
PID 2000 wrote to memory of 1936	2000	WScript.exe	189
PID 1936 wrote to memory of 5812	1936	WmiPrvSE.exe	190
PID 1936 wrote to memory of 5812	1936	WmiPrvSE.exe	190
PID 1936 wrote to memory of 1984	1936	WmiPrvSE.exe	191
PID 1936 wrote to memory of 1984	1936	WmiPrvSE.exe	191
PID 5812 wrote to memory of 1048	5812	WScript.exe	193
PID 5812 wrote to memory of 1048	5812	WScript.exe	193

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
"C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
  "C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\TrustedInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\Registry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3352
  - - C:\Windows\Cursors\WmiPrvSE.exe
      "C:\Windows\Cursors\WmiPrvSE.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5892
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d303c3dc-b495-4b26-b4af-1cd2b2d331b3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c09ebc9a-7d38-48ab-be77-6ff18ded08f5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\596b3e8e-1f94-4965-9052-6374f001b117.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f59a03-5d40-49df-a42f-e24d76bb4582.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d5fb27d-545e-410d-b535-69c6e22a5f97.vbs"
        13⤵
        
        PID:5540
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01deb874-4fa5-40ef-ad7f-8873042e8785.vbs"
        15⤵
        
        PID:4544
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67236146-5e0e-4803-9172-76c2f7d27572.vbs"
        17⤵
        
        PID:3108
        
        C:\Windows\Cursors\WmiPrvSE.exe
        
        C:\Windows\Cursors\WmiPrvSE.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c4425ec-2ee1-4999-9634-c2cbf91547f7.vbs"
        17⤵
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09a4601d-aa64-43fe-ac22-697db7435969.vbs"
        15⤵
        
        PID:5432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d57c68ca-31ab-48f1-9487-97704a84486d.vbs"
        13⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156a6241-8dc6-4d47-ba9a-b88911b70005.vbs"
        11⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5ffc62e-221b-4bbb-9c20-a0dbb799e715.vbs"
        9⤵
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeef5e2d-07a6-4214-87ce-0813ac330ad7.vbs"
        7⤵
        
        PID:4896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab6a6d1-b3eb-41ba-9d9a-2445fcc8f2b0.vbs"
        5⤵
        
        PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4516_456106204\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4732_595216890\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4732_595216890\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\RuntimeBroker.exe

Filesize
1.9MB

MD5
86039028e62a3f50de37a7d56b797073

SHA1
a71804f9441e01826b9e6cc68442fedd1c1ea4d2

SHA256
9ba3aef31f7c9ec9939a5ce1cb50fb72174c31dcf9046364f2eaf66ed30fb229

SHA512
4508c98dc95292085137f2fa04221967aec1a4c8bdf73e28167917513992dcc024eacb68d71ceaf0b9aec39149041e712de16184e256d84bed526ee944a80fe5

Download Submit
C:\Recovery\WindowsRE\SearchApp.exe

Filesize
1.9MB

MD5
28e39f9d02ebd13216c240dff7276a30

SHA1
255206f138148168b57856ecff22fa1d08e857eb

SHA256
0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26

SHA512
fb4d52179efa3bd1aa83ffc9bc592393a999b2c6c847365e0e4108b10000c6bed9f621bc584650b66a5ecb165b8b372f15d7b780ef5ee9ea99f6dcb502f42d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
984eb66ab76d3a57f9ec4642c1334404

SHA1
99601e707cf36b395ed084b2ba6c895c2c6ffc7a

SHA256
92cf7154efc40b025c009df572acf404151aa9966a205559930324904124c48f

SHA512
c74d68ea69101ff4374ab42e9fac26c24cc90b19eb1c962b47901523a627e1c00afb81bcfbfc268d1f6654115ede59ecf657604941c6fb4e245d48a1c285293d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f26021db51b2ceb0c03baf5665a86386

SHA1
5487265d705c72daa8495c543f2182a64b373da3

SHA256
56a4d25798b8d3102fec5025892dd6ff79500aee72db311e82b1308f1783db6f

SHA512
e09f018d22c3dee7ff7dbd6d79182e5c94be1aba0ceaeef3652d254712fa8393dc81002e20de3749abd3420ce0ed23dee176fa50eeaf80d6ee09a9dae2a1a49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Temp\00f59a03-5d40-49df-a42f-e24d76bb4582.vbs

Filesize
707B

MD5
b85ca2552d5e46780ae12d84f24c618d

SHA1
fa4f111cb5f63076691bf80e04bf683ee715ca20

SHA256
561d5fd14c9522e92b041dbf086851e651fc3d7c1c797ad021a32fccc4fae13f

SHA512
d3d0b69f8676d7a3b98f42ae9e272db43bef7f1b088950facadbcca437e91ba28d22b46f76456160391b1d4df09327005785bdce67957aa1722c55aa88c3f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\01deb874-4fa5-40ef-ad7f-8873042e8785.vbs

Filesize
707B

MD5
3549407faf2750a3d8ffe7341666c90f

SHA1
122a176e8d5f1aab175b6e605ea42242e9c6ea6e

SHA256
a174e031354e76553ac34b6c4bdb82a44ec29750638db45495849d5e9ac58830

SHA512
0aba0bef95064665e0b18541d2630ac2d4601beec4b564efc5375329616f48073052ae00049b9447b4c90fce36d76bc70d294f7c1b2e82773230f45b8ad53d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d5fb27d-545e-410d-b535-69c6e22a5f97.vbs

Filesize
707B

MD5
5ce16c2779b5b42f192598543d03370b

SHA1
35daf21622406aa3b790d676c12d787522109f22

SHA256
c06235defd8d2a2a76a3c7deae040d62e9d702496b36066f5b93bcc9d1edb37c

SHA512
7e582c83496d21fa58fd70b0c4179b44b8c93a4b29e6c9c2f72b95586a0b9bf4cac1b364c6a2d410541a84d999ef1b4097e612a37181cd75d58514d5f39a4e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\596b3e8e-1f94-4965-9052-6374f001b117.vbs

Filesize
707B

MD5
43a14bda806c89a64dd64f5e531912c8

SHA1
c4f38cc47ddb9ee925f70a3ccd06838107f8ccbf

SHA256
48fc62eb731c17410ffb17dbb8a356a837915a48f8fe3546e3d8f2ad797dac3d

SHA512
728e6298cc93e187c2b0b41834ac890b330271ce6cd8146d095c4603ea6702f76ca5c68fbc89f92d94f170702d1e13c40b4b5135eaa515ed1b1159fcdd67d56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\67236146-5e0e-4803-9172-76c2f7d27572.vbs

Filesize
707B

MD5
a891f3d46c51c3e0b64426911e838d4d

SHA1
558052db39d8c8d94ebeb83cfcfb522e1e8918eb

SHA256
1f86fdfc697e82e37a8f5973df7709444a52b5b35b80dbdf918ea1400138f0da

SHA512
a1ce3a3db46b2f019af31914a25868cd7d232df22b27ca3887d6c27bdb2cb4a012cd0b8637553c675e01c2c6b84a7621c4b69c48b440ba29b6afdca4ba78eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXzTWsAaM8.bat

Filesize
196B

MD5
c388fd673a6723396e986a5908532bbf

SHA1
bf651e36bb6e92b73fc83efb02d6405cebb6b126

SHA256
8996c8fcb2bc5ae699adcbae887405e8724fac6380c5aebf9d74d1286965f872

SHA512
e794fa4ef6c14dcd6bdb28a4073348ba2041ea3d05fd0dc4392fe07f638d49ae4406b44fab2236d11ca7815d293eead4e6406c9b59424c702f7519d48c2cce0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_325e3hf2.2os.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c09ebc9a-7d38-48ab-be77-6ff18ded08f5.vbs

Filesize
707B

MD5
371592e3caeccf727660244a8a3ffed7

SHA1
20d645cd3896b462340b5d362309aec14f1731a9

SHA256
b503f444d7bab4792fcbcf77dda1ccca1e50248e46e836f5926dea6365e69f5b

SHA512
e6618884345ae027b90ee4941ca50d263d2f0f43500a8c17f63f1a90b5206df37adac6dbe273c77d7d153594f08e93455b095ac25f49188c6ec748497d225aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cab6a6d1-b3eb-41ba-9d9a-2445fcc8f2b0.vbs

Filesize
483B

MD5
b0c713c217cdbe328f0e9ad83cb7c3c3

SHA1
e77e10eeb6f191b27ee6248e840864bd12607434

SHA256
591def59ec0babbfda8b2c7fbab71143cb7e4aa7bcc65e49326044d0a558256e

SHA512
fe1e568320e8434e424a2473e0adf9604405906bb50941743baea3ae5d767e4bf2a64d2e72f6e7c4666c0e40dd9b7fae49820b02737aa02ac45a02faba04bb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d303c3dc-b495-4b26-b4af-1cd2b2d331b3.vbs

Filesize
707B

MD5
0d01cc80133f326ffbfdbbdf85479b7e

SHA1
e9a7188c36877d6a20674ba20def4582d29fb50c

SHA256
d5b75574f507cca2db4044c8b60e725fd9bda07ad7230e3100beac0ec0ed1720

SHA512
2901102a7b6efe3415c6026cd24e0f09762877bd7d538d919b45b1840cc62e736c0ac80a9e4fee7c177ea73b2ed961d8f0da820e7ed90955d9d61b8e30a8f759

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
712B

MD5
1532bd95883714810e568620dc415d76

SHA1
e95e626e8ec35d3efd6886ecb7036e053b2a3516

SHA256
90c6261111391e8150bdd3d9a0851d75df9a9e51edfe429d1efc3304e9a13718

SHA512
b57b27643cdb43b52e1966c245548e4373596820e5b3b3186d9f93454d587217464f1269a89f291435a44152956404f40944e4ad37627124aa9616137c8cc36d

Download Submit
C:\Users\Default\TextInputHost.exe

Filesize
1.9MB

MD5
ca5d568db97d93b1a94853c0d76076d2

SHA1
20c9f231f822a083a17318b19115557e1a323940

SHA256
cd98f77bc5540c3e7d864f6e485cda531b9582673ce93ffe3d9fc3d515e35567

SHA512
8f50fc9e2677bb6ec840722ce46fcb575257a4a189b5e03a37adc7dbe664cc7c4564cb4103f51b13a3c764369caa59a36aaf3c098b23afb492daeff6e41e3ddc

Download Submit
memory/1432-2-0x00007FFC650A0000-0x00007FFC65B61000-memory.dmp

Filesize
10.8MB

Download
memory/1432-0-0x00007FFC650A3000-0x00007FFC650A5000-memory.dmp

Filesize
8KB

Download
memory/1432-9-0x000000001B110000-0x000000001B166000-memory.dmp

Filesize
344KB

Download
memory/1432-8-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/1432-7-0x0000000002870000-0x0000000002886000-memory.dmp

Filesize
88KB

Download
memory/1432-15-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/1432-6-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1432-196-0x00007FFC650A0000-0x00007FFC65B61000-memory.dmp

Filesize
10.8MB

Download
memory/1432-5-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/1432-14-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

Filesize
5.2MB

Download
memory/1432-4-0x000000001B0B0000-0x000000001B100000-memory.dmp

Filesize
320KB

Download
memory/1432-17-0x000000001B950000-0x000000001B95E000-memory.dmp

Filesize
56KB

Download
memory/1432-10-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/1432-16-0x000000001B940000-0x000000001B94A000-memory.dmp

Filesize
40KB

Download
memory/1432-3-0x0000000000DD0000-0x0000000000DEC000-memory.dmp

Filesize
112KB

Download
memory/1432-11-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/1432-13-0x000000001B090000-0x000000001B0A2000-memory.dmp

Filesize
72KB

Download
memory/1432-1-0x0000000000330000-0x000000000051A000-memory.dmp

Filesize
1.9MB

Download
memory/1432-20-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/1432-19-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/1432-18-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/1512-126-0x000002604CEB0000-0x000002604CED2000-memory.dmp

Filesize
136KB

Download
memory/1936-378-0x000000001B970000-0x000000001B982000-memory.dmp

Filesize
72KB

Download
memory/2340-366-0x000000001B5E0000-0x000000001B636000-memory.dmp

Filesize
344KB

Download
memory/3164-412-0x000000001C090000-0x000000001C0E6000-memory.dmp

Filesize
344KB

Download
memory/4604-354-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/5924-206-0x000000001BD40000-0x000000001BD52000-memory.dmp

Filesize
72KB

Download