000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
147s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7cbc882298f639d31191a03ec81bd3.exe
Size

1.9MB
MD5

0d7cbc882298f639d31191a03ec81bd3
SHA1

93124a821e8fe02c1736cb62e9a613c8dc8379e6
SHA256

56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913
SHA512

5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5692	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6004	5444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	5444	schtasks.exe	89

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3260	powershell.exe
4284	powershell.exe
5552	powershell.exe
1088	powershell.exe
1608	powershell.exe
5060	powershell.exe
5044	powershell.exe
5272	powershell.exe
5032	powershell.exe
5112	powershell.exe
2592	powershell.exe
8	powershell.exe
1360	powershell.exe
388	powershell.exe
5020	powershell.exe
5028	powershell.exe
5096	powershell.exe
1164	powershell.exe
4384	powershell.exe
1832	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0d7cbc882298f639d31191a03ec81bd3.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	0d7cbc882298f639d31191a03ec81bd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

pid	Process
3680	SearchApp.exe
2820	SearchApp.exe
916	SearchApp.exe
3988	SearchApp.exe
4800	SearchApp.exe
2076	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXB1F2.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files\edge_BITS_4704_879384995\0a1fd5f707cd16	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files\edge_BITS_4704_879384995\RCXADB8.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXB1E1.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXCC86.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXCC97.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\c5b4cb5e9653cc	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Program Files\edge_BITS_4704_879384995\RCXADB7.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe	0d7cbc882298f639d31191a03ec81bd3.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\ea1d8f6d871115	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Cursors\ee2ad38f3d4382	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\diagnostics\smss.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Downloaded Program Files\38384e6a620884	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\RCXAFCC.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\dllhost.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\it-IT\RCXB698.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Cursors\RCXB8ED.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Downloaded Program Files\dllhost.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Downloaded Program Files\SearchApp.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXB494.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Cursors\Registry.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\SearchApp.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Downloaded Program Files\5940a34987c991	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\RCXAFCD.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\it-IT\RCXB6B8.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\it-IT\upfc.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXD3C0.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\886983d96e3d3e	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\it-IT\upfc.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File created	C:\Windows\Cursors\Registry.exe	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXB416.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Cursors\RCXB8CD.tmp	0d7cbc882298f639d31191a03ec81bd3.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXD3C1.tmp	0d7cbc882298f639d31191a03ec81bd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	0d7cbc882298f639d31191a03ec81bd3.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5692	schtasks.exe
4976	schtasks.exe
2868	schtasks.exe
5232	schtasks.exe
2436	schtasks.exe
3004	schtasks.exe
3440	schtasks.exe
3476	schtasks.exe
2860	schtasks.exe
4076	schtasks.exe
5744	schtasks.exe
6092	schtasks.exe
3036	schtasks.exe
3312	schtasks.exe
2188	schtasks.exe
5096	schtasks.exe
5044	schtasks.exe
1692	schtasks.exe
1312	schtasks.exe
3688	schtasks.exe
2136	schtasks.exe
440	schtasks.exe
2848	schtasks.exe
6048	schtasks.exe
1824	schtasks.exe
4312	schtasks.exe
5304	schtasks.exe
6004	schtasks.exe
388	schtasks.exe
552	schtasks.exe
404	schtasks.exe
5344	schtasks.exe
1936	schtasks.exe
1956	schtasks.exe
984	schtasks.exe
5164	schtasks.exe
4796	schtasks.exe
2292	schtasks.exe
1704	schtasks.exe
5708	schtasks.exe
5456	schtasks.exe
1052	schtasks.exe
1832	schtasks.exe
5748	schtasks.exe
1472	schtasks.exe
2300	schtasks.exe
5032	schtasks.exe
1532	schtasks.exe
5084	schtasks.exe
5492	schtasks.exe
4224	schtasks.exe
316	schtasks.exe
3176	schtasks.exe
2076	schtasks.exe
5648	schtasks.exe
2592	schtasks.exe
3996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
220	0d7cbc882298f639d31191a03ec81bd3.exe
5096	powershell.exe
5096	powershell.exe
5272	powershell.exe
4384	powershell.exe
4384	powershell.exe
5272	powershell.exe
5044	powershell.exe
5044	powershell.exe
1832	powershell.exe
1832	powershell.exe
4284	powershell.exe
4284	powershell.exe
1608	powershell.exe
1608	powershell.exe
5032	powershell.exe
5032	powershell.exe
1360	powershell.exe
1360	powershell.exe
5060	powershell.exe
5060	powershell.exe
2592	powershell.exe
2592	powershell.exe
1088	powershell.exe
1088	powershell.exe
3260	powershell.exe
3260	powershell.exe
1164	powershell.exe
1164	powershell.exe
5020	powershell.exe
5020	powershell.exe
8	powershell.exe
8	powershell.exe
5552	powershell.exe
5552	powershell.exe
5028	powershell.exe
5028	powershell.exe
5112	powershell.exe
5112	powershell.exe
388	powershell.exe
388	powershell.exe
5112	powershell.exe
5028	powershell.exe
1164	powershell.exe
4384	powershell.exe
5272	powershell.exe
5272	powershell.exe
5096	powershell.exe
5096	powershell.exe
1832	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	0d7cbc882298f639d31191a03ec81bd3.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	5552	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	3680	SearchApp.exe
Token: SeDebugPrivilege	2820	SearchApp.exe
Token: SeDebugPrivilege	916	SearchApp.exe
Token: SeDebugPrivilege	3988	SearchApp.exe
Token: SeDebugPrivilege	4800	SearchApp.exe
Token: SeDebugPrivilege	2076	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 5096	220	0d7cbc882298f639d31191a03ec81bd3.exe	153
PID 220 wrote to memory of 5096	220	0d7cbc882298f639d31191a03ec81bd3.exe	153
PID 220 wrote to memory of 5028	220	0d7cbc882298f639d31191a03ec81bd3.exe	154
PID 220 wrote to memory of 5028	220	0d7cbc882298f639d31191a03ec81bd3.exe	154
PID 220 wrote to memory of 5020	220	0d7cbc882298f639d31191a03ec81bd3.exe	155
PID 220 wrote to memory of 5020	220	0d7cbc882298f639d31191a03ec81bd3.exe	155
PID 220 wrote to memory of 5044	220	0d7cbc882298f639d31191a03ec81bd3.exe	156
PID 220 wrote to memory of 5044	220	0d7cbc882298f639d31191a03ec81bd3.exe	156
PID 220 wrote to memory of 388	220	0d7cbc882298f639d31191a03ec81bd3.exe	158
PID 220 wrote to memory of 388	220	0d7cbc882298f639d31191a03ec81bd3.exe	158
PID 220 wrote to memory of 5060	220	0d7cbc882298f639d31191a03ec81bd3.exe	159
PID 220 wrote to memory of 5060	220	0d7cbc882298f639d31191a03ec81bd3.exe	159
PID 220 wrote to memory of 5032	220	0d7cbc882298f639d31191a03ec81bd3.exe	160
PID 220 wrote to memory of 5032	220	0d7cbc882298f639d31191a03ec81bd3.exe	160
PID 220 wrote to memory of 5112	220	0d7cbc882298f639d31191a03ec81bd3.exe	162
PID 220 wrote to memory of 5112	220	0d7cbc882298f639d31191a03ec81bd3.exe	162
PID 220 wrote to memory of 5272	220	0d7cbc882298f639d31191a03ec81bd3.exe	163
PID 220 wrote to memory of 5272	220	0d7cbc882298f639d31191a03ec81bd3.exe	163
PID 220 wrote to memory of 1608	220	0d7cbc882298f639d31191a03ec81bd3.exe	164
PID 220 wrote to memory of 1608	220	0d7cbc882298f639d31191a03ec81bd3.exe	164
PID 220 wrote to memory of 1360	220	0d7cbc882298f639d31191a03ec81bd3.exe	166
PID 220 wrote to memory of 1360	220	0d7cbc882298f639d31191a03ec81bd3.exe	166
PID 220 wrote to memory of 1832	220	0d7cbc882298f639d31191a03ec81bd3.exe	167
PID 220 wrote to memory of 1832	220	0d7cbc882298f639d31191a03ec81bd3.exe	167
PID 220 wrote to memory of 1088	220	0d7cbc882298f639d31191a03ec81bd3.exe	168
PID 220 wrote to memory of 1088	220	0d7cbc882298f639d31191a03ec81bd3.exe	168
PID 220 wrote to memory of 8	220	0d7cbc882298f639d31191a03ec81bd3.exe	170
PID 220 wrote to memory of 8	220	0d7cbc882298f639d31191a03ec81bd3.exe	170
PID 220 wrote to memory of 5552	220	0d7cbc882298f639d31191a03ec81bd3.exe	171
PID 220 wrote to memory of 5552	220	0d7cbc882298f639d31191a03ec81bd3.exe	171
PID 220 wrote to memory of 4384	220	0d7cbc882298f639d31191a03ec81bd3.exe	172
PID 220 wrote to memory of 4384	220	0d7cbc882298f639d31191a03ec81bd3.exe	172
PID 220 wrote to memory of 1164	220	0d7cbc882298f639d31191a03ec81bd3.exe	173
PID 220 wrote to memory of 1164	220	0d7cbc882298f639d31191a03ec81bd3.exe	173
PID 220 wrote to memory of 4284	220	0d7cbc882298f639d31191a03ec81bd3.exe	174
PID 220 wrote to memory of 4284	220	0d7cbc882298f639d31191a03ec81bd3.exe	174
PID 220 wrote to memory of 3260	220	0d7cbc882298f639d31191a03ec81bd3.exe	175
PID 220 wrote to memory of 3260	220	0d7cbc882298f639d31191a03ec81bd3.exe	175
PID 220 wrote to memory of 2592	220	0d7cbc882298f639d31191a03ec81bd3.exe	176
PID 220 wrote to memory of 2592	220	0d7cbc882298f639d31191a03ec81bd3.exe	176
PID 220 wrote to memory of 948	220	0d7cbc882298f639d31191a03ec81bd3.exe	193
PID 220 wrote to memory of 948	220	0d7cbc882298f639d31191a03ec81bd3.exe	193
PID 948 wrote to memory of 1708	948	cmd.exe	195
PID 948 wrote to memory of 1708	948	cmd.exe	195
PID 948 wrote to memory of 3680	948	cmd.exe	197
PID 948 wrote to memory of 3680	948	cmd.exe	197
PID 3680 wrote to memory of 4948	3680	SearchApp.exe	198
PID 3680 wrote to memory of 4948	3680	SearchApp.exe	198
PID 3680 wrote to memory of 5532	3680	SearchApp.exe	199
PID 3680 wrote to memory of 5532	3680	SearchApp.exe	199
PID 4948 wrote to memory of 2820	4948	WScript.exe	205
PID 4948 wrote to memory of 2820	4948	WScript.exe	205
PID 2820 wrote to memory of 2284	2820	SearchApp.exe	206
PID 2820 wrote to memory of 2284	2820	SearchApp.exe	206
PID 2820 wrote to memory of 3464	2820	SearchApp.exe	207
PID 2820 wrote to memory of 3464	2820	SearchApp.exe	207
PID 2284 wrote to memory of 916	2284	WScript.exe	209
PID 2284 wrote to memory of 916	2284	WScript.exe	209
PID 916 wrote to memory of 2552	916	SearchApp.exe	210
PID 916 wrote to memory of 2552	916	SearchApp.exe	210
PID 916 wrote to memory of 5872	916	SearchApp.exe	211
PID 916 wrote to memory of 5872	916	SearchApp.exe	211
PID 2552 wrote to memory of 3988	2552	WScript.exe	212
PID 2552 wrote to memory of 3988	2552	WScript.exe	212

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0d7cbc882298f639d31191a03ec81bd3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0d7cbc882298f639d31191a03ec81bd3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe
"C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d7cbc882298f639d31191a03ec81bd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S4B5cy6pxl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1708
- - C:\Recovery\WindowsRE\SearchApp.exe
    "C:\Recovery\WindowsRE\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aae81d7-d872-457e-bf49-b912dbf83248.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0cf66e1-e575-4472-995e-c49cec53b977.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a704a8d1-ad20-427a-96a2-7805246e66b4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3a1b024-421d-4c56-8447-f5090fb3b81e.vbs"
        10⤵
        
        PID:5664
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bef9981-4ebe-4d3d-b421-63a381911ba7.vbs"
        12⤵
        
        PID:3140
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c11ad495-d25c-4bf7-8256-86399821dce7.vbs"
        14⤵
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bec4d0f-c1b4-45a6-9cee-5e34c77c4104.vbs"
        14⤵
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a53e71f-ede9-467e-a177-7bd51d244c27.vbs"
        12⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c0c110b-d136-4913-af9a-82a59080393a.vbs"
        10⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d31bd748-77b2-4668-be1b-5ef5873da4d7.vbs"
        8⤵
        
        PID:5872
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26811ef7-3c77-4080-97c9-706eb83dc97a.vbs"
        6⤵
        
        PID:3464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e77a6ea-56a0-4dba-81a8-76bf0a40afa4.vbs"
      4⤵
      PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4704_879384995\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57366c231de00746064dfc343609469e

SHA1
d0d9eba222fe7063cb8ff5684a513a0519cf8716

SHA256
6f0b61076b750e5aa238970758c9a1b5389bde8bd94c4a367e00b32d414238c9

SHA512
acc3612494d35a63fe2e110296dad850aaafd3c8327c89468a2573535ba0664350d3bfdf45338e4677dcc0553fd9cb84c81b2f88b3ce2e4836458c234db817ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
309f0051b04adbbef61aaabf270c7268

SHA1
d46326702e032281e62189901485aac6dce617d9

SHA256
07006d24b00ea173a30d6badaa92f10f79d5b82ed8bd1e2d95fe5b9da8aa839c

SHA512
4bec40bcdcd4da44e48f2c3938351f3ee197b37c3b0a949cf3bb44f3433103c6ed5c8cdf29e4c774d950c3c2f376df2a0aefba194691eac2a15f5b05ef17642a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
48b2b59bd1016475be4de4e087bb8169

SHA1
ecf9263187e29dc612224a6e1a4c5243ed110040

SHA256
df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209

SHA512
2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ea4fdbf8bad883929456091a1e50194

SHA1
fc3b6026729ad36729c2cc4349b8e7a94255ad71

SHA256
ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

SHA512
27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1324e7a4e3e6cfc7ee7add0391f0b9

SHA1
19117163248a95e5ceb83b6dc8c21e396f33bcaf

SHA256
a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52

SHA512
6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b25365534f6e80f784bf0e0d4059973

SHA1
c599ef0f1d9ba1265eeb3bb02db8ea30eebee19c

SHA256
ea3d1a91d3248163412b2df35c0fcafbdc2ad4754c82e202b8f3b142af2b760c

SHA512
96deef1eba434a1784105a51888ca0cedd460bf05743e91e06a2b3dfff690099a5c3aad8b15297d3f84a10d8ddc24cfafa622217139ac1356fe40f18fd410c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bef9981-4ebe-4d3d-b421-63a381911ba7.vbs

Filesize
711B

MD5
7a04cd12afacbdd627cc6bd67b3b751b

SHA1
8a087a9931f753bcbdc5b86385622d0ef437a864

SHA256
1da2c85fffef86d67a13af72517f8cb8578cbb6fc49f2b1a4f83b08210cc4854

SHA512
39974ad97396531dc27230bd5478a5d703370d08ad6db19ca42cc21a8b3cea24a5cab2ce82dd22794ec3a8b452799a3057cf8fb90224028c1f70986ec279e3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aae81d7-d872-457e-bf49-b912dbf83248.vbs

Filesize
711B

MD5
4b5fa81f06326149f0b8b922dd8ca481

SHA1
d8cd88cdc9f10028a401861715eb5e6b54dffe92

SHA256
3e3d9babbe3bd7f2ba37e10dfa5c57975a09f0844a4aabf6b29a2e50a1008168

SHA512
063b3c165285a7289e3a4851fa911d9221d87bfdec8bc99b8a096f7822f94b7b12ef5a46a75c69d78224bcc08e683ac35a1db4eac301a701d2d4538f49256585

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e77a6ea-56a0-4dba-81a8-76bf0a40afa4.vbs

Filesize
487B

MD5
6dfaa243ff80a59952a2f5886dfb6eb5

SHA1
7bb0aaed5f2c2e5830cccc326e79ad96e3d7c3df

SHA256
4d099fb78d8b30c50d3020b6e7b2e0fdc8d1f9cd6968fd44182011a22a338b66

SHA512
dd35aad20eadca43b6ca8f3cdba5c07c467172b199d8914cbf9c0cda6dc43dd59136e9d9dc5dc95e09518bf062319b854bef2d1dce6497b33644c3341e6507c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S4B5cy6pxl.bat

Filesize
200B

MD5
fad020cbf3a67cc3fad0000e92914078

SHA1
d4fea2f270044a070c767f524c4cda4726f110bb

SHA256
0d2c0fb4b649fba180b019d124274242bc853cf5137c8961b2d0e80bdddcd213

SHA512
12e1b5537ba792e474bd8ec519918b9e59e438018c453e5f0b6780e88b0ba53b6c82f0bd437b9c5094df1420d717217416281f9c324044d0797d8a5ca0835fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwsf3jdu.w0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a704a8d1-ad20-427a-96a2-7805246e66b4.vbs

Filesize
710B

MD5
73005a7a0fa7e3697708253d14d10107

SHA1
35a434d922e090437766fcecda7f219da0924a31

SHA256
8eb52f05aa35199b3692ed2e40b475836ef769983f6cd0cd2c9237689c8c237b

SHA512
e5a6220721a55bcc660e09cc210270a43a6d7c231a36d6c14d8139996c111aba272b6854728d2b1a5964043ec8813375d838b4ad120af8a573e9f4a31429a0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c11ad495-d25c-4bf7-8256-86399821dce7.vbs

Filesize
711B

MD5
6de03ec0c6d2603900d0839dae4bf14b

SHA1
54994d85a2ed180b6c2f67c01ecc70099c672618

SHA256
5d6ce114f0df65ade2930d3698aceb09cf464f0264451e476e152f9463097493

SHA512
6e09593076b9629735057773e7a49a136c4d1a3b13bf8077c41408e01796ccf0c0d2b9e8dcfe882db7d4422f5bc3ab464509cb1c753ff3b1e5dc5ec2505bea0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3a1b024-421d-4c56-8447-f5090fb3b81e.vbs

Filesize
711B

MD5
c92bafc35f832fe09d7be6f4d6389950

SHA1
36f3a7a5b84a49e0a8d244ac3ba063b95bd54d46

SHA256
8b4764dde2d0183c52a860556ae56ec4239664075b6736bf746e301bddd8473e

SHA512
47029c7228ac58a254b787dcf42fde88472d431f3a8e718b7b9465b408145ba4ed1cb758725ebfba5b6b54b1f7b56369807c9f4b26e2f7015a1e829fd53a63af

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cf66e1-e575-4472-995e-c49cec53b977.vbs

Filesize
711B

MD5
d5aeb65357bc5a1499a3a8742406c970

SHA1
ac33f70010b329244e7947cdb755a782c65a3fef

SHA256
97886c6137a0f0e5c42031b8e1911c35813c2df2705cff479f0dca799b4b99fa

SHA512
d4681d034fbf391b67a2a4a524f1e78b7ed2f314a75494c3ab40621e18ae36fca1bad948396421ccc010c7b72fd695960f96880ae25a5f666323b675ba2051e2

Download Submit
C:\Windows\Downloaded Program Files\dllhost.exe

Filesize
1.9MB

MD5
c69c684c3e935fcf789f11ab6c513ac3

SHA1
4fb907a704d2606af4c3e538a90814579ebf2ecc

SHA256
725d24cb28af2de144fd4df780b7d23ddae3e7f0f2939ae0fb6ab2960498792c

SHA512
03168276eee3edd42056dabeee85e3182d0c07f3ddcf2eac4d27df4429695b77f4ea2bf5e006fbde16a7d5da1d72cf8d04bbe15218f7b39149bd414dfb4ac923

Download Submit
C:\Windows\it-IT\upfc.exe

Filesize
1.9MB

MD5
0d7cbc882298f639d31191a03ec81bd3

SHA1
93124a821e8fe02c1736cb62e9a613c8dc8379e6

SHA256
56d64aaeab87dad048e08ea98237bcc727bbab88d97cc126e328ea1adf7fc913

SHA512
5bfbbefb14b200ded88943b685b22e5ac26ea281c9948d8a5fae49f3d19899d82730d52c8034c0b5d5c1b5fe1da1cb583d26b4d2ce3264903e5416d5480b3cf9

Download Submit
memory/220-10-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/220-13-0x0000000002900000-0x0000000002912000-memory.dmp

Filesize
72KB

Download
memory/220-184-0x00007FF9692F3000-0x00007FF9692F5000-memory.dmp

Filesize
8KB

Download
memory/220-208-0x00007FF9692F0000-0x00007FF969DB1000-memory.dmp

Filesize
10.8MB

Download
memory/220-19-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/220-1-0x0000000000570000-0x000000000075A000-memory.dmp

Filesize
1.9MB

Download
memory/220-315-0x00007FF9692F0000-0x00007FF969DB1000-memory.dmp

Filesize
10.8MB

Download
memory/220-20-0x000000001BD30000-0x000000001BD3C000-memory.dmp

Filesize
48KB

Download
memory/220-18-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/220-16-0x000000001B4C0000-0x000000001B4CA000-memory.dmp

Filesize
40KB

Download
memory/220-15-0x0000000002910000-0x000000000291C000-memory.dmp

Filesize
48KB

Download
memory/220-14-0x000000001C690000-0x000000001CBB8000-memory.dmp

Filesize
5.2MB

Download
memory/220-0-0x00007FF9692F3000-0x00007FF9692F5000-memory.dmp

Filesize
8KB

Download
memory/220-17-0x000000001BD00000-0x000000001BD0E000-memory.dmp

Filesize
56KB

Download
memory/220-11-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/220-9-0x0000000002970000-0x00000000029C6000-memory.dmp

Filesize
344KB

Download
memory/220-2-0x00007FF9692F0000-0x00007FF969DB1000-memory.dmp

Filesize
10.8MB

Download
memory/220-7-0x00000000028A0000-0x00000000028B6000-memory.dmp

Filesize
88KB

Download
memory/220-8-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/220-4-0x0000000002920000-0x0000000002970000-memory.dmp

Filesize
320KB

Download
memory/220-3-0x0000000002870000-0x000000000288C000-memory.dmp

Filesize
112KB

Download
memory/220-6-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/220-5-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2076-582-0x000000001B8C0000-0x000000001B916000-memory.dmp

Filesize
344KB

Download
memory/2820-537-0x000000001AF90000-0x000000001AFA2000-memory.dmp

Filesize
72KB

Download
memory/2820-536-0x000000001B100000-0x000000001B156000-memory.dmp

Filesize
344KB

Download
memory/3680-523-0x000000001C220000-0x000000001C276000-memory.dmp

Filesize
344KB

Download
memory/4384-301-0x000001F525CB0000-0x000001F525CD2000-memory.dmp

Filesize
136KB

Download