ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Size

1.9MB
MD5

464a05553b5bd47c84618761d07b32a6
SHA1

4947299420a124b29d359513690e92574d67f87d
SHA256

4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b
SHA512

526fe406c9b68ac5bcb1dedf49d90e2f4bfab3a46141b8b4e2c71eff294681ae0c4a5cce0e467856fdb46251dc65cabd40b23ca490e81045bb340f39e919f509
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1936	schtasks.exe	30

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1652	powershell.exe
1692	powershell.exe
2068	powershell.exe
1656	powershell.exe
2148	powershell.exe
2508	powershell.exe
2704	powershell.exe
2084	powershell.exe
2108	powershell.exe
2228	powershell.exe
1108	powershell.exe
480	powershell.exe
1552	powershell.exe
1532	powershell.exe
1772	powershell.exe
2468	powershell.exe
2412	powershell.exe
2104	powershell.exe
1960	powershell.exe
1744	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Executes dropped EXE 6 IoCs

pid	Process
2528	smss.exe
2992	smss.exe
1796	smss.exe
448	smss.exe
1632	smss.exe
2304	smss.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\slmgr\0409\RCXD907.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\System32\slmgr\0409\RCXD908.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\System32\slmgr\0409\dllhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\System32\slmgr\0409\dllhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\System32\slmgr\0409\5940a34987c991	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\dllhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCXC6BF.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD28C.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD28D.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\Windows Mail\it-IT\1610b97d3ab4a7	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXBDD2.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\Internet Explorer\5940a34987c991	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXBDD1.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\dllhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCXC72D.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\services.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\taskhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\ModemLogs\smss.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCXC249.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\fr-FR\RCXCE16.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\Boot\Fonts\lsass.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\ModemLogs\RCXAF25.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\ModemLogs\RCXAF94.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\fr-FR\RCXCDA8.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\ModemLogs\smss.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\LiveKernelReports\taskhost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\LiveKernelReports\b75386f1303e64	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\fr-FR\System.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXD704.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\ModemLogs\69ddcba757bf72	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\cc11b995f2a76d	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\fr-FR\System.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\fr-FR\27d1bcfc3c54e0	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCXC248.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXD695.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
1692	schtasks.exe
1316	schtasks.exe
2984	schtasks.exe
2508	schtasks.exe
2872	schtasks.exe
1992	schtasks.exe
1784	schtasks.exe
1772	schtasks.exe
2876	schtasks.exe
2440	schtasks.exe
580	schtasks.exe
2320	schtasks.exe
1740	schtasks.exe
2868	schtasks.exe
3024	schtasks.exe
2328	schtasks.exe
652	schtasks.exe
1160	schtasks.exe
1016	schtasks.exe
872	schtasks.exe
1632	schtasks.exe
2740	schtasks.exe
1984	schtasks.exe
2188	schtasks.exe
2616	schtasks.exe
2724	schtasks.exe
3048	schtasks.exe
2168	schtasks.exe
2412	schtasks.exe
1540	schtasks.exe
1948	schtasks.exe
284	schtasks.exe
2676	schtasks.exe
3020	schtasks.exe
2248	schtasks.exe
1756	schtasks.exe
1616	schtasks.exe
3032	schtasks.exe
1916	schtasks.exe
712	schtasks.exe
2580	schtasks.exe
2008	schtasks.exe
2232	schtasks.exe
1636	schtasks.exe
1996	schtasks.exe
2796	schtasks.exe
2084	schtasks.exe
1484	schtasks.exe
2672	schtasks.exe
2820	schtasks.exe
2104	schtasks.exe
1908	schtasks.exe
904	schtasks.exe
720	schtasks.exe
3052	schtasks.exe
1860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
1960	powershell.exe
480	powershell.exe
2228	powershell.exe
1772	powershell.exe
1552	powershell.exe
1744	powershell.exe
1108	powershell.exe
2468	powershell.exe
2068	powershell.exe
1656	powershell.exe
2148	powershell.exe
2084	powershell.exe
2104	powershell.exe
1692	powershell.exe
2108	powershell.exe
2508	powershell.exe
2412	powershell.exe
1652	powershell.exe
1532	powershell.exe
2704	powershell.exe
2528	smss.exe
2992	smss.exe
1796	smss.exe
448	smss.exe
1632	smss.exe
2304	smss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2528	smss.exe
Token: SeDebugPrivilege	2992	smss.exe
Token: SeDebugPrivilege	1796	smss.exe
Token: SeDebugPrivilege	448	smss.exe
Token: SeDebugPrivilege	1632	smss.exe
Token: SeDebugPrivilege	2304	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2704	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	89
PID 2360 wrote to memory of 2704	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	89
PID 2360 wrote to memory of 2704	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	89
PID 2360 wrote to memory of 1744	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	90
PID 2360 wrote to memory of 1744	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	90
PID 2360 wrote to memory of 1744	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	90
PID 2360 wrote to memory of 2468	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	91
PID 2360 wrote to memory of 2468	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	91
PID 2360 wrote to memory of 2468	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	91
PID 2360 wrote to memory of 1552	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	92
PID 2360 wrote to memory of 1552	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	92
PID 2360 wrote to memory of 1552	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	92
PID 2360 wrote to memory of 1772	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	94
PID 2360 wrote to memory of 1772	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	94
PID 2360 wrote to memory of 1772	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	94
PID 2360 wrote to memory of 480	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	95
PID 2360 wrote to memory of 480	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	95
PID 2360 wrote to memory of 480	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	95
PID 2360 wrote to memory of 1108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	97
PID 2360 wrote to memory of 1108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	97
PID 2360 wrote to memory of 1108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	97
PID 2360 wrote to memory of 1960	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	98
PID 2360 wrote to memory of 1960	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	98
PID 2360 wrote to memory of 1960	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	98
PID 2360 wrote to memory of 2508	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	99
PID 2360 wrote to memory of 2508	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	99
PID 2360 wrote to memory of 2508	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	99
PID 2360 wrote to memory of 2148	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	100
PID 2360 wrote to memory of 2148	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	100
PID 2360 wrote to memory of 2148	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	100
PID 2360 wrote to memory of 2228	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	101
PID 2360 wrote to memory of 2228	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	101
PID 2360 wrote to memory of 2228	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	101
PID 2360 wrote to memory of 1656	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	102
PID 2360 wrote to memory of 1656	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	102
PID 2360 wrote to memory of 1656	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	102
PID 2360 wrote to memory of 2068	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	107
PID 2360 wrote to memory of 2068	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	107
PID 2360 wrote to memory of 2068	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	107
PID 2360 wrote to memory of 2104	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	136
PID 2360 wrote to memory of 2104	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	136
PID 2360 wrote to memory of 2104	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	136
PID 2360 wrote to memory of 2108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	110
PID 2360 wrote to memory of 2108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	110
PID 2360 wrote to memory of 2108	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	110
PID 2360 wrote to memory of 1692	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	112
PID 2360 wrote to memory of 1692	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	112
PID 2360 wrote to memory of 1692	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	112
PID 2360 wrote to memory of 1652	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	113
PID 2360 wrote to memory of 1652	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	113
PID 2360 wrote to memory of 1652	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	113
PID 2360 wrote to memory of 2412	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	115
PID 2360 wrote to memory of 2412	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	115
PID 2360 wrote to memory of 2412	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	115
PID 2360 wrote to memory of 1532	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	117
PID 2360 wrote to memory of 1532	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	117
PID 2360 wrote to memory of 1532	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	117
PID 2360 wrote to memory of 2084	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	118
PID 2360 wrote to memory of 2084	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	118
PID 2360 wrote to memory of 2084	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	118
PID 2360 wrote to memory of 2612	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	127
PID 2360 wrote to memory of 2612	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	127
PID 2360 wrote to memory of 2612	2360	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	127
PID 2612 wrote to memory of 2416	2612	cmd.exe	131

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
"C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\slmgr\0409\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ebbrynYr4Y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2416
- - C:\Windows\ModemLogs\smss.exe
    "C:\Windows\ModemLogs\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f278774a-a77f-4152-ad05-3debaa08b4cc.vbs"
      4⤵
      PID:2096
    - - C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c5055ca-03ed-4ada-ab72-641196b64a09.vbs"
        6⤵
        
        PID:2104
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41f94566-034d-4520-8261-b3a653e9e524.vbs"
        8⤵
        
        PID:1908
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d05d23bc-5ebb-43d3-8ea3-fb0a076a15cd.vbs"
        10⤵
        
        PID:2796
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b95eae6d-94e6-465f-bc02-0185e93c5c36.vbs"
        12⤵
        
        PID:1988
        
        C:\Windows\ModemLogs\smss.exe
        
        C:\Windows\ModemLogs\smss.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f8d4d9-5f1a-41a6-9e5b-54c5784093f0.vbs"
        14⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02706696-6f4c-4106-9453-dfb7da4c248a.vbs"
        14⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955eadc4-c3d4-4455-b008-b4fa5b5d6970.vbs"
        12⤵
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f324a89-378f-41fb-8efc-f17c45c6ab72.vbs"
        10⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b583bcf9-51ed-4800-aaae-7e67247d8335.vbs"
        8⤵
        
        PID:628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b47931a-2ac3-43af-879f-567b1fe33387.vbs"
        6⤵
        
        PID:2196
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1da409e9-53fc-4f5b-9300-53be88f8ddc3.vbs"
      4⤵
      PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\slmgr\0409\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\slmgr\0409\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\slmgr\0409\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.9MB

MD5
e6a2a78a7811695c6c55a75891b4c5e1

SHA1
5b42fca2823712e6bb8685631d5fb3285b663858

SHA256
303b999462eda183c5f6d8059745569bc89f0a8635b0a99b53a03d20f33f112e

SHA512
7e90eba7c7e301739e7d4ab225340d4c068ab63e161f9e24a22e4b7d8a179fa5a8faa610f35a1b67076b89c63cd6299daf0a65125dfad1da20390e34dd7defef

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe

Filesize
1.9MB

MD5
e93acc91189253cf0f652c10147604a1

SHA1
64836b80a649953940a088b7d9b1e8fd476dbbc9

SHA256
8643c4321ec7ca7939235ad76a87c8287b7d0dbcbf021e6a5bd2a813d1fd6fb6

SHA512
f202f4788b7318395fcfa03fde733964aeb794faee4cccae19a49088741bb574aed574947cef40cb51e471a112d7f5442ce50b0f2d629a736b7492f902b9f6f1

Download Submit
C:\Program Files\Windows Mail\it-IT\OSPPSVC.exe

Filesize
1.9MB

MD5
f731541aa025ef88b92220f56705babc

SHA1
907f1eacf98f79194885a3fd3681f86666518565

SHA256
3a1eb6144a321f4aae8f2c81ae49771d6f4700b9d0f6937cad1be8c9c2baf074

SHA512
b2683fc9c856562783b8274878c36bfc58396d6410f7d2edf311bb9540e21dd778f37c24be6b5c6ab322d9815b9541d3f0e8436384d7565115c28c2b0ed4eb91

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe

Filesize
1.9MB

MD5
d43eb982afaf89c9e01c89a96ef7d406

SHA1
7799a32ebf741125469b920f009df8b585a91761

SHA256
289d5598f07321c57ba86746840fcbd46ce09b218ea3817673929c60554dc1c3

SHA512
38f952dec28163254c02aba2757fe288b12065a326deb8d4496fc22a85e14ca76c544ad8ab6206e02e8648c5a06ac4e48747612b6b20d238ff8cc8ad50debea6

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe

Filesize
1.9MB

MD5
464a05553b5bd47c84618761d07b32a6

SHA1
4947299420a124b29d359513690e92574d67f87d

SHA256
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b

SHA512
526fe406c9b68ac5bcb1dedf49d90e2f4bfab3a46141b8b4e2c71eff294681ae0c4a5cce0e467856fdb46251dc65cabd40b23ca490e81045bb340f39e919f509

Download Submit
C:\Users\Admin\AppData\Local\Temp\1da409e9-53fc-4f5b-9300-53be88f8ddc3.vbs

Filesize
481B

MD5
71c5d4a81d28bc0cff7a0994ddb96c42

SHA1
0cfa0df2bd61e0fb9f2864376f90861b701e9de8

SHA256
de7c2a5a8b2cd6af4079e9b5916c86e6a7407df501cd6964538642a85311a9de

SHA512
8006b5fdc52635e647387d4c3091371db4e4f11c406311bbf7257d1fe1ef5edc38db2e7ba850f9cf5390b48e33dadb76193f08917ef111456fd38cd6b95ae94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\41f94566-034d-4520-8261-b3a653e9e524.vbs

Filesize
705B

MD5
5772c5d10924ee7e849228d6d53495f4

SHA1
014354ecff62e76353ae0066189a59313230bb98

SHA256
69aeb158f51520e799718ce574c356cebb2e2500546c7ec8aa8ecaceed4a563d

SHA512
9cb8481b71d5f16d300d91a28548d116882b17ea49138140789731f015a45a63b0f29a7096ccd8bf3a6bd45108f37583441a69087a96f1489b8ecd3977651701

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f8d4d9-5f1a-41a6-9e5b-54c5784093f0.vbs

Filesize
705B

MD5
7ea2b077084d9a88d84418a81d88142a

SHA1
fb3ca04aeb73a7fd28d789594555219b8002f7ad

SHA256
5a2efe90808d9e0315aec9c098538bcf47c85315f1c6522140c21556a293c517

SHA512
f0725286c5c31e9bd89844b9626a0ca8aa874f265d3b8ed2e88e74897b9b98210325896a5601bde004737c1dee253e96442809b82ca2904d7111238cd9d8ade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c5055ca-03ed-4ada-ab72-641196b64a09.vbs

Filesize
705B

MD5
932db408f659413668a4311e407f710f

SHA1
174300387b1d1ce37bbeb1cc96d74b44da669284

SHA256
8a097233d43eb98ea5d564212a7aebc82a5dfbbf1d1329858bb8f0a75e301332

SHA512
8b030da0029570f25fbb7dd746497a318139eca558f28a86de9f21f2af8fd7e180a62a99ebf9adc412a2893d34601c2ea1f2c57c8e6710ad2d139ad7d5d3963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b95eae6d-94e6-465f-bc02-0185e93c5c36.vbs

Filesize
705B

MD5
f840039e33ab3e4c045f4dfbb15d0abf

SHA1
f8748d87334f76329ccc0076a0874cbc20a021b5

SHA256
399ab8deee5521718fb9fc1f4b2ce12972f73b44c9e6e3c84c053e66b44f69b0

SHA512
d489132ccd099b4857911e67a46e2e31e9f102cdd96e13d993cf7c0b202c40c062f6e39b325d32b0062eed1654b0cb290ef7beef1197ab1a55828ce71fad0cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d05d23bc-5ebb-43d3-8ea3-fb0a076a15cd.vbs

Filesize
704B

MD5
930c89b617df7d19a861a8f324577390

SHA1
06e0d95deb7edbfbbb9a9e8940c837e0e90a450d

SHA256
9bec486ce49bc40bf594e6c8c8a6bb88007297282749e2062526e81804550b35

SHA512
0c760f1aba49f07c5d6627cb70e732cd76a74f03d58c5aeb15dd7020f6ec50b0aa8029942b879ee06db2dd9f1bea6bc5af1cc8012e375137ec904a860ed11fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebbrynYr4Y.bat

Filesize
194B

MD5
e4171fcf91aa61ff59e024db9696a806

SHA1
77d60a6a0caae28436a32cb6c2ec480830a27f89

SHA256
4b37aa4ef56ac9af51b10fc1fe9916ae046e2dbdfe14823c5ba3c0329357604f

SHA512
da9446c068d6d4db27ad74ce64a74510456fcb21a5cc182e556653cc1b38c7e104533f307daa3d28de9a22b7ec6739385afde6dbc6436fa8ed3b10f579c50666

Download Submit
C:\Users\Admin\AppData\Local\Temp\f278774a-a77f-4152-ad05-3debaa08b4cc.vbs

Filesize
705B

MD5
61486bff95299ee07e43cf26521dde39

SHA1
18ff589f5924f2ee5749511c1f004f66a4faa35e

SHA256
c469e05cd203f662de1c700d829b99b7c230a46957bb56f2afc7b4aec12b7872

SHA512
5c4961e3dda3fc9bf4062520c128e1b683700e2d5525b98a8091ef86a721d3ac1e1483190f2cb29e4916bd07ebc7cd82621ad31371fa919286be3c7a19a940a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce24531e31ae08b05d344bef79870ff4

SHA1
74463e00d1186480414e9d633b8320294c09f109

SHA256
92b8e36d796edfd41f486c7b8caecc42b3c0b6dde1aa4d4ff731371d74545545

SHA512
fc4a3c65ea3c34ad361c9d1ca71a3ba2b15bef0891955ca429f41167ebeed6bcc4dd41bbd8407be8878f5cf475a50594ad63a7013bab20ba4cea489f2b0459cf

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
1.9MB

MD5
dc281c6cf7ca7af0cae2d8ec632cc983

SHA1
d06969ff4976d7702a700513ade08821bd839547

SHA256
651090031045e241470c34a9944600fcacba7c9b5af9e327b2c04fdb5cd78da4

SHA512
85684949a7b75e5cc96bcecbb9bc410a833585d45959ffaa93f7447749c593c2dc9161a145c5f6402c314877120c06e890126de02791508df73bf870cd9b99e7

Download Submit
C:\Windows\LiveKernelReports\taskhost.exe

Filesize
1.9MB

MD5
8746228aa0d7387444e53a782c3182a5

SHA1
86cf721f00eb78d967294bcf6005f0a4766b2670

SHA256
0c068988d1d6be54ecc52d113a2e48b154905db66af3000dcb86708c7d89a546

SHA512
d34c033d564536ed147d71e78efb607179dbff6176cdc4b014b0c132cbe4d7fd6a54cde4238c6e1e5f77890a79716cc8efc76b666ee089e21774c262b2262892

Download Submit
C:\Windows\ModemLogs\smss.exe

Filesize
1.9MB

MD5
e33fd3e4b589e9dd0a227afcebb8793d

SHA1
b8a19ac7685125a7f58008352fc42b166bc97618

SHA256
cfba60b9678445bae417ca1d14ad3fc3949244935b71be5ec6b2de8e8f9e74a8

SHA512
de18dce34cce3174275aa70c67d844ded983ad0da7de7a88ca9505d1ddd6ac38a981847add23b8310578358f56c36a43a638e1a6ace59e5c93cdd912fc4828d7

Download Submit
C:\Windows\fr-FR\System.exe

Filesize
1.9MB

MD5
8b25adc18aeb2cfab68b1fda017fc47e

SHA1
142fb54cf0d75ebd49b365ed454b662afebc4495

SHA256
faa56f45b0455ce06627d6b910c68b9669cfdb5bae1927039e0c9a961dba67ac

SHA512
b8efdec4e05c5221d3248e15038e6455d73f9c4f0bfd2cfb38bd5313c1956c3f9838eb0db2551537cedbe4609ac8b3d45df1ae2f72bdf0ae012a931ff56280e0

Download Submit
memory/448-424-0x0000000000110000-0x00000000002FA000-memory.dmp

Filesize
1.9MB

Download
memory/1632-436-0x0000000000950000-0x0000000000B3A000-memory.dmp

Filesize
1.9MB

Download
memory/1960-296-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1960-301-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2304-448-0x0000000001020000-0x000000000120A000-memory.dmp

Filesize
1.9MB

Download
memory/2360-13-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2360-4-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2360-197-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/2360-295-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-221-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-18-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/2360-14-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/2360-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2360-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/2360-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2360-16-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/2360-1-0x0000000001370000-0x000000000155A000-memory.dmp

Filesize
1.9MB

Download
memory/2360-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2360-15-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/2360-12-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2360-7-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2360-17-0x0000000001330000-0x000000000133C000-memory.dmp

Filesize
48KB

Download
memory/2360-8-0x0000000000A70000-0x0000000000AC6000-memory.dmp

Filesize
344KB

Download
memory/2360-5-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2360-10-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2360-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-390-0x0000000000CB0000-0x0000000000E9A000-memory.dmp

Filesize
1.9MB

Download
memory/2992-401-0x00000000010A0000-0x000000000128A000-memory.dmp

Filesize
1.9MB

Download