ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Size

1.9MB
MD5

464a05553b5bd47c84618761d07b32a6
SHA1

4947299420a124b29d359513690e92574d67f87d
SHA256

4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b
SHA512

526fe406c9b68ac5bcb1dedf49d90e2f4bfab3a46141b8b4e2c71eff294681ae0c4a5cce0e467856fdb46251dc65cabd40b23ca490e81045bb340f39e919f509
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6052	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5636	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5996	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2756	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	2756	schtasks.exe	87

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6032	powershell.exe
836	powershell.exe
2612	powershell.exe
1164	powershell.exe
2840	powershell.exe
4312	powershell.exe
5080	powershell.exe
5052	powershell.exe
232	powershell.exe
4336	powershell.exe
4324	powershell.exe
2628	powershell.exe
2152	powershell.exe
5500	powershell.exe
5208	powershell.exe
3012	powershell.exe
4332	powershell.exe
2844	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 6 IoCs

pid	Process
3764	Idle.exe
5712	Idle.exe
3616	Idle.exe
3084	Idle.exe
5352	Idle.exe
3844	Idle.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4468_491706080\Idle.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\Internet Explorer\ja-JP\121e5b5079f7c0	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX834E.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX83CC.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\edge_BITS_4468_491706080\RCX8CFA.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\Internet Explorer\ja-JP\sysmon.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\edge_BITS_4468_491706080\Idle.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6EC9.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX7A1F.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX85D0.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows Portable Devices\51484fe3159bb6	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\22eafd247d37c3	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\edge_BITS_4468_491706080\6ccacd8608530f	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX864E.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\56085415360792	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\22eafd247d37c3	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6EDA.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79A1.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\edge_BITS_4468_491706080\RCX8D69.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\RuntimeBroker.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX771E.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX771F.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\sysmon.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\csrss.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\Tasks\886983d96e3d3e	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Tasks\RCX94D0.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Tasks\RCX94D1.tmp	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File opened for modification	C:\Windows\Tasks\csrss.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
File created	C:\Windows\LanguageOverlayCache\unsecapp.exe	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5636	schtasks.exe
4052	schtasks.exe
4756	schtasks.exe
4768	schtasks.exe
5064	schtasks.exe
4800	schtasks.exe
4960	schtasks.exe
4932	schtasks.exe
3076	schtasks.exe
2904	schtasks.exe
4848	schtasks.exe
5000	schtasks.exe
3396	schtasks.exe
4856	schtasks.exe
1212	schtasks.exe
2800	schtasks.exe
4592	schtasks.exe
4700	schtasks.exe
6052	schtasks.exe
1976	schtasks.exe
5400	schtasks.exe
860	schtasks.exe
6092	schtasks.exe
5356	schtasks.exe
4176	schtasks.exe
2616	schtasks.exe
3620	schtasks.exe
4528	schtasks.exe
4468	schtasks.exe
4828	schtasks.exe
3284	schtasks.exe
2060	schtasks.exe
2248	schtasks.exe
2924	schtasks.exe
4500	schtasks.exe
5560	schtasks.exe
5412	schtasks.exe
2676	schtasks.exe
4284	schtasks.exe
3696	schtasks.exe
5996	schtasks.exe
4124	schtasks.exe
4568	schtasks.exe
4872	schtasks.exe
4900	schtasks.exe
3936	schtasks.exe
832	schtasks.exe
2984	schtasks.exe
3504	schtasks.exe
516	schtasks.exe
3712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
6032	powershell.exe
6032	powershell.exe
5052	powershell.exe
5052	powershell.exe
2628	powershell.exe
2628	powershell.exe
4324	powershell.exe
4324	powershell.exe
2844	powershell.exe
2844	powershell.exe
3012	powershell.exe
5208	powershell.exe
3012	powershell.exe
5208	powershell.exe
5500	powershell.exe
5500	powershell.exe
232	powershell.exe
232	powershell.exe
2840	powershell.exe
2840	powershell.exe
5080	powershell.exe
5080	powershell.exe
1164	powershell.exe
1164	powershell.exe
4332	powershell.exe
4332	powershell.exe
2612	powershell.exe
2612	powershell.exe
4336	powershell.exe
4336	powershell.exe
4312	powershell.exe
4312	powershell.exe
2152	powershell.exe
2152	powershell.exe
2612	powershell.exe
2152	powershell.exe
6032	powershell.exe
6032	powershell.exe
5052	powershell.exe
5052	powershell.exe
2628	powershell.exe
2628	powershell.exe
5208	powershell.exe
4324	powershell.exe
4324	powershell.exe
4336	powershell.exe
5080	powershell.exe
3012	powershell.exe
2840	powershell.exe
1164	powershell.exe
4332	powershell.exe
2844	powershell.exe
5500	powershell.exe
4312	powershell.exe
232	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3764	Idle.exe
Token: SeDebugPrivilege	5712	Idle.exe
Token: SeDebugPrivilege	3616	Idle.exe
Token: SeDebugPrivilege	3084	Idle.exe
Token: SeDebugPrivilege	5352	Idle.exe
Token: SeDebugPrivilege	3844	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5720 wrote to memory of 4324	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	144
PID 5720 wrote to memory of 4324	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	144
PID 5720 wrote to memory of 1164	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	145
PID 5720 wrote to memory of 1164	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	145
PID 5720 wrote to memory of 3012	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	146
PID 5720 wrote to memory of 3012	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	146
PID 5720 wrote to memory of 2628	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	147
PID 5720 wrote to memory of 2628	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	147
PID 5720 wrote to memory of 2840	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	148
PID 5720 wrote to memory of 2840	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	148
PID 5720 wrote to memory of 2844	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	149
PID 5720 wrote to memory of 2844	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	149
PID 5720 wrote to memory of 6032	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	150
PID 5720 wrote to memory of 6032	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	150
PID 5720 wrote to memory of 836	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	151
PID 5720 wrote to memory of 836	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	151
PID 5720 wrote to memory of 4312	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	152
PID 5720 wrote to memory of 4312	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	152
PID 5720 wrote to memory of 4332	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	153
PID 5720 wrote to memory of 4332	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	153
PID 5720 wrote to memory of 2152	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	154
PID 5720 wrote to memory of 2152	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	154
PID 5720 wrote to memory of 4336	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	155
PID 5720 wrote to memory of 4336	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	155
PID 5720 wrote to memory of 232	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	156
PID 5720 wrote to memory of 232	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	156
PID 5720 wrote to memory of 5052	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	157
PID 5720 wrote to memory of 5052	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	157
PID 5720 wrote to memory of 5208	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	158
PID 5720 wrote to memory of 5208	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	158
PID 5720 wrote to memory of 2612	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	159
PID 5720 wrote to memory of 2612	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	159
PID 5720 wrote to memory of 5080	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	161
PID 5720 wrote to memory of 5080	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	161
PID 5720 wrote to memory of 5500	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	162
PID 5720 wrote to memory of 5500	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	162
PID 5720 wrote to memory of 3764	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	180
PID 5720 wrote to memory of 3764	5720	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe	180
PID 3764 wrote to memory of 3440	3764	Idle.exe	182
PID 3764 wrote to memory of 3440	3764	Idle.exe	182
PID 3764 wrote to memory of 3528	3764	Idle.exe	183
PID 3764 wrote to memory of 3528	3764	Idle.exe	183
PID 3440 wrote to memory of 5712	3440	WScript.exe	185
PID 3440 wrote to memory of 5712	3440	WScript.exe	185
PID 5712 wrote to memory of 5960	5712	Idle.exe	186
PID 5712 wrote to memory of 5960	5712	Idle.exe	186
PID 5712 wrote to memory of 432	5712	Idle.exe	187
PID 5712 wrote to memory of 432	5712	Idle.exe	187
PID 5960 wrote to memory of 3616	5960	WScript.exe	195
PID 5960 wrote to memory of 3616	5960	WScript.exe	195
PID 3616 wrote to memory of 4012	3616	Idle.exe	196
PID 3616 wrote to memory of 4012	3616	Idle.exe	196
PID 3616 wrote to memory of 1512	3616	Idle.exe	197
PID 3616 wrote to memory of 1512	3616	Idle.exe	197
PID 4012 wrote to memory of 3084	4012	WScript.exe	199
PID 4012 wrote to memory of 3084	4012	WScript.exe	199
PID 3084 wrote to memory of 4392	3084	Idle.exe	200
PID 3084 wrote to memory of 4392	3084	Idle.exe	200
PID 3084 wrote to memory of 5044	3084	Idle.exe	201
PID 3084 wrote to memory of 5044	3084	Idle.exe	201
PID 4392 wrote to memory of 5352	4392	WScript.exe	202
PID 4392 wrote to memory of 5352	4392	WScript.exe	202
PID 5352 wrote to memory of 4616	5352	Idle.exe	203
PID 5352 wrote to memory of 4616	5352	Idle.exe	203

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
"C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4468_491706080\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
  "C:\4d7dcf6448637544ea7e961be1ad\Idle.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f0fce7f-2e45-4e35-a3a0-899902a32a77.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
      C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3669c403-d415-4ba3-9de5-b5555af5a480.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5960
      - C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4172927d-24ec-4673-886a-4ac937120df1.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19d0c330-d9ec-4348-9f26-afc87c3ac570.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b1411e-bab0-42c9-931f-8631a39f84a8.vbs"
        11⤵
        
        PID:4616
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\Idle.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78714ba0-f081-4007-add8-c2aff4afaacb.vbs"
        13⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b79f53e3-03f8-4e5d-b584-7021ce3b5776.vbs"
        13⤵
        
        PID:5708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\018adc25-a27b-43ab-8b2e-987972d75bea.vbs"
        11⤵
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f466ab9f-261a-41d8-b8d4-de4d6e0f3c9d.vbs"
        9⤵
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1316135a-047c-44bc-8586-e880c2a9ff41.vbs"
        7⤵
        
        PID:1512
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daab1c4c-9e5d-446e-8bc0-b1d34bd24104.vbs"
        5⤵
        
        PID:432
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4237965-cae6-4dd8-900f-2712481c83da.vbs"
    3⤵
    PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b4" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b4" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\4d7dcf6448637544ea7e961be1ad\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4468_491706080\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4468_491706080\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4468_491706080\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\TextInputHost.exe

Filesize
1.9MB

MD5
922d287d763f501dcc29f40865b9e768

SHA1
1c9fef3b48d636a43a4bd6b085c3e7a90ba50932

SHA256
5a7d85ccc0287c7e013c3e18cf5cecf3aaaf33594cff0785dc6981252080ad12

SHA512
cbef9a3b4a47deb6b7c9c9ee1b999384a7d0a88ae58ef53174e0b887faf5cffed8a61a074e32c4314840ec9cd81d3b2ff774f343df4226bab0ed79470bcdbe88

Download Submit
C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe

Filesize
1.9MB

MD5
87e9d4afe8c6822f905db18f6ad27a0b

SHA1
4c16914675bada6a5fd8ce61d25b79c4933e2894

SHA256
4afe40b5a623c2f72a705dce17c702636d1aa94c12b413b5d14ad2690ac85a81

SHA512
db4c4c5ee92cbe0330e9b1cd1c7cc3d75ef94d04f887b0bd9257702e8e885ecac63eda52d8c4525787c5ddb33bcc2fd717cdefba49e694a1df4258d451d84361

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX864E.tmp

Filesize
1.9MB

MD5
1f78f5503a3c32d44bb9b431c218f1fc

SHA1
1c30ebeb19225b931baa8286f0820f3105dbd1a2

SHA256
2996321badec141b4a46fbb2d77abed19e64d8bf824b7ed8ee7e60bdbc191443

SHA512
147bef35de30d48919749c7e12ae9aca2a4ac2dd6b40da7873a0308c0cc76469a263bcbfde47f49e0cfec4878081046cb923f0ca2f76e14a0ad3ca2b7b91dd27

Download Submit
C:\Program Files\Internet Explorer\ja-JP\sysmon.exe

Filesize
1.9MB

MD5
464a05553b5bd47c84618761d07b32a6

SHA1
4947299420a124b29d359513690e92574d67f87d

SHA256
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b

SHA512
526fe406c9b68ac5bcb1dedf49d90e2f4bfab3a46141b8b4e2c71eff294681ae0c4a5cce0e467856fdb46251dc65cabd40b23ca490e81045bb340f39e919f509

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.9MB

MD5
ea66ddae629a05d1fbf140b8afcaedd8

SHA1
fbee3cd5249fd658ddd02dd3f24380c2e4ddba83

SHA256
a5df1a0f46e1812c0c120fafeb085baa3229bd27e932387e412e4402614633a7

SHA512
5f7eaab74784315919d2f38329cbd0d6d8a44f6e20481e88849476a01ce9fcd8b8b2266a033292982a80e3fadfd53b81ab2b08355954881fc4e2a1097700a49a

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.9MB

MD5
0d3e726ba03ee87643e50d2de18bbae7

SHA1
64c2b613121c88d2a30db79f87124caca93bf0f7

SHA256
63f6ab8d5f344257b9d5cd994e65d04ca5e5d59db64c87cd011e1f55fd402c0e

SHA512
f8cebd28ab955c7a8102f35e5ae7cdf853e1eda836265b893ac91ee591d6ec1c16f983eb78617e9951546a09b3597f96a7bc2cde37b0a91da453f136584d7bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0a8d028aff6c7a73fdc07e7933ac0634

SHA1
3c12673446b9c2760c6bc14535ad51a98ddb9b49

SHA256
db361782ee327d59ac6206af44383b5d5974be305424aa340e04b1c0e6939c8d

SHA512
d198584f39111d47296b2835d543f0b3992da5f0ca09a39c60748f391aedae364cdf592dc72338d0608a76c2c8d0d019c6470079ff53dc18e2806ecbde866c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
309f0051b04adbbef61aaabf270c7268

SHA1
d46326702e032281e62189901485aac6dce617d9

SHA256
07006d24b00ea173a30d6badaa92f10f79d5b82ed8bd1e2d95fe5b9da8aa839c

SHA512
4bec40bcdcd4da44e48f2c3938351f3ee197b37c3b0a949cf3bb44f3433103c6ed5c8cdf29e4c774d950c3c2f376df2a0aefba194691eac2a15f5b05ef17642a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd3836b9dfd35d27a1995a2fd22e3d69

SHA1
db2b529de5bc342001e1345cb080a6d4e37d4bbb

SHA256
68319d7a4938108026a325379c349b37812234bcfa2d20273c3190f7858f5e5e

SHA512
76faa047525920891f6ae4c25f86ebde4861a0fa3122bd697d8c7d6d84866495bb8344af15f53ebb60bec1a39df59b81cb245b213a0788465a20e501de9387b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a822dfe702436e366414e8ddb6fb41d0

SHA1
db35e49e01a1baf69d51d52375fb26da32b12ddf

SHA256
929a0a2762a94d0f949b0bec034d141a00c1653d8dec84ff994d32e6e115a3b2

SHA512
67d023275898ba86b0f1bc67b0868b0a31038ce366b1ade6e433c1785d4150c8b630462afd2af2479d2268351d1e7dd5a6e99042020cfbfa1490d04420bd296c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
001f81f763ebc3f7926c3835567069f1

SHA1
fe1c924ca3ddd061f1725654518a4c22856488e4

SHA256
8d717486dee617b16e6c9690fdce46e461327584598d674f7fd82f40ce6d5f81

SHA512
58b6632616d68e49ef7133d26e815382d002e98589de47175d5f05172e5efe2c35f952feaeeb944528bf3c94ed6fbc95cee51b901815654d969b0a133dbbf2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\19d0c330-d9ec-4348-9f26-afc87c3ac570.vbs

Filesize
716B

MD5
5dfbc9c28dcc24e7888e726114db0a2b

SHA1
0f62214be09ca55f27804329d546fb0033b2b46e

SHA256
ab46ae5bf5dcdb54ce2e107a0ff8ecec7f4708d766ff9b6569d20a743592691e

SHA512
18afa49d6539be65e43ed1b73b59791e8140e4d7cf42e4d2b6b40118be8b4029b79991ed901baf97a8c5b867cf3392dedf7f5ba887aa093fe8d825b91bd65c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\3669c403-d415-4ba3-9de5-b5555af5a480.vbs

Filesize
716B

MD5
907ae71646be756b67fad6d6d87a2871

SHA1
f30296f84551cd3d34a614159ab587414d186495

SHA256
74e939443ce7f38847ae2e18b358a791eeb615a436161f7d75c8a61b97fba31c

SHA512
888fd295ac1b1b9c59174ebba3e986ce9b8c95f2b2f998332bbe4ee850deceb0d793e0f452d44e03a98cce0f034f6723ac57f90a5d9b511acdf35da5186f546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4172927d-24ec-4673-886a-4ac937120df1.vbs

Filesize
716B

MD5
55554ba1f5c7d3066ea417eb9ef858a9

SHA1
349369395dc64f87a80c5687ba6997f65350bd2b

SHA256
c8e472eeae741e9fc67676da35e5c1bb769035afafa306edc622f465ccdcccdb

SHA512
847540c237a16f3de567ab5d0c13e3dfdadf78280f7403bc1f6d49c82704876321c3680159105d6975e0bf33c0460d36ab413458e85fefd4e197c2596e667d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\78714ba0-f081-4007-add8-c2aff4afaacb.vbs

Filesize
716B

MD5
b07a8260c51c07ba8fc0b52aa58a8cbb

SHA1
d56c24b1549c0601e9ba14c0268ff419093d58a1

SHA256
ae5d6f2f0a2074a9098cb96ec1284442d25e8998cb191a12875752ce195e08a4

SHA512
d360b372ce768755e2943b90c48cbed95c96ce60e2bb14a1ec952bb862ee6086053e723d7a37d5ffb3cd967d3d01c15215648baea4cbf0d539da3ec2b5f95aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\86b1411e-bab0-42c9-931f-8631a39f84a8.vbs

Filesize
716B

MD5
265a2a6ec136bf249ae06f9876ea2c9d

SHA1
00e83a409dc17d1ebe5977c8a05f78052a13f729

SHA256
6286d9d3d5dbf97215215d3de2eee21240a3a15e0dd98c5fb92f9d306b452f12

SHA512
58878345be2fb7da35aca2ee5a42d5ecd65b44a91f67d85f14292a31e0ab864f40ffadffccf4945e434bcb40845e64b2aaca4cc1f4f6f480cb97b706531d1d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f0fce7f-2e45-4e35-a3a0-899902a32a77.vbs

Filesize
716B

MD5
7c2e942b7f195d94a9441bc5e25f3966

SHA1
00b76af9699e3ba51baf51959bd27de80a6d9a19

SHA256
b4577754be892eb0ed3b32a17f5c8b800119e3ddf92d049dae60639fce6e939c

SHA512
70cd9be05f47dd3dac3bcdc4d2c2924f793a44f1ebbb6cca2164e64a3f175c42be9e1a2f2508d56701ce0c65c92f5626584d1a6b3b742ce898e79d4d73ffb462

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhpbg5rj.hkd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4237965-cae6-4dd8-900f-2712481c83da.vbs

Filesize
492B

MD5
bc485df2633b04bebb866acd39670e60

SHA1
71a535eb5264207bda86779b41b64727877858e2

SHA256
2da063fd3e4bb9ac0f878ea5c5e8fcd3b8a28ef65d7a9282e6ee2624364eafa4

SHA512
9986afed95d20528786ebdc4e09310ff593b2ac171de542aed362ae03b43967af7ff3ce3f3e6cc0ce06ab72d9d5dbfd50138705b3545fa8bf2a1b637cdc83798

Download Submit
memory/3084-542-0x000000001B540000-0x000000001B552000-memory.dmp

Filesize
72KB

Download
memory/3764-516-0x000000001B0C0000-0x000000001B0D6000-memory.dmp

Filesize
88KB

Download
memory/3764-514-0x000000001B0C0000-0x000000001B0D6000-memory.dmp

Filesize
88KB

Download
memory/3764-471-0x000000001B140000-0x000000001B152000-memory.dmp

Filesize
72KB

Download
memory/5712-519-0x000000001B210000-0x000000001B222000-memory.dmp

Filesize
72KB

Download
memory/5720-14-0x000000001C900000-0x000000001CE28000-memory.dmp

Filesize
5.2MB

Download
memory/5720-0-0x00007FF908BB3000-0x00007FF908BB5000-memory.dmp

Filesize
8KB

Download
memory/5720-470-0x00007FF908BB0000-0x00007FF909671000-memory.dmp

Filesize
10.8MB

Download
memory/5720-211-0x00007FF908BB0000-0x00007FF909671000-memory.dmp

Filesize
10.8MB

Download
memory/5720-187-0x00007FF908BB3000-0x00007FF908BB5000-memory.dmp

Filesize
8KB

Download
memory/5720-17-0x000000001BFF0000-0x000000001BFFE000-memory.dmp

Filesize
56KB

Download
memory/5720-18-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/5720-19-0x000000001C010000-0x000000001C01C000-memory.dmp

Filesize
48KB

Download
memory/5720-20-0x000000001C020000-0x000000001C02C000-memory.dmp

Filesize
48KB

Download
memory/5720-15-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/5720-16-0x000000001BFE0000-0x000000001BFEA000-memory.dmp

Filesize
40KB

Download
memory/5720-1-0x00000000009D0000-0x0000000000BBA000-memory.dmp

Filesize
1.9MB

Download
memory/5720-11-0x000000001B770000-0x000000001B778000-memory.dmp

Filesize
32KB

Download
memory/5720-13-0x000000001B780000-0x000000001B792000-memory.dmp

Filesize
72KB

Download
memory/5720-10-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/5720-9-0x000000001BDC0000-0x000000001BE16000-memory.dmp

Filesize
344KB

Download
memory/5720-8-0x000000001B700000-0x000000001B70A000-memory.dmp

Filesize
40KB

Download
memory/5720-7-0x000000001B6E0000-0x000000001B6F6000-memory.dmp

Filesize
88KB

Download
memory/5720-6-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/5720-4-0x000000001B710000-0x000000001B760000-memory.dmp

Filesize
320KB

Download
memory/5720-5-0x000000001B6C0000-0x000000001B6C8000-memory.dmp

Filesize
32KB

Download
memory/5720-3-0x000000001B6A0000-0x000000001B6BC000-memory.dmp

Filesize
112KB

Download
memory/5720-2-0x00007FF908BB0000-0x00007FF909671000-memory.dmp

Filesize
10.8MB

Download
memory/6032-319-0x000002C7F8170000-0x000002C7F8192000-memory.dmp

Filesize
136KB

Download