4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Size

1.9MB
MD5

0a63e063ab8eb5d26764d60214cc718e
SHA1

5fd444ff88f9cbe1f31109a1332de2958ad8428a
SHA256

508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e
SHA512

f06131120f27e8c9e8138c7cce521ece72ad3c7187c1866a05f743caa11c32c4f9927838599d129d82d583dd5f1af5a5eaa91a6cbedd10adbcfd6db7f3633e2a
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2976	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2976	schtasks.exe	30

UAC bypass 3 TTPs 18 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1888	powershell.exe
2132	powershell.exe
1724	powershell.exe
1412	powershell.exe
2852	powershell.exe
2124	powershell.exe
2820	powershell.exe
2004	powershell.exe
884	powershell.exe
2268	powershell.exe
2928	powershell.exe
1924	powershell.exe
2308	powershell.exe
1644	powershell.exe
1276	powershell.exe
536	powershell.exe
2720	powershell.exe
696	powershell.exe
1484	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

Executes dropped EXE 5 IoCs

pid	Process
1940	lsass.exe
1896	lsass.exe
2336	lsass.exe
2960	lsass.exe
2016	lsass.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\f3b6ecef712a24	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX9351.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\spoolsv.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXAD5D.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAF70.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAF71.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Uninstall Information\smss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX8E8B.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX8E8C.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA132.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCXAD1D.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\winlogon.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXB679.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXA7CC.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\RCXB1E2.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\0a1fd5f707cd16	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\0a1fd5f707cd16	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX9350.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX9EC0.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\1610b97d3ab4a7	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Microsoft Games\Chess\winlogon.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA5C7.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA5C8.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\RCXB250.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXB678.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX9EBF.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Microsoft Games\Chess\cc11b995f2a76d	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA0C4.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\0846daeece355a	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXA83A.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\886983d96e3d3e	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Windows\fr-FR\taskhost.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Windows\fr-FR\b75386f1303e64	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\ja-JP\RCXA336.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\fr-FR\RCXAA7D.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\fr-FR\RCXAA7E.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\fr-FR\taskhost.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File created	C:\Windows\ja-JP\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\ja-JP\RCXA3A4.tmp	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
File opened for modification	C:\Windows\ja-JP\csrss.exe	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
536	schtasks.exe
2640	schtasks.exe
1072	schtasks.exe
2860	schtasks.exe
3028	schtasks.exe
3016	schtasks.exe
816	schtasks.exe
1128	schtasks.exe
1768	schtasks.exe
1728	schtasks.exe
1640	schtasks.exe
1848	schtasks.exe
2748	schtasks.exe
2372	schtasks.exe
1520	schtasks.exe
2728	schtasks.exe
2284	schtasks.exe
2004	schtasks.exe
928	schtasks.exe
2724	schtasks.exe
2828	schtasks.exe
692	schtasks.exe
1504	schtasks.exe
1944	schtasks.exe
1140	schtasks.exe
2000	schtasks.exe
2556	schtasks.exe
2184	schtasks.exe
2100	schtasks.exe
2016	schtasks.exe
1300	schtasks.exe
1860	schtasks.exe
848	schtasks.exe
2360	schtasks.exe
1776	schtasks.exe
2180	schtasks.exe
1964	schtasks.exe
2296	schtasks.exe
1448	schtasks.exe
1972	schtasks.exe
2512	schtasks.exe
1440	schtasks.exe
1724	schtasks.exe
1116	schtasks.exe
1252	schtasks.exe
1948	schtasks.exe
2328	schtasks.exe
2680	schtasks.exe
876	schtasks.exe
2428	schtasks.exe
1388	schtasks.exe
840	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
884	powershell.exe
2720	powershell.exe
2124	powershell.exe
1644	powershell.exe
696	powershell.exe
1724	powershell.exe
2852	powershell.exe
2268	powershell.exe
2132	powershell.exe
1412	powershell.exe
1276	powershell.exe
2820	powershell.exe
2928	powershell.exe
1924	powershell.exe
1888	powershell.exe
536	powershell.exe
2308	powershell.exe
1484	powershell.exe
2004	powershell.exe
1940	lsass.exe
1896	lsass.exe
2336	lsass.exe
2960	lsass.exe
2016	lsass.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1940	lsass.exe
Token: SeDebugPrivilege	1896	lsass.exe
Token: SeDebugPrivilege	2336	lsass.exe
Token: SeDebugPrivilege	2960	lsass.exe
Token: SeDebugPrivilege	2016	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1412	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	85
PID 2936 wrote to memory of 1412	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	85
PID 2936 wrote to memory of 1412	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	85
PID 2936 wrote to memory of 884	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	86
PID 2936 wrote to memory of 884	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	86
PID 2936 wrote to memory of 884	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	86
PID 2936 wrote to memory of 2720	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	88
PID 2936 wrote to memory of 2720	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	88
PID 2936 wrote to memory of 2720	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	88
PID 2936 wrote to memory of 696	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	90
PID 2936 wrote to memory of 696	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	90
PID 2936 wrote to memory of 696	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	90
PID 2936 wrote to memory of 2852	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	91
PID 2936 wrote to memory of 2852	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	91
PID 2936 wrote to memory of 2852	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	91
PID 2936 wrote to memory of 1484	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	93
PID 2936 wrote to memory of 1484	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	93
PID 2936 wrote to memory of 1484	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	93
PID 2936 wrote to memory of 1644	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	94
PID 2936 wrote to memory of 1644	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	94
PID 2936 wrote to memory of 1644	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	94
PID 2936 wrote to memory of 1276	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	96
PID 2936 wrote to memory of 1276	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	96
PID 2936 wrote to memory of 1276	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	96
PID 2936 wrote to memory of 2268	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	97
PID 2936 wrote to memory of 2268	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	97
PID 2936 wrote to memory of 2268	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	97
PID 2936 wrote to memory of 1724	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	98
PID 2936 wrote to memory of 1724	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	98
PID 2936 wrote to memory of 1724	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	98
PID 2936 wrote to memory of 1888	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	99
PID 2936 wrote to memory of 1888	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	99
PID 2936 wrote to memory of 1888	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	99
PID 2936 wrote to memory of 2820	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	100
PID 2936 wrote to memory of 2820	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	100
PID 2936 wrote to memory of 2820	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	100
PID 2936 wrote to memory of 2124	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	101
PID 2936 wrote to memory of 2124	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	101
PID 2936 wrote to memory of 2124	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	101
PID 2936 wrote to memory of 2132	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	102
PID 2936 wrote to memory of 2132	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	102
PID 2936 wrote to memory of 2132	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	102
PID 2936 wrote to memory of 2928	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	105
PID 2936 wrote to memory of 2928	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	105
PID 2936 wrote to memory of 2928	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	105
PID 2936 wrote to memory of 2004	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	115
PID 2936 wrote to memory of 2004	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	115
PID 2936 wrote to memory of 2004	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	115
PID 2936 wrote to memory of 1924	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	117
PID 2936 wrote to memory of 1924	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	117
PID 2936 wrote to memory of 1924	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	117
PID 2936 wrote to memory of 2308	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	118
PID 2936 wrote to memory of 2308	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	118
PID 2936 wrote to memory of 2308	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	118
PID 2936 wrote to memory of 536	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	119
PID 2936 wrote to memory of 536	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	119
PID 2936 wrote to memory of 536	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	119
PID 2936 wrote to memory of 1956	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	123
PID 2936 wrote to memory of 1956	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	123
PID 2936 wrote to memory of 1956	2936	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe	123
PID 1956 wrote to memory of 2384	1956	cmd.exe	125
PID 1956 wrote to memory of 2384	1956	cmd.exe	125
PID 1956 wrote to memory of 2384	1956	cmd.exe	125
PID 1956 wrote to memory of 1940	1956	cmd.exe	127

System policy modification 1 TTPs 18 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe
"C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Chess\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DYpxlgJN6F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2384
- - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
    "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c213ffdc-c152-4208-9fcf-9eb8b74bc494.vbs"
      4⤵
      PID:2180
    - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1896
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e71bb7-bc75-44d8-b8b2-37d74a6d4be7.vbs"
        6⤵
        
        PID:2624
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dffd671-e46c-4640-b162-310a1c4cbeeb.vbs"
        8⤵
        
        PID:2928
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e45895bb-a6d2-457c-a3ba-31cf561588aa.vbs"
        10⤵
        
        PID:3028
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aaea3f7-836c-4a94-939f-d03e68ec10f6.vbs"
        12⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc77fafb-cd0b-4091-9969-99c19bb9466d.vbs"
        12⤵
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\617c9133-2bb3-4b8f-aa40-58a616d6cd04.vbs"
        10⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c345539-5036-4893-aff8-073ae922b977.vbs"
        8⤵
        
        PID:2684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f95dce2-a9de-4dfb-bf20-0d8fc455355c.vbs"
        6⤵
        
        PID:2060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d450d121-14e5-47dd-a19c-2eef8e33da53.vbs"
      4⤵
      PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Chess\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Chess\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e5" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e5" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\sppsvc.exe

Filesize
1.9MB

MD5
c2f8028abb90f7b145fc10d6a4fd4130

SHA1
dd2fecff8f512fb51bceff4a78978e1e9e0c074f

SHA256
d44c927bc13857837ad727262cbdb473c438eea883217b42d7a5e97a6a8dc381

SHA512
1fbb6a657a8489e56b50cce452b5d100345fafcfbdf0e09ffa522b73624f25f48f7f47e1bb508e82e3bef15e6f317e38af30c2b9311471ae778f06bd817b8268

Download Submit
C:\Program Files (x86)\Windows Portable Devices\csrss.exe

Filesize
1.9MB

MD5
354c79108325f5b6dd80ae1426a47d1c

SHA1
1e34c1a47791d9fa9272e12f20ff3688a3fe4344

SHA256
e58eabc4f2e9f141e9f7bdae0ce27238617b13873cae6f95e4e982aaf8863d28

SHA512
35ef24cc861b872dd45441b56b85cf00d3ff3890a11f0dbe35c4fcc98f2f5db6ee88990080c690bb89917633f31e1dc1c0076ded5e546f15230ae393772648cb

Download Submit
C:\Program Files\Microsoft Games\Chess\winlogon.exe

Filesize
1.9MB

MD5
08b3f5be346c7ed0c47466f57b004854

SHA1
b8108e087af44f2b5a5c7c6243fb012dea4f16d1

SHA256
e66be9ed06283b4ee2914333d1f0dcad7c6c04e4f5e12c1d2bf185d0b26cb3dd

SHA512
d0df658414dc265c9d892023060bab353da4b5e298dd0502e1305b98d0ad4500c0927323a1c8ac6b366fbd0bb2e2de3618a0c22ee544be0baa666f223b37da2d

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\RCX9CAC.tmp

Filesize
1.9MB

MD5
728fc4401655f405f0ff52526ad482a8

SHA1
c2921104e9ad80df162bbfe8b6dcb8eed8466185

SHA256
a62f2bc8040c25b7504d51d7494559c0f927dee12337149bd106fc59fbe57974

SHA512
ac46077d99940aa04a7fa69f6a96f26a19ec98e01817f7b063213bf164aa7757996c5330252317c5886df90dc438270eeec96c0c7d544c78d054fbec4dde5788

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

Filesize
1.9MB

MD5
0a63e063ab8eb5d26764d60214cc718e

SHA1
5fd444ff88f9cbe1f31109a1332de2958ad8428a

SHA256
508fd9ddd025101fca7bd23c589d0a6d1e68a3f15e669df43bc930c30d35980e

SHA512
f06131120f27e8c9e8138c7cce521ece72ad3c7187c1866a05f743caa11c32c4f9927838599d129d82d583dd5f1af5a5eaa91a6cbedd10adbcfd6db7f3633e2a

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

Filesize
1.9MB

MD5
c0921ec3747434c13f0b47a0b7f51c13

SHA1
6ed8646a3db6af2e03ba3e657141400a1e95fa73

SHA256
7d22f450ddbdc23173fdcb5ce7f3c7fb855b7d615fa4ebc686c73b88526d31f6

SHA512
737fac24bddd71fce0227cbaed1da7f5faaadd2fe814fcd0f6afcfd1c6ba22939a3850f851c80d9b9f2fb3015dbb242ee1d8a71fbcdf340d68dd26cc4b6a14c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dffd671-e46c-4640-b162-310a1c4cbeeb.vbs

Filesize
734B

MD5
3c3f8d745abbc9fdf0bf55377d6d53b9

SHA1
a5363f035e982e25375ee006b5378652c6a397b4

SHA256
1f5e48183027ef6989384e56ed34f2d2ed9a5881ffa92b4b76820234fa005b36

SHA512
c7ed4e9fb46545d80bfcda9f42839c040de15cbf59254b7cd6dc637816c009dd086634d4359a29cf2edbf54f0e3a5944413748fc905b72b9e0ddae180d1dcc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aaea3f7-836c-4a94-939f-d03e68ec10f6.vbs

Filesize
734B

MD5
4adbbc3502d6434e295f7bf7e5567e3a

SHA1
ba828939e8290b348e067ec17f56e47a76a6da09

SHA256
6236de3aadb90e2741aa470f969781b8e3453c5b424c0f37b9207d6e18dfba05

SHA512
23542e00c64423324369fcac2a43dbe045f645437ca559fb677f672f67c083da7faadd3a6af431106f4297d639f8f18888d19fdb921d10f3984e92710b0b4800

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYpxlgJN6F.bat

Filesize
223B

MD5
2d6d8e78761265346ba667538c8a8d35

SHA1
0c6a2ae560db11190b1946f974989b09a57ff7d7

SHA256
f11a6c49bb32929e842e8b7328e420de75f9a3fc15f8c5b229b92911d0420b05

SHA512
40ed248ead4e0e3f198b93b6c3f982cd5163f4c4be27e67403f2813cc9b7cf1e92b8b67a4fb7d02c2079bbbb7406d9bffb8265ceb7b8552328c1a12fe19e0ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2e71bb7-bc75-44d8-b8b2-37d74a6d4be7.vbs

Filesize
734B

MD5
0265dba9bfb00e311b84ac776aff775e

SHA1
dc27ef9e5f44c760553275c72f5c91ae1c05cd8a

SHA256
bac5001b53289f23baf25001123991768411f25df1dec3dd670b066d9246eb33

SHA512
da3386c0ceae38e459b7733c8d69bff9182c889595665badb8a750816969601d72256fee5adca091b0ca8bb1508a52a0217a3ae867a098fad7cc2c080c3c95df

Download Submit
C:\Users\Admin\AppData\Local\Temp\c213ffdc-c152-4208-9fcf-9eb8b74bc494.vbs

Filesize
734B

MD5
609999353c80e360308ee370e52b4674

SHA1
ba7331806d5d8066a9b886054d3e17bb86cc7f2d

SHA256
cc393a0be5058fcf107f8e8fd021d9992c0f5928f88a7d5f764dd4217241465e

SHA512
5687fd5b87c5e6f37ebc4e15ae5cec0311445f8a1b434860f4f84be3f45f4f7d64b4a8705a9072137c3d51f6df209a2d27b962b68a61e099c08ade886abaaac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d450d121-14e5-47dd-a19c-2eef8e33da53.vbs

Filesize
510B

MD5
c597e1f1c2a819b38251dce1079fed41

SHA1
54a51d6a1350beedb83bb35c827153de45555d1e

SHA256
51d67de58f00f6abc030ac907c4dbbb372133afc533dbbe5f93496e4c11b46f1

SHA512
2ed246f73742d712774c9eacebf2c6cb8b2bea83aa535374c32a3f7bd168d27f636998c3956f9b9b48352f3e34830ef59d4f25eaeb8ba8ceb4a5012cd8b73ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e45895bb-a6d2-457c-a3ba-31cf561588aa.vbs

Filesize
734B

MD5
2196293cb4fc3900cba218c158f7d79b

SHA1
c964cfb2649fbca27b645a3c7be5bfdb7baaf28b

SHA256
2d05fbd8f060738a13c1ea3963cfa6ad73e3acef6d167b4d343c600506b95c55

SHA512
b83a63d27d27d0b6b7482c2f99db620e50b5d382789880245a4c9360f11cd1ff29568b79287b9545ba0a526f2c0dcaac07d7301699bc856e31185a578c440450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CTT26B79IA5NFACTIURG.temp

Filesize
7KB

MD5
cceefd8e212711c6795fa7eff7f4f755

SHA1
198fe7a2252ccf471fd4ddc8f2fc4003a4a93866

SHA256
caf444689b0447b89f2e65bf80bd9baec3e267d0aa4cd507a17990f3d9c83c0e

SHA512
00f25feeb90f18a0e80e4df4c08815c4e92902356946865c67a413b24c5aeb910d4aa3a8f09e0380415f7bce0cdb564391fb97463b91cf1e20626320d5dd4834

Download Submit
C:\Windows\ja-JP\csrss.exe

Filesize
1.9MB

MD5
d22a6aa88c69cfaf82babe92e387a448

SHA1
ddc108df782f21ae3e5b43c918cbccb8a3668527

SHA256
57187f43789b5b8472a59c49ad8e7ffdac93ec7c48bcfe63277e7c133bb7e0ac

SHA512
3d3fc8d6b8f154233b28f85131c29f51a832af0a71cd07b93f47392e3e18690e23994a8cc4ec5a90553a4600e856f02c2f0baace4271115d4cdec63baecf0b7a

Download Submit
memory/884-320-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1896-387-0x0000000001180000-0x000000000136A000-memory.dmp

Filesize
1.9MB

Download
memory/1940-375-0x0000000000840000-0x0000000000896000-memory.dmp

Filesize
344KB

Download
memory/1940-374-0x0000000000270000-0x000000000045A000-memory.dmp

Filesize
1.9MB

Download
memory/1940-376-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2016-425-0x0000000000440000-0x0000000000496000-memory.dmp

Filesize
344KB

Download
memory/2336-399-0x0000000001200000-0x00000000013EA000-memory.dmp

Filesize
1.9MB

Download
memory/2336-400-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2720-321-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2936-9-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2936-15-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/2936-12-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2936-10-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2936-14-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/2936-16-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2936-4-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2936-6-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2936-18-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2936-13-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2936-210-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2936-371-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-8-0x0000000000550000-0x00000000005A6000-memory.dmp

Filesize
344KB

Download
memory/2936-7-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2936-5-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2936-193-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2936-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2936-1-0x0000000001100000-0x00000000012EA000-memory.dmp

Filesize
1.9MB

Download
memory/2936-17-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/2936-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-413-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2960-412-0x0000000000DC0000-0x0000000000E16000-memory.dmp

Filesize
344KB

Download