5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Size

1.9MB
MD5

137d068c92f966611feaee3383ab28ce
SHA1

31afc2071c0f899e12a210b44a460468807af620
SHA256

82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404
SHA512

8024f3502da2ef447887a0f97578a5c84dd86db7f2552dd5c5ac5c7da41b15bb4649dc478f33c2a5a31526ceebe947ed1c0f4cf679f046d90f10997c46117912
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2772	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2772	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2264	powershell.exe
2256	powershell.exe
3064	powershell.exe
2068	powershell.exe
300	powershell.exe
2180	powershell.exe
1640	powershell.exe
2360	powershell.exe
2180	powershell.exe
860	powershell.exe
2468	powershell.exe
888	powershell.exe
2068	powershell.exe
632	powershell.exe
1020	powershell.exe
2100	powershell.exe
108	powershell.exe
1180	powershell.exe
2508	powershell.exe
2088	powershell.exe
2008	powershell.exe
2948	powershell.exe
2944	powershell.exe
2016	powershell.exe
2468	powershell.exe
2552	powershell.exe
320	powershell.exe
2492	powershell.exe
2248	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Executes dropped EXE 7 IoCs

pid	Process
948	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
1708	Idle.exe
760	Idle.exe
884	Idle.exe
1900	Idle.exe
3048	Idle.exe
2924	Idle.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXA3B0.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\24dbde2999530e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXA3AF.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\6cb0b6c459d5d3	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8365.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCX85C8.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Windows Mail\fr-FR\24dbde2999530e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\1610b97d3ab4a7	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX9716.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\886983d96e3d3e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX9717.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8366.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCX8589.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX8C71.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX8C72.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\1610b97d3ab4a7	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\Web\Wallpaper\Scenes\24dbde2999530e	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\servicing\Sessions\OSPPSVC.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\rescache\rc0005\services.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX87FC.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX8A6E.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\ShellNew\RCX9B9C.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\ShellNew\spoolsv.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\CSC\v2.0.6\lsm.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\ShellNew\f3b6ecef712a24	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX87FB.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX8A6D.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\ShellNew\spoolsv.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\ShellNew\RCX9B9D.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1128	schtasks.exe
2204	schtasks.exe
1276	schtasks.exe
1636	schtasks.exe
2428	schtasks.exe
1768	schtasks.exe
2760	schtasks.exe
1996	schtasks.exe
1964	schtasks.exe
1584	schtasks.exe
608	schtasks.exe
696	schtasks.exe
1896	schtasks.exe
1760	schtasks.exe
1720	schtasks.exe
2060	schtasks.exe
1344	schtasks.exe
1856	schtasks.exe
236	schtasks.exe
1964	schtasks.exe
788	schtasks.exe
2276	schtasks.exe
1264	schtasks.exe
1460	schtasks.exe
2876	schtasks.exe
2556	schtasks.exe
3044	schtasks.exe
2860	schtasks.exe
2076	schtasks.exe
824	schtasks.exe
2632	schtasks.exe
1924	schtasks.exe
1384	schtasks.exe
1020	schtasks.exe
2676	schtasks.exe
2520	schtasks.exe
484	schtasks.exe
2720	schtasks.exe
1688	schtasks.exe
1584	schtasks.exe
1344	schtasks.exe
2420	schtasks.exe
2368	schtasks.exe
1508	schtasks.exe
2032	schtasks.exe
2912	schtasks.exe
2256	schtasks.exe
2296	schtasks.exe
108	schtasks.exe
1752	schtasks.exe
2116	schtasks.exe
2616	schtasks.exe
1900	schtasks.exe
3004	schtasks.exe
300	schtasks.exe
2856	schtasks.exe
1680	schtasks.exe
1188	schtasks.exe
1276	schtasks.exe
1872	schtasks.exe
860	schtasks.exe
2844	schtasks.exe
1972	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
888	powershell.exe
2360	powershell.exe
2948	powershell.exe
2440	powershell.exe
2264	powershell.exe
1020	powershell.exe
2944	powershell.exe
2016	powershell.exe
2068	powershell.exe
2468	powershell.exe
2248	powershell.exe
2180	powershell.exe
2088	powershell.exe
2256	powershell.exe
2508	powershell.exe
108	powershell.exe
320	powershell.exe
1180	powershell.exe
2008	powershell.exe
2552	powershell.exe
948	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2468	powershell.exe
2068	powershell.exe
1640	powershell.exe
860	powershell.exe
2100	powershell.exe
2492	powershell.exe
2180	powershell.exe
300	powershell.exe
632	powershell.exe
1708	Idle.exe
3064	powershell.exe
760	Idle.exe
884	Idle.exe
1900	Idle.exe
3048	Idle.exe
2924	Idle.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	948	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Token: SeDebugPrivilege	1708	Idle.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	760	Idle.exe
Token: SeDebugPrivilege	884	Idle.exe
Token: SeDebugPrivilege	1900	Idle.exe
Token: SeDebugPrivilege	3048	Idle.exe
Token: SeDebugPrivilege	2924	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2360	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	88
PID 2952 wrote to memory of 2360	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	88
PID 2952 wrote to memory of 2360	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	88
PID 2952 wrote to memory of 2068	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	89
PID 2952 wrote to memory of 2068	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	89
PID 2952 wrote to memory of 2068	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	89
PID 2952 wrote to memory of 888	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	90
PID 2952 wrote to memory of 888	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	90
PID 2952 wrote to memory of 888	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	90
PID 2952 wrote to memory of 2008	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	92
PID 2952 wrote to memory of 2008	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	92
PID 2952 wrote to memory of 2008	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	92
PID 2952 wrote to memory of 2552	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	93
PID 2952 wrote to memory of 2552	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	93
PID 2952 wrote to memory of 2552	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	93
PID 2952 wrote to memory of 2948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	95
PID 2952 wrote to memory of 2948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	95
PID 2952 wrote to memory of 2948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	95
PID 2952 wrote to memory of 2440	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	96
PID 2952 wrote to memory of 2440	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	96
PID 2952 wrote to memory of 2440	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	96
PID 2952 wrote to memory of 2088	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	97
PID 2952 wrote to memory of 2088	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	97
PID 2952 wrote to memory of 2088	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	97
PID 2952 wrote to memory of 2508	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	98
PID 2952 wrote to memory of 2508	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	98
PID 2952 wrote to memory of 2508	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	98
PID 2952 wrote to memory of 2248	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	99
PID 2952 wrote to memory of 2248	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	99
PID 2952 wrote to memory of 2248	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	99
PID 2952 wrote to memory of 2468	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	100
PID 2952 wrote to memory of 2468	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	100
PID 2952 wrote to memory of 2468	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	100
PID 2952 wrote to memory of 2256	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	101
PID 2952 wrote to memory of 2256	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	101
PID 2952 wrote to memory of 2256	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	101
PID 2952 wrote to memory of 1020	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	102
PID 2952 wrote to memory of 1020	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	102
PID 2952 wrote to memory of 1020	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	102
PID 2952 wrote to memory of 2180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	103
PID 2952 wrote to memory of 2180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	103
PID 2952 wrote to memory of 2180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	103
PID 2952 wrote to memory of 2264	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	104
PID 2952 wrote to memory of 2264	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	104
PID 2952 wrote to memory of 2264	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	104
PID 2952 wrote to memory of 1180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	106
PID 2952 wrote to memory of 1180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	106
PID 2952 wrote to memory of 1180	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	106
PID 2952 wrote to memory of 320	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	107
PID 2952 wrote to memory of 320	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	107
PID 2952 wrote to memory of 320	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	107
PID 2952 wrote to memory of 108	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	108
PID 2952 wrote to memory of 108	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	108
PID 2952 wrote to memory of 108	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	108
PID 2952 wrote to memory of 2016	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	109
PID 2952 wrote to memory of 2016	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	109
PID 2952 wrote to memory of 2016	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	109
PID 2952 wrote to memory of 2944	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	110
PID 2952 wrote to memory of 2944	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	110
PID 2952 wrote to memory of 2944	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	110
PID 2952 wrote to memory of 948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	124
PID 2952 wrote to memory of 948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	124
PID 2952 wrote to memory of 948	2952	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	124
PID 948 wrote to memory of 3064	948	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	157

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
"C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
  "C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a74bb356-8834-4229-b5b2-21af892b509d.vbs"
      4⤵
      PID:2308
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:760
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d87270-f73f-4224-af2a-7cacc23af87b.vbs"
        6⤵
        
        PID:1872
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3e73a62-155e-41e2-a9f6-2aa297a10db3.vbs"
        8⤵
        
        PID:1612
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e1244ae-8d18-40b0-8923-0fdd21968bc6.vbs"
        10⤵
        
        PID:1768
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\030330ba-0ccc-42d6-b4b5-f29613027517.vbs"
        12⤵
        
        PID:1564
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88cea038-34a6-4b03-996b-bb0263a38707.vbs"
        14⤵
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f71dba11-0600-4996-9826-a20e9df2a248.vbs"
        14⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c182971-ee0f-42fe-9640-86a7df76a081.vbs"
        12⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e0842f0-4a8d-4ea8-a68d-af72a15fcf5e.vbs"
        10⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f80de9d4-bbd7-4839-8223-375cc2976c56.vbs"
        8⤵
        
        PID:2876
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37897530-7cd0-4b39-a70f-e8cdd295c368.vbs"
        6⤵
        
        PID:2952
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85a9a2a1-a07d-4467-ba04-b00980e4e1f5.vbs"
      4⤵
      PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Scenes\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\fr-FR\WmiPrvSE.exe

Filesize
1.9MB

MD5
137d068c92f966611feaee3383ab28ce

SHA1
31afc2071c0f899e12a210b44a460468807af620

SHA256
82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404

SHA512
8024f3502da2ef447887a0f97578a5c84dd86db7f2552dd5c5ac5c7da41b15bb4649dc478f33c2a5a31526ceebe947ed1c0f4cf679f046d90f10997c46117912

Download Submit
C:\ProgramData\Adobe\dwm.exe

Filesize
1.9MB

MD5
642697c767c0cd6e0b0f34d02a2a59a9

SHA1
8dae63d7dd9987ea3d2081e69b6e622841ab0775

SHA256
08ec8ef46a71e3f7e7e32a51e448549331f8da313ed128f799d3f17f899f0635

SHA512
9ab0b939f1a1fb7a8c0a5681ae58214ee0422fb0f71466c257636054bdbf9ac41463fc84630303422a65a61428340f387a39ccd2f9c35ca00d6391f4f97e01e0

Download Submit
C:\ProgramData\Idle.exe

Filesize
1.9MB

MD5
2e6b122a6f254e186b38e224e1cf749e

SHA1
dc88877a322a7941d507e37de30e6c213971216d

SHA256
25840c0b2c94ba9b5b220b7f563f5c55554a3f1d156efa9f045f9ae073350380

SHA512
e16b11dceab6baff9dd626f73f24a17bea71e81e368a37bb90033606686007a22e51152d6cbe78e1bd539f6c7fdb1ca2c6cdaca319c764b2e415af8c19be0fe0

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe

Filesize
1.9MB

MD5
eaf086321c4bf03c782e0653cbc82346

SHA1
a05e150bb10fdd1094d0d34d8bd026781afb4123

SHA256
25c982be16994ea513ced023e652b3352548c2a929c4da846c44fed34746104d

SHA512
9f3eacd8e19b6af2acb7fb5faf5c4f1342bd565c5dbc560ccd4998e3ce5230e374f00aaf8e77683b8a2de2197363f7506fb31e0a855430ea9231fc5bbc146be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\030330ba-0ccc-42d6-b4b5-f29613027517.vbs

Filesize
747B

MD5
f2875a486bf2c576a5d03dc1a82065b3

SHA1
dfe398311af6c715ad15f5d198aed3a9008a23ed

SHA256
030ea864ac1fe37c599d57b7e19de2e781db47e4b414bc5c8be494352c530a59

SHA512
3cc86a71fc99e37af3977e3c003ecfea0a213827e168cf81333462b7023e6b0031f340528f875fee2cdfd7e63e576e55cc8753bd90e3a2260335468b39aa1b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\29d87270-f73f-4224-af2a-7cacc23af87b.vbs

Filesize
746B

MD5
68bc722983b77a3962305113ac7726af

SHA1
002c0d44622b3d71b9567f56e40b160049ad108c

SHA256
a106df82066ece126d2902dcb2b215dc65a1781c18bfcca9259c0ddb62c3875b

SHA512
ea1bbe921f4d74391a1e195d467e6f02ae34e74a14625ec9389baead3067f1b82af8fd7377730d84412dea7da55c211aeb94510608f2b8726ea88db6a746e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e1244ae-8d18-40b0-8923-0fdd21968bc6.vbs

Filesize
747B

MD5
8a60880b08e49fbb1da0da36f50d64c2

SHA1
8736e93bbdf35ee908ab76aedc0ee09190a5c9eb

SHA256
353a5c470ef6bc1a43186ba047fa1bae58e6b4bd013afd850153a71ff574b387

SHA512
27c6c958adc194e54373e6a3614e5a3ded9c0328877d34309665cd68267aebf9eec2a1ed868ffa67e4e44a9d7ff6dcb3b3885bdd00e92f27e31a1c8694aef148

Download Submit
C:\Users\Admin\AppData\Local\Temp\85a9a2a1-a07d-4467-ba04-b00980e4e1f5.vbs

Filesize
523B

MD5
e2020b7686bc028a5c61447dce68cb67

SHA1
528ddd30a1b35edbf6b734d44e355fb60817bb95

SHA256
4aa9c2033633c97e79c87460046da5b59a327b369e26ea538f5fbae76fecfda2

SHA512
d5d7ccacf65661ea48d958ea3d334c5e9dd55aaa0df60723416fcc503791ec123a7fd5f2584a4fd265d2fae39ed35ac81a512957416b01311dcf71abca8bb6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\88cea038-34a6-4b03-996b-bb0263a38707.vbs

Filesize
747B

MD5
9e02461654e15a424eb24f59bba5df24

SHA1
c8769ca4b6fbf09655b2bbdf312ed2b020657baf

SHA256
c88d22a00bc8f3802d4b70a5fe7a0b34e8511cc7cd5b8a23b325ab1cfe18133d

SHA512
8ad3bd44cc5e7a02f495b61d909a7f10123efa4429096feacf8ad58e3884b6f96c200e6470e3f676909ff831539f6861c00a3877fdd75a5425d1dd424027da80

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3e73a62-155e-41e2-a9f6-2aa297a10db3.vbs

Filesize
746B

MD5
06b84ace06deea0b9ce60c88c523a43f

SHA1
b2dc8866b54aad620c4fca13b6ef6d43aae58d99

SHA256
8e80218ced514e75c83ec6e3d903574e2b00ef8d4d1eb964a0a769bd7a7ae813

SHA512
5e5e8b6c488ab5fae1060bb341a2e1b0a38508d968f8c86184e25d4d7980099523f5ff61edd71b4441b955c3abb61b0dd37df3f140d88bdb4199b6c5ec2f0010

Download Submit
C:\Users\Admin\AppData\Local\Temp\a74bb356-8834-4229-b5b2-21af892b509d.vbs

Filesize
747B

MD5
5fab6f70cddf58adf9957aabf897eaec

SHA1
7ae31c3934a6ef2948ac40d337c53f98572f1879

SHA256
55ef792ff395d4f4e7af79ccfb1a306768f93e67b2a107a7e0aae3db690697d6

SHA512
ce52e2e42530ba27a9037bd9c60cf1847d3bb42149f396fd5d8b31c342d6a5416b987f75211d29b0ad681d5c38c41c2c55d1f4dc1c2b0040704a2693c1b9d148

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
1KB

MD5
46c62df1f33c88c8845331a56882f242

SHA1
7019cca5a201745f166a56eca34c4d9784e94687

SHA256
948d9dc3192674da7d9d9ad134e26d251ea70834ed4df402d5329cae05ac4000

SHA512
2b4769e2a16a3291e6aaad6cf1322d71d4baaf1c3093df81fcda1273bfb4acdd635801f93c5b0a9d55c64c93e3c9ef5b38becbc1a4b0c12e2f0d891b75343176

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d56b82f2be86022cb20dd3e816c63239

SHA1
fa3b9b3e0f36357cf14c94ad5a8e73c87807d2b6

SHA256
e083c63028f89a9919c38a7efec4baf132d101bbc281e451f201d6c74fef7549

SHA512
b5e175ca3db3c43e6c0c0fa7e8d3a35beb1a3cc8ae056d6717fbec6517f50a9c28a32efcef022de62d074cc78f311cceaa28fb2248ae06a04e76f13489ccc28c

Download Submit
memory/760-493-0x0000000000D40000-0x0000000000F2A000-memory.dmp

Filesize
1.9MB

Download
memory/884-505-0x0000000001380000-0x000000000156A000-memory.dmp

Filesize
1.9MB

Download
memory/888-290-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/888-292-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/948-383-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1708-428-0x00000000009F0000-0x0000000000BDA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-482-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/1900-518-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/1900-517-0x0000000000330000-0x000000000051A000-memory.dmp

Filesize
1.9MB

Download
memory/2468-455-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2468-457-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2924-542-0x0000000000340000-0x000000000052A000-memory.dmp

Filesize
1.9MB

Download
memory/2924-543-0x0000000000830000-0x0000000000886000-memory.dmp

Filesize
344KB

Download
memory/2952-217-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-5-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2952-8-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/2952-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2952-9-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2952-14-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2952-192-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2952-10-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2952-7-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2952-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-12-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2952-321-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-13-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2952-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2952-18-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2952-17-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/2952-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2952-1-0x0000000000B80000-0x0000000000D6A000-memory.dmp

Filesize
1.9MB

Download
memory/2952-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2952-16-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2952-15-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/3048-530-0x0000000000EA0000-0x000000000108A000-memory.dmp

Filesize
1.9MB

Download