5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Size

1.9MB
MD5

137d068c92f966611feaee3383ab28ce
SHA1

31afc2071c0f899e12a210b44a460468807af620
SHA256

82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404
SHA512

8024f3502da2ef447887a0f97578a5c84dd86db7f2552dd5c5ac5c7da41b15bb4649dc478f33c2a5a31526ceebe947ed1c0f4cf679f046d90f10997c46117912
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5920	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	636	schtasks.exe	86

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
368	powershell.exe
1748	powershell.exe
2196	powershell.exe
2584	powershell.exe
2404	powershell.exe
4980	powershell.exe
3776	powershell.exe
6016	powershell.exe
5768	powershell.exe
536	powershell.exe
5380	powershell.exe
2592	powershell.exe
2816	powershell.exe
2208	powershell.exe
5220	powershell.exe
4060	powershell.exe
4288	powershell.exe
4280	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 7 IoCs

pid	Process
5096	sysmon.exe
852	sysmon.exe
5924	sysmon.exe
5980	sysmon.exe
4672	sysmon.exe
5904	sysmon.exe
4368	sysmon.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\Idle.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX74E6.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCX7554.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\Idle.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\SearchApp.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Containers\serviced\RCX704E.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Containers\serviced\Idle.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\L2Schemas\RCX7E55.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\Containers\serviced\Idle.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\Containers\serviced\6ccacd8608530f	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File created	C:\Windows\L2Schemas\38384e6a620884	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\Containers\serviced\RCX704F.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\L2Schemas\RCX7E54.tmp	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
File opened for modification	C:\Windows\L2Schemas\SearchApp.exe	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6140	schtasks.exe
4716	schtasks.exe
1892	schtasks.exe
4656	schtasks.exe
4612	schtasks.exe
4536	schtasks.exe
4216	schtasks.exe
3580	schtasks.exe
4436	schtasks.exe
4664	schtasks.exe
4752	schtasks.exe
4780	schtasks.exe
316	schtasks.exe
5116	schtasks.exe
1456	schtasks.exe
3816	schtasks.exe
4432	schtasks.exe
4504	schtasks.exe
5916	schtasks.exe
4416	schtasks.exe
5100	schtasks.exe
432	schtasks.exe
2384	schtasks.exe
2276	schtasks.exe
4460	schtasks.exe
3820	schtasks.exe
1528	schtasks.exe
924	schtasks.exe
5920	schtasks.exe
4484	schtasks.exe
2368	schtasks.exe
4524	schtasks.exe
3812	schtasks.exe
508	schtasks.exe
4456	schtasks.exe
4400	schtasks.exe
1084	schtasks.exe
4188	schtasks.exe
4380	schtasks.exe
4628	schtasks.exe
4704	schtasks.exe
6036	schtasks.exe
4200	schtasks.exe
1992	schtasks.exe
5240	schtasks.exe
1740	schtasks.exe
3080	schtasks.exe
4532	schtasks.exe
5360	schtasks.exe
1536	schtasks.exe
4944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
4060	powershell.exe
4060	powershell.exe
368	powershell.exe
368	powershell.exe
2592	powershell.exe
2592	powershell.exe
4288	powershell.exe
4288	powershell.exe
1748	powershell.exe
1748	powershell.exe
2196	powershell.exe
2196	powershell.exe
536	powershell.exe
536	powershell.exe
5220	powershell.exe
5220	powershell.exe
2208	powershell.exe
2208	powershell.exe
5380	powershell.exe
5380	powershell.exe
3776	powershell.exe
3776	powershell.exe
4980	powershell.exe
4980	powershell.exe
6016	powershell.exe
2816	powershell.exe
2816	powershell.exe
6016	powershell.exe
2584	powershell.exe
2584	powershell.exe
5768	powershell.exe
5768	powershell.exe
2404	powershell.exe
2404	powershell.exe
4280	powershell.exe
4280	powershell.exe
6016	powershell.exe
4280	powershell.exe
368	powershell.exe
368	powershell.exe
5380	powershell.exe
4060	powershell.exe
4060	powershell.exe
2584	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	5768	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	5096	sysmon.exe
Token: SeDebugPrivilege	852	sysmon.exe
Token: SeDebugPrivilege	5924	sysmon.exe
Token: SeDebugPrivilege	5980	sysmon.exe
Token: SeDebugPrivilege	4672	sysmon.exe
Token: SeDebugPrivilege	5904	sysmon.exe
Token: SeDebugPrivilege	4368	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4060	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	144
PID 2332 wrote to memory of 4060	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	144
PID 2332 wrote to memory of 368	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	145
PID 2332 wrote to memory of 368	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	145
PID 2332 wrote to memory of 1748	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	146
PID 2332 wrote to memory of 1748	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	146
PID 2332 wrote to memory of 5380	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	147
PID 2332 wrote to memory of 5380	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	147
PID 2332 wrote to memory of 2196	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	148
PID 2332 wrote to memory of 2196	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	148
PID 2332 wrote to memory of 2592	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	149
PID 2332 wrote to memory of 2592	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	149
PID 2332 wrote to memory of 5768	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	150
PID 2332 wrote to memory of 5768	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	150
PID 2332 wrote to memory of 2584	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	151
PID 2332 wrote to memory of 2584	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	151
PID 2332 wrote to memory of 4280	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	152
PID 2332 wrote to memory of 4280	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	152
PID 2332 wrote to memory of 4288	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	154
PID 2332 wrote to memory of 4288	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	154
PID 2332 wrote to memory of 536	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	156
PID 2332 wrote to memory of 536	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	156
PID 2332 wrote to memory of 6016	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	157
PID 2332 wrote to memory of 6016	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	157
PID 2332 wrote to memory of 3776	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	159
PID 2332 wrote to memory of 3776	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	159
PID 2332 wrote to memory of 5220	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	160
PID 2332 wrote to memory of 5220	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	160
PID 2332 wrote to memory of 4980	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	161
PID 2332 wrote to memory of 4980	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	161
PID 2332 wrote to memory of 2404	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	162
PID 2332 wrote to memory of 2404	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	162
PID 2332 wrote to memory of 2208	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	163
PID 2332 wrote to memory of 2208	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	163
PID 2332 wrote to memory of 2816	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	164
PID 2332 wrote to memory of 2816	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	164
PID 2332 wrote to memory of 4732	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	180
PID 2332 wrote to memory of 4732	2332	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe	180
PID 4732 wrote to memory of 4472	4732	cmd.exe	182
PID 4732 wrote to memory of 4472	4732	cmd.exe	182
PID 4732 wrote to memory of 5096	4732	cmd.exe	184
PID 4732 wrote to memory of 5096	4732	cmd.exe	184
PID 5096 wrote to memory of 1800	5096	sysmon.exe	185
PID 5096 wrote to memory of 1800	5096	sysmon.exe	185
PID 5096 wrote to memory of 1616	5096	sysmon.exe	186
PID 5096 wrote to memory of 1616	5096	sysmon.exe	186
PID 1800 wrote to memory of 852	1800	WScript.exe	188
PID 1800 wrote to memory of 852	1800	WScript.exe	188
PID 852 wrote to memory of 5800	852	sysmon.exe	189
PID 852 wrote to memory of 5800	852	sysmon.exe	189
PID 852 wrote to memory of 4708	852	sysmon.exe	190
PID 852 wrote to memory of 4708	852	sysmon.exe	190
PID 5800 wrote to memory of 5924	5800	WScript.exe	198
PID 5800 wrote to memory of 5924	5800	WScript.exe	198
PID 5924 wrote to memory of 4788	5924	sysmon.exe	199
PID 5924 wrote to memory of 4788	5924	sysmon.exe	199
PID 5924 wrote to memory of 5220	5924	sysmon.exe	200
PID 5924 wrote to memory of 5220	5924	sysmon.exe	200
PID 4788 wrote to memory of 5980	4788	WScript.exe	201
PID 4788 wrote to memory of 5980	4788	WScript.exe	201
PID 5980 wrote to memory of 4984	5980	sysmon.exe	202
PID 5980 wrote to memory of 4984	5980	sysmon.exe	202
PID 5980 wrote to memory of 3152	5980	sysmon.exe	203
PID 5980 wrote to memory of 3152	5980	sysmon.exe	203

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe
"C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DzPHbAiEIL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4472
- - C:\f9532e701a889cdd91b8\sysmon.exe
    "C:\f9532e701a889cdd91b8\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5096
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e674053-d497-4ffe-ad92-99c4656d1f1a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:852
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f696ce67-e0d8-48e0-b81e-3b1497392d28.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d64f94b-adfe-4ca9-b8ad-ab87ec199fab.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bf833e2-89ff-4c5d-ac32-a50ad9c5bbe3.vbs"
        10⤵
        
        PID:4984
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add1b97e-d1ae-422b-adea-fc9470e3a0d4.vbs"
        12⤵
        
        PID:3724
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dbbac4a-39d6-4f48-86f9-7225cb8dd075.vbs"
        14⤵
        
        PID:1988
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        
        C:\f9532e701a889cdd91b8\sysmon.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b030c44-f319-4024-8379-9df45e80d19c.vbs"
        16⤵
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d357d13-13a3-4ba0-93ad-146a606d40c3.vbs"
        16⤵
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae667cfb-79fb-4657-9a62-f7cd7b0f4df5.vbs"
        14⤵
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4a411a-ee07-492c-aab4-ccd238dda154.vbs"
        12⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c9ebc5-c781-426e-9a90-91e33b1ebbbc.vbs"
        10⤵
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\670099f9-d1b3-4622-9eaf-7b24baa810ca.vbs"
        8⤵
        
        PID:5220
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ebb0a2-ea7b-4cbd-a903-4265be561d4d.vbs"
        6⤵
        
        PID:4708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72a234f8-ff65-49c6-a29d-aff7978fd73c.vbs"
      4⤵
      PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e4048" /sc MINUTE /mo 10 /tr "'C:\Users\Public\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404" /sc ONLOGON /tr "'C:\Users\Public\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e4048" /sc MINUTE /mo 6 /tr "'C:\Users\Public\82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\fr-FR\Idle.exe

Filesize
1.9MB

MD5
9fa4f6fb1bb3237afc9fceed7cd15aee

SHA1
910f3ee2f603886e5f83349ed4b180214e0a6b27

SHA256
89b86579fbe24f14cf964c4f7047bd8e4b3ff199a1f9f3c396113e92cca1019e

SHA512
5da090ed9b1b747e3cb24e9d10536f22278c3cec9972644d57755324cc2241c1475e22c9c3db7398ad74f85c378cadc8c1230ac607c0da8366da5eff01383b64

Download Submit
C:\ProgramData\Microsoft\fontdrvhost.exe

Filesize
1.9MB

MD5
156ec9417504508e70dc747f41bae139

SHA1
5ca35749fc03ab42b6aa147b2965b7422315393e

SHA256
c4db013264e49d01c3c25da9254497bc7e27f55cca2a12eb143c1ed61ad4ed8a

SHA512
6c1c7f3697a461ae2d1ba8e9f971c4deb23f3daf96927afbd0877fedd948c7083ec74aa750bcf7976541f560469133f51671881d56c0a079124f7130b35c5c64

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.9MB

MD5
b73763d3a22606c1bde4c8de500a59d5

SHA1
651c44d9fa8e83a5ff59dd063371a5f16062eab8

SHA256
7854c2aef74d0460d14bcd8edeadf6df71c7b55f5cae197c73c0810e1cf5f6b3

SHA512
93512a35572d321a3ac6623742a40ad10f925006bb5de3498456f0615c174f1aa658fc1145de769b8d5245171041f5b7290b75c01de93942bd7b8d477a706c20

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
1.9MB

MD5
9febf3c626c01367a6e966725e83befd

SHA1
bd849cbcaae7b20dc3178c0bb94eb93e28b2be8b

SHA256
2fc79f113591e9396ff55ccf5bc698c08c329ddbb9f21dee5907ca82b47efb70

SHA512
31b8c5615f4d98eeeea596199523dbf1c5be1da71186f28907c0055759e85a24db6013420b6303d714cc975214f9b4de392d544838362f2921a40365071d6e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d6be353071c88740854583bdec012da9

SHA1
41e878ee8d34decbeec5ff5b590d10f3e99679e5

SHA256
af4f5eb0e62df1a63b700c151c24cb8a8e0dd3c9b09f809519efe8342b4e87c6

SHA512
cf5b17dcb4c89f7076a6d2ae261fca4263b13778eef45c6ef6d8bf2741ecc9b74cbb63cfc7cd86bd88dde71d356c05517465d7bceedddcd5e2c203aacedc3b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c63980b62b932c2336743babc337af85

SHA1
0ef001498596b702a9fd8944795d7ccb7aac5333

SHA256
59df6f476d34b7f08f279482dea01d2331665c987406de593ebcfd4bcbe73665

SHA512
71dab1d77cdefe2b22c6fd787dedf6c5296f05d450878d550ea9cd1f30fc575c6a234a1f798bb53815715f7f2d3db456358c1173f605f1eeabf41d921e94d067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
afc798b866b5e59eed81ed1ae790ab89

SHA1
f0198f123b8c2b4428e95f4eb1af52043f1a27ad

SHA256
4252f8b41ce5a5d808e0c8418440c8432b7075025fd3bf8e16cc1fc7697000f4

SHA512
463266fcb03789158528abcee746f35e8069e1f03dad6ab3d8aa30cd31c2c1c110cbb79ae44ef922b6a1765855ea7e5e4aa2a1d449e9d9e96c9f85d224b74e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
316c42ca95cd0ccbfd60996129f65adc

SHA1
e80bc56d3e28fc9081faae6a735d262fb0a8bbb1

SHA256
2cc6c0e6fc4690b21a7d1e699a487e22845a85933bab71638df535bb668e2d2f

SHA512
7be9772d74adec60087a0d18ef2a7ce837e7755f59077f311c4e52727184057774d279a508fb2407560f7a0b79f5c9a48fab8aff3f629bf2d967218816384242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc05a4f71923730b4eed5cb63f86aeed

SHA1
798199489ad94c55021a92ec812b320ed90b5711

SHA256
557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650

SHA512
fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc3171c3b52aa17359a2dd52f98ac905

SHA1
690d766c5fc3f21a91e27e4ba11513f135c640ee

SHA256
cdab093c32bd06c16808a03bef83de05f6a5ed68dc335fada9f925831215cf33

SHA512
5a069ce11527f5375ab5a8ef53602b39ce7e44a61a1e001662ec06836715c1bcdba34da441ec599648b761f1234e7231d160c4e0ccec92d9d003c3d31420d40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ea4fdbf8bad883929456091a1e50194

SHA1
fc3b6026729ad36729c2cc4349b8e7a94255ad71

SHA256
ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

SHA512
27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ec1de5af22ee94e2a00a91da98957bd

SHA1
0ade5098be757a47adb6d5d0dbf576bcf41d6253

SHA256
540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

SHA512
8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68bf9e6d0adb2ef3481ca14096fb649c

SHA1
16ca4ae4e06b787cb7ce84d9520fe27d09800063

SHA256
f450abac163b8b6e1390084d47356b54bfcde6c0411924907d24c727e964025e

SHA512
3dee6b307cb014ada181e92e2358f40eebfd3c7e19ee3f33ffbe7a600f4052a73a8120d64eb51639ae23d64c94ad7fc60fda740f6c7487ff8285602dd24a024c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b030c44-f319-4024-8379-9df45e80d19c.vbs

Filesize
710B

MD5
729c619a4a6d229597077aebe51bbc56

SHA1
4afa8ef6943b5afac78b7406bfdb4d3a5185d25b

SHA256
c9f613629668131b23a266c75508a9a683836ff272492b2190b78c50f621cac4

SHA512
14dfab123d8c98df4fa7ea4f061f30b146158f9fa4beed9244be0611bdcb926c350f8e399602b308e9113da2745b34425856cd56c13ca1490d4f95ad9815d91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dbbac4a-39d6-4f48-86f9-7225cb8dd075.vbs

Filesize
710B

MD5
db261a5cb1477e18dde2dfa67ee46daa

SHA1
097b635cbfd89edf6240c73dbace44363e706db8

SHA256
45a0da0d33dbde7a709e483ebe2c4cfa554818c3eef571b490a8c5e00f6b13ac

SHA512
473f6875c77644046fd5c6e7a42ad152b389b01c90688fc6ebf323dabaaef594420bfaabe90ad40cfa34f42dfaf03e9f7401613831c972016a173e650d0fa45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e674053-d497-4ffe-ad92-99c4656d1f1a.vbs

Filesize
710B

MD5
807f4a123d34c30ee18086fe5827dac2

SHA1
0449774cce122a08633000465b9a554ab6ec55c3

SHA256
90949de8e916d35ca68b061867f4d5e3eb0bf9b62ef1e59bf1ab32f35b41e1ac

SHA512
2e9be503b123de738b4e1d423f4bb3c5244ce7daeb63b27b6f99f04160dd80cc8040bfe5753e63b1cddfc7978228c234ea854858a3d19afdf789cfef8a988277

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d64f94b-adfe-4ca9-b8ad-ab87ec199fab.vbs

Filesize
710B

MD5
5c70206dba7667efcd442a009f076d45

SHA1
7a281a8038b2bc26a6ba2960c66f18ea5a19b49a

SHA256
72ebdea77e06030bb4ea0359523f91aaefa2e4621bd27b5a2ae2fef867cf0114

SHA512
9ac5e44e17eb3889bb956d319f4027258d20b95dc0d9c66e4522b323d1191f14a8728dae59ddf53b1c7200cac001f7d3c932080fffc6172f4b4306ca6e175982

Download Submit
C:\Users\Admin\AppData\Local\Temp\72a234f8-ff65-49c6-a29d-aff7978fd73c.vbs

Filesize
486B

MD5
6aa29681f11fb60317ad1a32d5cf75b8

SHA1
3d8865fc00758d6f3da836ec1f6729f2aa94a5ad

SHA256
dcc6ce4423138371a7ab394c6eeb742f4b4578c9aa3cbdc16f79b2b9f376733e

SHA512
e398465b5b109f8b89a56c388c83629a53f86bf5dadd3b586375edf0033f3a6423fcba7c920afeb155950e603214eca136dc60c414d7c938cb77329bce611889

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bf833e2-89ff-4c5d-ac32-a50ad9c5bbe3.vbs

Filesize
710B

MD5
1ec28c160a6dced25a2eea09b60b42a8

SHA1
64759eb862ab48936a4bef246e3663616629e025

SHA256
0409b0522eb0d9f99746013be6b17c05c061c492aee85568d96e909e77cf536a

SHA512
196bec81dbc53d7e7dd94fb485b4f180f57746f834f5e1624254a48dbf85cd7bad2c1e908f18a8ce022b73b9290c8cb280df41a0d2497311e5ea8bbb128faa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DzPHbAiEIL.bat

Filesize
199B

MD5
05d9ab8f8fbc14b24f77ad9a402f6701

SHA1
3fdc73f96bca522374de51d9cf764c93bf907cf9

SHA256
f88b984bb10d0c773c39038dc0651676c3655432e6546df63833433f0bebf772

SHA512
f0ac19c6a8ccefbd40366f68d549394e621489628b5eb7fc962690906431974b6adf9637adf037830375bea6fdebce302415af153cbf3e1beea1f60cdf4698a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sozk0mfp.xhu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\add1b97e-d1ae-422b-adea-fc9470e3a0d4.vbs

Filesize
710B

MD5
fa042d68906a07a000cab63c799ecfeb

SHA1
d90d86d9bdebbb0461e786f20271e69c854f4055

SHA256
b6cf8ea747425b9bd9d610de25e299c7cb3f8bcf923f12d4d6caf7bbad8a9206

SHA512
449204108b108109827270278090a65e8f088a27ab606dc25a508cc0bfc5e79c7dec4bd98c9cd2ef3ad2bdebb3121bd4b1d23490adf6485de5203df4c90ede9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f696ce67-e0d8-48e0-b81e-3b1497392d28.vbs

Filesize
709B

MD5
2efa187f25aaa95e488ed91b06a90ff6

SHA1
b3839b98a398252486ac665990d281df70ef4cdb

SHA256
831e17f01bd7674ea5d1e0417ec09a18f4b9c568e8854a5343193a8ad0ebb973

SHA512
a149a89a94881a07174096ba79f73a1e480b6b2042570a27d742845528450c290192c3698c14cc4ce1658036ecf91825f8634142c72c2e09cffa4244882589be

Download Submit
C:\aff403968f1bfcc42131676322798b50\csrss.exe

Filesize
1.9MB

MD5
7e8baf30c1abad43effe333586ed0a3a

SHA1
e7cb64e7ae6be567ca002026cee7e99621f627af

SHA256
b704ff9ace875b4fcc01d7435ee4f03282dc6b42bcd5b0b156eaf17e8a86648d

SHA512
5b9c639bcd2f445e89b18e8b61d249fbab15fc2da07948819a2ed8c5942c821b8e57ae31564faac216a4a78c88d0f39035af7f9368699f189bfc9a699799f685

Download Submit
C:\f9532e701a889cdd91b8\sysmon.exe

Filesize
1.9MB

MD5
137d068c92f966611feaee3383ab28ce

SHA1
31afc2071c0f899e12a210b44a460468807af620

SHA256
82dc0c2f48327b7dad22ea176fcf9e6b8dfcd5de417b762bd41d38ca4d50e404

SHA512
8024f3502da2ef447887a0f97578a5c84dd86db7f2552dd5c5ac5c7da41b15bb4649dc478f33c2a5a31526ceebe947ed1c0f4cf679f046d90f10997c46117912

Download Submit
memory/852-481-0x000000001B050000-0x000000001B0A6000-memory.dmp

Filesize
344KB

Download
memory/2332-16-0x000000001B3A0000-0x000000001B3AA000-memory.dmp

Filesize
40KB

Download
memory/2332-6-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2332-20-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/2332-0-0x00007FFB47C43000-0x00007FFB47C45000-memory.dmp

Filesize
8KB

Download
memory/2332-17-0x000000001B3B0000-0x000000001B3BE000-memory.dmp

Filesize
56KB

Download
memory/2332-18-0x000000001B3C0000-0x000000001B3C8000-memory.dmp

Filesize
32KB

Download
memory/2332-19-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/2332-15-0x000000001B390000-0x000000001B39C000-memory.dmp

Filesize
48KB

Download
memory/2332-14-0x000000001C480000-0x000000001C9A8000-memory.dmp

Filesize
5.2MB

Download
memory/2332-13-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/2332-11-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2332-10-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/2332-9-0x000000001B4E0000-0x000000001B536000-memory.dmp

Filesize
344KB

Download
memory/2332-1-0x00000000004B0000-0x000000000069A000-memory.dmp

Filesize
1.9MB

Download
memory/2332-2-0x00007FFB47C40000-0x00007FFB48701000-memory.dmp

Filesize
10.8MB

Download
memory/2332-7-0x00000000027E0000-0x00000000027F6000-memory.dmp

Filesize
88KB

Download
memory/2332-8-0x0000000002800000-0x000000000280A000-memory.dmp

Filesize
40KB

Download
memory/2332-5-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2332-263-0x00007FFB47C40000-0x00007FFB48701000-memory.dmp

Filesize
10.8MB

Download
memory/2332-211-0x00007FFB47C40000-0x00007FFB48701000-memory.dmp

Filesize
10.8MB

Download
memory/2332-195-0x00007FFB47C43000-0x00007FFB47C45000-memory.dmp

Filesize
8KB

Download
memory/2332-4-0x0000000002820000-0x0000000002870000-memory.dmp

Filesize
320KB

Download
memory/2332-3-0x0000000000EF0000-0x0000000000F0C000-memory.dmp

Filesize
112KB

Download
memory/4060-273-0x00000195582A0000-0x00000195582C2000-memory.dmp

Filesize
136KB

Download
memory/5096-468-0x000000001B920000-0x000000001B976000-memory.dmp

Filesize
344KB

Download
memory/5924-493-0x000000001BEA0000-0x000000001BEF6000-memory.dmp

Filesize
344KB

Download
memory/5980-505-0x000000001B3D0000-0x000000001B3E2000-memory.dmp

Filesize
72KB

Download