525209de288e36bab56d3a19446249ffd067c8757b5d5870daa6a782b9567e74

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c46d70788b60ff0ba7ea4c5f0549f18.exe
Size

1.9MB
MD5

6c46d70788b60ff0ba7ea4c5f0549f18
SHA1

10cd8b050891004ca06c2be54d55e38a243be162
SHA256

f4b884338e802040f828153f0a161ab18205ee0a90b8f778831900c7ae97c465
SHA512

c156dfae670696f766ef3672e3513f7c0f66460674cb78c4419b876f36128e593fc9a8be6923d752116f855d3334df65bbc8f26010aee9d8c8d6e4db430ee81a
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2812	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2812	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
892	powershell.exe
1156	powershell.exe
1616	powershell.exe
1888	powershell.exe
2204	powershell.exe
2172	powershell.exe
836	powershell.exe
708	powershell.exe
2520	powershell.exe
2320	powershell.exe
2480	powershell.exe
956	powershell.exe
2552	powershell.exe
1608	powershell.exe
2008	powershell.exe
1640	powershell.exe
2088	powershell.exe
2284	powershell.exe
2924	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6c46d70788b60ff0ba7ea4c5f0549f18.exe

Executes dropped EXE 7 IoCs

pid	Process
1348	smss.exe
2300	smss.exe
2004	smss.exe
2124	smss.exe
1972	smss.exe
1976	smss.exe
1040	smss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6ccacd8608530f	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX230E.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\69ddcba757bf72	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6203df4a6bafc7	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Google\Update\System.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Google\Update\27d1bcfc3c54e0	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX39CC.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX39CD.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX4599.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCX4607.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RCX29C7.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\RCX29C8.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RCX3C3E.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\RCX3C3F.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\886983d96e3d3e	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX22FD.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Google\Update\System.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\27d1bcfc3c54e0	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCX4327.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCX4395.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\b75386f1303e64	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Windows\TAPI\42af1c969fbb7b	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX3052.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\TAPI\RCX40B5.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\TAPI\RCX40B6.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File created	C:\Windows\TAPI\audiodg.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\RCX3053.tmp	6c46d70788b60ff0ba7ea4c5f0549f18.exe
File opened for modification	C:\Windows\TAPI\audiodg.exe	6c46d70788b60ff0ba7ea4c5f0549f18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
272	schtasks.exe
1768	schtasks.exe
1544	schtasks.exe
2924	schtasks.exe
2840	schtasks.exe
2776	schtasks.exe
1192	schtasks.exe
1992	schtasks.exe
2168	schtasks.exe
1480	schtasks.exe
1856	schtasks.exe
1328	schtasks.exe
1908	schtasks.exe
2116	schtasks.exe
2004	schtasks.exe
1712	schtasks.exe
1628	schtasks.exe
2184	schtasks.exe
1728	schtasks.exe
1040	schtasks.exe
1176	schtasks.exe
1888	schtasks.exe
2472	schtasks.exe
1804	schtasks.exe
2424	schtasks.exe
2564	schtasks.exe
2340	schtasks.exe
2920	schtasks.exe
1212	schtasks.exe
2492	schtasks.exe
2736	schtasks.exe
1996	schtasks.exe
2484	schtasks.exe
2044	schtasks.exe
2648	schtasks.exe
2688	schtasks.exe
3040	schtasks.exe
2512	schtasks.exe
1780	schtasks.exe
2188	schtasks.exe
2640	schtasks.exe
1064	schtasks.exe
1624	schtasks.exe
2568	schtasks.exe
404	schtasks.exe
2608	schtasks.exe
1268	schtasks.exe
2124	schtasks.exe
2580	schtasks.exe
1124	schtasks.exe
1788	schtasks.exe
2276	schtasks.exe
2108	schtasks.exe
1648	schtasks.exe
2020	schtasks.exe
576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
2480	powershell.exe
2284	powershell.exe
836	powershell.exe
2088	powershell.exe
956	powershell.exe
1624	powershell.exe
2204	powershell.exe
2520	powershell.exe
892	powershell.exe
708	powershell.exe
1608	powershell.exe
2320	powershell.exe
1156	powershell.exe
2008	powershell.exe
2552	powershell.exe
2924	powershell.exe
1640	powershell.exe
2172	powershell.exe
1616	powershell.exe
1888	powershell.exe
1348	smss.exe
2300	smss.exe
2004	smss.exe
2124	smss.exe
1972	smss.exe
1976	smss.exe
1040	smss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1348	smss.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2300	smss.exe
Token: SeDebugPrivilege	2004	smss.exe
Token: SeDebugPrivilege	2124	smss.exe
Token: SeDebugPrivilege	1972	smss.exe
Token: SeDebugPrivilege	1976	smss.exe
Token: SeDebugPrivilege	1040	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1616	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	88
PID 2516 wrote to memory of 1616	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	88
PID 2516 wrote to memory of 1616	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	88
PID 2516 wrote to memory of 1888	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	89
PID 2516 wrote to memory of 1888	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	89
PID 2516 wrote to memory of 1888	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	89
PID 2516 wrote to memory of 1608	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	91
PID 2516 wrote to memory of 1608	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	91
PID 2516 wrote to memory of 1608	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	91
PID 2516 wrote to memory of 1156	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	92
PID 2516 wrote to memory of 1156	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	92
PID 2516 wrote to memory of 1156	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	92
PID 2516 wrote to memory of 1640	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	93
PID 2516 wrote to memory of 1640	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	93
PID 2516 wrote to memory of 1640	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	93
PID 2516 wrote to memory of 2008	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	94
PID 2516 wrote to memory of 2008	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	94
PID 2516 wrote to memory of 2008	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	94
PID 2516 wrote to memory of 708	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	95
PID 2516 wrote to memory of 708	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	95
PID 2516 wrote to memory of 708	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	95
PID 2516 wrote to memory of 2552	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	97
PID 2516 wrote to memory of 2552	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	97
PID 2516 wrote to memory of 2552	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	97
PID 2516 wrote to memory of 2088	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	98
PID 2516 wrote to memory of 2088	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	98
PID 2516 wrote to memory of 2088	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	98
PID 2516 wrote to memory of 956	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	100
PID 2516 wrote to memory of 956	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	100
PID 2516 wrote to memory of 956	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	100
PID 2516 wrote to memory of 2172	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	102
PID 2516 wrote to memory of 2172	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	102
PID 2516 wrote to memory of 2172	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	102
PID 2516 wrote to memory of 2480	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	104
PID 2516 wrote to memory of 2480	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	104
PID 2516 wrote to memory of 2480	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	104
PID 2516 wrote to memory of 2204	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	106
PID 2516 wrote to memory of 2204	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	106
PID 2516 wrote to memory of 2204	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	106
PID 2516 wrote to memory of 2320	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	108
PID 2516 wrote to memory of 2320	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	108
PID 2516 wrote to memory of 2320	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	108
PID 2516 wrote to memory of 892	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	110
PID 2516 wrote to memory of 892	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	110
PID 2516 wrote to memory of 892	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	110
PID 2516 wrote to memory of 1624	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	111
PID 2516 wrote to memory of 1624	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	111
PID 2516 wrote to memory of 1624	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	111
PID 2516 wrote to memory of 836	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	112
PID 2516 wrote to memory of 836	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	112
PID 2516 wrote to memory of 836	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	112
PID 2516 wrote to memory of 2520	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	113
PID 2516 wrote to memory of 2520	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	113
PID 2516 wrote to memory of 2520	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	113
PID 2516 wrote to memory of 2924	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	114
PID 2516 wrote to memory of 2924	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	114
PID 2516 wrote to memory of 2924	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	114
PID 2516 wrote to memory of 2284	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	115
PID 2516 wrote to memory of 2284	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	115
PID 2516 wrote to memory of 2284	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	115
PID 2516 wrote to memory of 1348	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	128
PID 2516 wrote to memory of 1348	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	128
PID 2516 wrote to memory of 1348	2516	6c46d70788b60ff0ba7ea4c5f0549f18.exe	128
PID 1348 wrote to memory of 1804	1348	smss.exe	129

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6c46d70788b60ff0ba7ea4c5f0549f18.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe
"C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6c46d70788b60ff0ba7ea4c5f0549f18.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\6c46d70788b60ff0ba7ea4c5f0549f18.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\6c46d70788b60ff0ba7ea4c5f0549f18.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d3707f-fea6-48d6-aad3-8a88a43cd07b.vbs"
    3⤵
    PID:1804
  - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
      C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2300
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caf5f846-e0e7-411e-a2d1-66ec7bb6f636.vbs"
        5⤵
        
        PID:1700
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a137258-266b-48bf-a4d6-748efd8571fe.vbs"
        7⤵
        
        PID:1652
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0480d5b5-c1de-4beb-915c-ef55f810b20b.vbs"
        9⤵
        
        PID:708
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf61631-966a-4192-aceb-acbb8644ece1.vbs"
        11⤵
        
        PID:2276
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a67178aa-d3bf-44c7-a561-38730446e18c.vbs"
        13⤵
        
        PID:3044
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38b56b22-93c2-497a-9afa-b77a9ceeafdd.vbs"
        15⤵
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2622bafe-3667-4e28-9c29-7d5e844fcb13.vbs"
        15⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394f2a3a-644a-43ad-8110-1a56f014e454.vbs"
        13⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41152945-23ba-4972-b0e1-b9bf5b5b18d6.vbs"
        11⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e85fb9-d823-439c-91ac-430690a2fcd2.vbs"
        9⤵
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16d035b-b61b-4f44-876c-3ef5fe1c7604.vbs"
        7⤵
        
        PID:1268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032c7cb2-f8db-445b-b2eb-90142ab65730.vbs"
        5⤵
        
        PID:2840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b4b1a1-9944-4fe2-89bf-a1f926af257d.vbs"
    3⤵
    PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f186" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f18" /sc ONLOGON /tr "'C:\Users\Default\Downloads\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f186" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f186" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f18" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6c46d70788b60ff0ba7ea4c5f0549f186" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\6c46d70788b60ff0ba7ea4c5f0549f18.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCX4395.tmp

Filesize
1.9MB

MD5
7e56baf6588f73cbc2d2fd2fd02c27d8

SHA1
2881efd42565f459c316064f67f029f476c615f2

SHA256
14acedc286434a7ec0f978e043e231e4351e4c90a230f68ef87676cacce64aea

SHA512
4ba4c211c021ec67fed69c752c5753a92b2fc797a83cca20edb6c6b490296ec38664d0625e8bab651731f2ec19ae850356e9e6a369a42d0ed635f4d4fd19e977

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Idle.exe

Filesize
1.9MB

MD5
e1d2374101b80907cc489ec09c36f534

SHA1
2ae436c3b099e014848cc147f8c48c6c291ac657

SHA256
9450f39af5cc107049e5bbfc115d7f3932f7b8948b01b0f286e3a907dc4bb2d7

SHA512
8bed44c238f572ef66d864b871756d5ea33bb3d05c4ce47dfc5a05bbedecb4fdb647bfff919e651968db7cb9a87126b53b689784953eb536ceac0d1a40b135a2

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\taskhost.exe

Filesize
1.9MB

MD5
66734f2ee56af5cb930e611f38724550

SHA1
ddb35e01efb7caf9d2b49762992f55205168c05a

SHA256
168b2ebda2fb108391c5e21c3edbd40d62fbe29c46429d0937ed022acfac0e94

SHA512
97810eef955c36f80e6e5087e7196caa3d5e896b6db69125d6b821ee1d958d8f9f6af04a2a376ca95635b136e2778e64393ce8b722ab1c72df0038082d3db13a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\6c46d70788b60ff0ba7ea4c5f0549f18.exe

Filesize
1.9MB

MD5
9557a58c1288c2a96074e8d5fee8e0ab

SHA1
93ffe00043647e10e6e15408597759460d4c7450

SHA256
46c795171ed593b029f40b5a550e06e0b0ec03c3496bdb488f4c235a8dd3c7f3

SHA512
a1626c6a60a3e4efe7ab1b1855d8cf977443ae5863bd0fd3ee9db6f356c3bc7c92be4aab7b7cd00aab57e694a4c55b06f579d2e057c7f2c6c20b6e27fc2b6f66

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe

Filesize
1.9MB

MD5
6c46d70788b60ff0ba7ea4c5f0549f18

SHA1
10cd8b050891004ca06c2be54d55e38a243be162

SHA256
f4b884338e802040f828153f0a161ab18205ee0a90b8f778831900c7ae97c465

SHA512
c156dfae670696f766ef3672e3513f7c0f66460674cb78c4419b876f36128e593fc9a8be6923d752116f855d3334df65bbc8f26010aee9d8c8d6e4db430ee81a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe

Filesize
1.9MB

MD5
d12f68e1b7b60e09c815dd13a86ca566

SHA1
00d5b615d8d6ac809ebaec7ff36ed3839dca5a2c

SHA256
283654b178dc3f66370f812ce5ccf97500ca94649113d88afa262f406f46bd55

SHA512
ea71972127bd1ae3e3fc4c49c87a707416f8efa1675b7b4ea963de3ec5c4694ce15498ee103d5abec7cb64a7598a23315c31fd4998625572352c8d811877d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\0480d5b5-c1de-4beb-915c-ef55f810b20b.vbs

Filesize
733B

MD5
8e16dad83eb87afe0f2b6c930a48c40c

SHA1
8295589a1bef6c908109f743c82aba7ccc93c36c

SHA256
042a237160c7fe3470dd40f2d7303d3d3e1c333f4d71de248d6f271af1cb5373

SHA512
c94be1cf47d773fb06b45ee70b138f6ba48cb8cfc9e7c51b1f0c4966afe6653472534902523a6694869b39ab39411818badb1d8af6d43164ffdfead92e210618

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a137258-266b-48bf-a4d6-748efd8571fe.vbs

Filesize
733B

MD5
0fca0b0fe706accd9a73efa71e74c4fe

SHA1
8dd9080e7c63fe0fb3532b5d5d114a6ebb111ee9

SHA256
e6b305d04d09b3ba38c511552bb4e33ee4689824a6e8defac97ed79e74367e9c

SHA512
1d1a42259fd54885bfab9adef92e5f9d9b122d6eec946e323096eeda3de259e2c60017a4a4d8667c9cf7785f31fa5df78ab4b8bdf3317ded395e09a23e0e2a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\38b56b22-93c2-497a-9afa-b77a9ceeafdd.vbs

Filesize
733B

MD5
05b66a7a74d2fa61adfa8369bee3fda1

SHA1
ba41cae1f770f1b2dc52293041f5733b0d5022e8

SHA256
cdba8d44064b3fcc96d5312bb7cbd79337c0687a4838b89a211dcbeb30687350

SHA512
21811ae9cbeb34715fe3a73524a9aa0d03d26125b83ea8b796295eac4c4615b93bdc30728b1567ba8d6c35ba4ed8599400d1d298ffb02ccc1cc0417f36619275

Download Submit
C:\Users\Admin\AppData\Local\Temp\46d3707f-fea6-48d6-aad3-8a88a43cd07b.vbs

Filesize
733B

MD5
d7f1cc598b88d484067d2286eacc8312

SHA1
2ff2a63267086c473a5152d41316875fcf095b04

SHA256
6fbe7f3b4da9c30f050cd2964663b66aaaba273f20e0af46b0379bf745dc9ba9

SHA512
1cccc633a132bf2257718cb22a717e593f0809e6eb9bc89b752f7b25d1fff5f0d10bccb549e041ed7bdb038cec087f88e34a9c9af8ac22e3bb39375aefcdc78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99b4b1a1-9944-4fe2-89bf-a1f926af257d.vbs

Filesize
509B

MD5
5d339ddee8940634806ff9f3539e93f3

SHA1
91331064bbeea0e2b3efd96b5702ffc1ec211254

SHA256
0152dd17258132c105e802f6aca7e106d41996ee04c5153b0ae70ddaa7b87e08

SHA512
04732f62b6f3d192087a1c7c52f3c7d30fcd5507245c1ba4d741b5bef9afd37190803809a6623722279f79daa106ded0ec855fa91d782b680a4da914a812562a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a67178aa-d3bf-44c7-a561-38730446e18c.vbs

Filesize
733B

MD5
9d68a7eade5121c2ad8472ff5784015c

SHA1
9ff2e1d00656bf0c3c4f0777d1c89b3a43d844a1

SHA256
d9b1f9ea241d41c0a1da52b6750605b14e3961440f58c830f36dbb081cc92414

SHA512
8cc68b8292b0fc4dec1285f38c080ebbf9d172f600a7aca8bc12bb9f1c553a60454800052d990453a61efb7e16f9ad4fae85691fd48480cc88268f493076e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\caf5f846-e0e7-411e-a2d1-66ec7bb6f636.vbs

Filesize
733B

MD5
7f3eb00b45aa2eb309f445af97af557f

SHA1
15eba9058aaaf82c284210382b1ae37e98567167

SHA256
9cbf16a8eb768d906757472379978291509d0d7f41943a40799bba378a12c7a0

SHA512
c09922331281008ec1fd20105b728f1e17ccb128195f485da725aad35c37220451d91a9726d445739b3175a53eb4d7e7a86307f54ecfac7096eff6b0913278af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddf61631-966a-4192-aceb-acbb8644ece1.vbs

Filesize
733B

MD5
08861757cbbf854657c8dbeb1b83f39f

SHA1
3f643b4bf03efefc29f48468b002d34e542df853

SHA256
15167e51dc45f66a6d3a55f2860dd3ad5a2b4a25dd3322b0d18596c3642d23a0

SHA512
a8bdc923137917b3abdd8dcfc600041f6352b8e08208dd0c4925e98edf91d060848908e8ca77b6cf92565223bdf25e1e6f9d0c4cb3431dc6c09b92e0ea91437b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X9M5M2MF78QB808AS6C2.temp

Filesize
7KB

MD5
8e8bead467deb9b4fd11ae48c89596d9

SHA1
573af28b07a69bb194882ad01ab69c79f9592941

SHA256
ff12cdc0057c00d512417e9dd0a08cbde6882f44bb7e10a5d8f306e4edbf25b2

SHA512
277e64d90811de6d0e7a8f690b55043e23dccd78eab5a320ac258814f434fdaa95bcad3d3d57c6ebdc7482911243612a0b5bbf503f7ad33dc51335a1d560a97d

Download Submit
memory/956-334-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/1040-444-0x0000000001280000-0x000000000146A000-memory.dmp

Filesize
1.9MB

Download
memory/1348-374-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/1348-369-0x0000000000700000-0x0000000000756000-memory.dmp

Filesize
344KB

Download
memory/1348-356-0x0000000000A60000-0x0000000000C4A000-memory.dmp

Filesize
1.9MB

Download
memory/2004-399-0x0000000001260000-0x000000000144A000-memory.dmp

Filesize
1.9MB

Download
memory/2284-344-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2300-387-0x0000000000DD0000-0x0000000000FBA000-memory.dmp

Filesize
1.9MB

Download
memory/2516-12-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/2516-224-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-200-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2516-18-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/2516-17-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2516-16-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2516-15-0x0000000002390000-0x000000000239E000-memory.dmp

Filesize
56KB

Download
memory/2516-365-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-14-0x0000000002380000-0x000000000238A000-memory.dmp

Filesize
40KB

Download
memory/2516-13-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2516-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2516-10-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/2516-9-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2516-8-0x00000000006B0000-0x0000000000706000-memory.dmp

Filesize
344KB

Download
memory/2516-7-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2516-6-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/2516-5-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2516-4-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2516-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2516-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2516-1-0x0000000000360000-0x000000000054A000-memory.dmp

Filesize
1.9MB

Download