5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

Analysis

max time kernel
99s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Size

1.9MB
MD5

98666af3ef6ab2bcc4a5b3153a2e8d78
SHA1

b936c266aa4b4b85c113321fead31164955b8fa9
SHA256

91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6
SHA512

29ac1f9ad8331924e8fc7cb964b5e417d957b7597347103196739b520dd7523c2f5836830cb98976ccd1af298809bf1a5529c46f879f4dd563a91d215d67d238
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2808	schtasks.exe	89

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5304	powershell.exe
1744	powershell.exe
5040	powershell.exe
5816	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 8 IoCs

pid	Process
2340	sysmon.exe
3556	sysmon.exe
4172	sysmon.exe
3960	sysmon.exe
2116	sysmon.exe
2964	sysmon.exe
3556	sysmon.exe
5292	sysmon.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\en-US\upfc.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\upfc.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File created	C:\Program Files\Windows Media Player\en-US\ea1d8f6d871115	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\121e5b5079f7c0	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX80EA.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX80EB.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\RCX82FF.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\RCX8300.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\EventLog\Data\backgroundTaskHost.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5720	schtasks.exe
4652	schtasks.exe
4756	schtasks.exe
4876	schtasks.exe
3924	schtasks.exe
1952	schtasks.exe
4900	schtasks.exe
4592	schtasks.exe
4672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
1744	powershell.exe
1744	powershell.exe
5304	powershell.exe
5304	powershell.exe
5816	powershell.exe
5816	powershell.exe
5040	powershell.exe
5040	powershell.exe
5304	powershell.exe
1744	powershell.exe
5040	powershell.exe
5816	powershell.exe
2340	sysmon.exe
3556	sysmon.exe
4172	sysmon.exe
3960	sysmon.exe
2116	sysmon.exe
2964	sysmon.exe
3556	sysmon.exe
5292	sysmon.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	2340	sysmon.exe
Token: SeDebugPrivilege	3556	sysmon.exe
Token: SeDebugPrivilege	4172	sysmon.exe
Token: SeDebugPrivilege	3960	sysmon.exe
Token: SeDebugPrivilege	2116	sysmon.exe
Token: SeDebugPrivilege	2964	sysmon.exe
Token: SeDebugPrivilege	3556	sysmon.exe
Token: SeDebugPrivilege	5292	sysmon.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5872 wrote to memory of 5040	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	101
PID 5872 wrote to memory of 5040	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	101
PID 5872 wrote to memory of 5816	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	102
PID 5872 wrote to memory of 5816	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	102
PID 5872 wrote to memory of 1744	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	103
PID 5872 wrote to memory of 1744	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	103
PID 5872 wrote to memory of 5304	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	104
PID 5872 wrote to memory of 5304	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	104
PID 5872 wrote to memory of 2964	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	109
PID 5872 wrote to memory of 2964	5872	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	109
PID 2964 wrote to memory of 1888	2964	cmd.exe	111
PID 2964 wrote to memory of 1888	2964	cmd.exe	111
PID 2964 wrote to memory of 2340	2964	cmd.exe	114
PID 2964 wrote to memory of 2340	2964	cmd.exe	114
PID 2340 wrote to memory of 916	2340	sysmon.exe	116
PID 2340 wrote to memory of 916	2340	sysmon.exe	116
PID 2340 wrote to memory of 6120	2340	sysmon.exe	117
PID 2340 wrote to memory of 6120	2340	sysmon.exe	117
PID 916 wrote to memory of 3556	916	WScript.exe	119
PID 916 wrote to memory of 3556	916	WScript.exe	119
PID 3556 wrote to memory of 5368	3556	sysmon.exe	120
PID 3556 wrote to memory of 5368	3556	sysmon.exe	120
PID 3556 wrote to memory of 1164	3556	sysmon.exe	121
PID 3556 wrote to memory of 1164	3556	sysmon.exe	121
PID 5368 wrote to memory of 4172	5368	WScript.exe	128
PID 5368 wrote to memory of 4172	5368	WScript.exe	128
PID 4172 wrote to memory of 1384	4172	sysmon.exe	131
PID 4172 wrote to memory of 1384	4172	sysmon.exe	131
PID 4172 wrote to memory of 4176	4172	sysmon.exe	132
PID 4172 wrote to memory of 4176	4172	sysmon.exe	132
PID 1384 wrote to memory of 3960	1384	WScript.exe	133
PID 1384 wrote to memory of 3960	1384	WScript.exe	133
PID 3960 wrote to memory of 1624	3960	sysmon.exe	134
PID 3960 wrote to memory of 1624	3960	sysmon.exe	134
PID 3960 wrote to memory of 1212	3960	sysmon.exe	135
PID 3960 wrote to memory of 1212	3960	sysmon.exe	135
PID 1624 wrote to memory of 2116	1624	WScript.exe	136
PID 1624 wrote to memory of 2116	1624	WScript.exe	136
PID 2116 wrote to memory of 3252	2116	sysmon.exe	137
PID 2116 wrote to memory of 3252	2116	sysmon.exe	137
PID 2116 wrote to memory of 4536	2116	sysmon.exe	138
PID 2116 wrote to memory of 4536	2116	sysmon.exe	138
PID 3252 wrote to memory of 2964	3252	WScript.exe	139
PID 3252 wrote to memory of 2964	3252	WScript.exe	139
PID 2964 wrote to memory of 4956	2964	sysmon.exe	140
PID 2964 wrote to memory of 4956	2964	sysmon.exe	140
PID 2964 wrote to memory of 3992	2964	sysmon.exe	141
PID 2964 wrote to memory of 3992	2964	sysmon.exe	141
PID 4956 wrote to memory of 3556	4956	WScript.exe	143
PID 4956 wrote to memory of 3556	4956	WScript.exe	143
PID 3556 wrote to memory of 4628	3556	sysmon.exe	144
PID 3556 wrote to memory of 4628	3556	sysmon.exe	144
PID 3556 wrote to memory of 1996	3556	sysmon.exe	145
PID 3556 wrote to memory of 1996	3556	sysmon.exe	145
PID 4628 wrote to memory of 5292	4628	WScript.exe	146
PID 4628 wrote to memory of 5292	4628	WScript.exe	146
PID 5292 wrote to memory of 5276	5292	sysmon.exe	147
PID 5292 wrote to memory of 5276	5292	sysmon.exe	147
PID 5292 wrote to memory of 232	5292	sysmon.exe	148
PID 5292 wrote to memory of 232	5292	sysmon.exe	148

System policy modification 1 TTPs 27 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
"C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtqM3qVsgq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
    "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2340
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f3fead-d7e0-4d4f-bdcf-3acf84977a5e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\252e4362-f138-4d41-ad50-d0adf9191856.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30976f72-20ba-4791-a2ab-78ee2bc7c01f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5cdbf97-4421-44ab-a505-246cc928da82.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13819d35-132c-47b8-911f-8321d339dd68.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32e1ad92-d1e8-474b-8a98-60e01fc10fcc.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ffefd03-921b-4e16-8d5a-a3e7fece93da.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b63b2d0-e87c-4faf-b1fa-405e7e82f773.vbs"
        18⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        19⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358de3f2-c0c1-401d-aeea-eb562159b781.vbs"
        20⤵
        
        PID:5592
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        21⤵
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac9443d8-a4a4-45f3-bd8f-23002b155ab0.vbs"
        22⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe"
        23⤵
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ebd923-26a8-4499-abae-da7bf33edab9.vbs"
        24⤵
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\375736df-1c27-4138-a509-eda5ee905115.vbs"
        24⤵
        
        PID:5816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1fd0520-fb45-4dfc-a0e9-9b4797ad5078.vbs"
        22⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d64bf627-2f32-45ee-8be0-ed8644eb2578.vbs"
        20⤵
        
        PID:5776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\813180b4-70c3-435d-9c9b-21223dc8dadf.vbs"
        18⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2183db5f-8602-45cc-958d-b8bead54ac92.vbs"
        16⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\490aae01-a24b-405c-9642-a9f524ce8651.vbs"
        14⤵
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a6589ed-0afc-496e-9ae6-bfe62b309aaf.vbs"
        12⤵
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045c9323-19e5-486d-b515-953ce2e18adc.vbs"
        10⤵
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b89f7d4-25e3-430d-b2e1-2671c5c52fda.vbs"
        8⤵
        
        PID:4176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dccbf3bd-18e1-488e-8713-67305cc4cabb.vbs"
        6⤵
        
        PID:1164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44653973-701f-468d-b7f0-416aa324d0ad.vbs"
      4⤵
      PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\en-US\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\60739cf6f660743813\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\dllhost.exe

Filesize
1.9MB

MD5
71d932175886bfd725c18ce89380524a

SHA1
5c7e1a0708db1a7ea3724fd1a6f47dadd9a4967c

SHA256
a0cefca70ed91eee64b21759b4ec4407818e9566877b2653f9bde29d5595e5c3

SHA512
da12325dc14125be837ba58b6db4bb12bc568da535568d2a1a32f378820bc691aa12ab9031ca1c78e3ec78d528504d71d6d7e21454e9bc19f2471912ccad92a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10f3fead-d7e0-4d4f-bdcf-3acf84977a5e.vbs

Filesize
768B

MD5
4e41d199d352b5366c2ac5a68acffd70

SHA1
d83cb30f54f628806ff8d1203d28c22aea1016dd

SHA256
91ed134d1cc293a3ab415a1e926f76e9bd2e08daa7ce806cb135c1b68e5ffdef

SHA512
7fb415d76581a3f4f70a5aec2875b2dfd5b9234ff887110b71d6e13ab23d3207036db24cb06b4fb06f9cac0be2ccd881537705d37ec0131cd742a18b749c0f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\13819d35-132c-47b8-911f-8321d339dd68.vbs

Filesize
768B

MD5
8d5193dc61a363d16603db06ce3efadd

SHA1
d6529e6c9ba9299765eae9dd108b89c9a34b644b

SHA256
9045cefe716311266a9095a3b05cd71aef64f7ac591c5113ddcdbc41bf31c01a

SHA512
89eec4e23fae050c24b9e4573e35b1c366f4adcfbac0f23a0deb87e3a4c1959864396f6eb2238e0d1a3c0699ca857c75efa39ac5d24d85e7ba59b9c16bac452a

Download Submit
C:\Users\Admin\AppData\Local\Temp\252e4362-f138-4d41-ad50-d0adf9191856.vbs

Filesize
768B

MD5
59f241b9b7c339c618461534a2edeb1d

SHA1
1f1c0b369021a126e16c067efe9ea333a84341a8

SHA256
d9a824f0b4c74c97d43f154fb3e1b170921b865d0bdc8b7dce9e97c9b5c9d3c6

SHA512
2378a7d83d1dbe61a5d689b933e21997ce29529be16af75f2bbfe165f970e1c1cae92410648b836c20e4a431887c61c57f0d57e67d65ef801aa4e23686fa4b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\30976f72-20ba-4791-a2ab-78ee2bc7c01f.vbs

Filesize
768B

MD5
4172a8ad2bca81f130e8d5dbbaf9adc5

SHA1
91af754dcbf9a5ab78a36b02b22681d6e45b257e

SHA256
a5040c1522db519f6898da019b852e3dd0b5151ffd9fc12d9cbc32036c51f080

SHA512
b6277b980b4e243b47333b3076abe65afd66cc5c02571d4e382161d1aeacf763167b8cac2da98c948875a00751df8757285307be9c746247154e513c16d0a0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\32e1ad92-d1e8-474b-8a98-60e01fc10fcc.vbs

Filesize
768B

MD5
f91e316e7137b37f9bdc7e344b4303cf

SHA1
e487ab472dfef28b2ead7a2d354793b4fc005157

SHA256
8af12e4d8263848eed5e9ed96209013383419cfbfd77aab2c13ae3841781d528

SHA512
8f14c5ea2e9fab3bf33f882f7e30283b99215003f801fb648eb6e7324ff7c0d18067a4cf9e04acb59e132f8d837dbe70d7590a703f8ca3f1e6d69c2e51b7ff15

Download Submit
C:\Users\Admin\AppData\Local\Temp\358de3f2-c0c1-401d-aeea-eb562159b781.vbs

Filesize
768B

MD5
740bd3de8f1cbaaa970abfb12059560c

SHA1
a0391c73a8c24ea8bf7d931013cc3b7529e669e0

SHA256
3d31b08ae594ac5fd7336c38085bbdd4481f8b43d5f9a31e6bb9e416ad6ca25e

SHA512
3dbaefb6ec72c9569e113431e52fa02034f114fcd1133674b77497f669b224629158e1f0403eb6743f4d3bd48796d3fa4b95eec1fbe98f6357543835727bde0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\44653973-701f-468d-b7f0-416aa324d0ad.vbs

Filesize
544B

MD5
b2681c57f2e21b718ba5ab60c694d40d

SHA1
03e5290c15cacb943b69068e043164f19f87bbc6

SHA256
d484434bb52937863fff6c71db7866e6e986f509a2ad87faff2b2f88b315fa1c

SHA512
966d20680ef3edcc5b7352a3daf221bb70fb57afb6c36827f9c1cdb2ef23fde16a65c1644b3bd3373065069b347684b33fafe6162f0fde07d7c902e2337d5d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\68ebd923-26a8-4499-abae-da7bf33edab9.vbs

Filesize
768B

MD5
5ef8b4a9dbb217a92b48b939e8530330

SHA1
d63d50bbce1004a990a904f5ff9c28f35941b3bd

SHA256
914a3d461c3745eecf65b9de2d56c9c04c93f37bf8a15858de152ec898763b03

SHA512
04e3112298b0ffd0c1079bf6ad51da77df614b49347c2a19b9d43b09ae6489cf58a89d750f1775cd6665c97ba106779d4852484b1a77aa325aa3065bf4f62707

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b63b2d0-e87c-4faf-b1fa-405e7e82f773.vbs

Filesize
768B

MD5
12bee09041f3d19e54c1e4d7fa7bb6f8

SHA1
cf5f43d57edf97600335b85ca21bb9dbb3c7bcc1

SHA256
dbe8f642062d6838923c017adcae80cffcbf9aa7a2f6b46ce3fb08f430360e43

SHA512
90e2c8410d9c3d79818d28106c4a14fc5b753b2b53335bf614c0a0ae829615915724b0a8bcbbed1479ed7f37f11ac05d3c5ac287ac6900f3e579395790b30a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtqM3qVsgq.bat

Filesize
257B

MD5
cf762bf9970fb2463f7d50aa192ca0dc

SHA1
3cb30b125880bc7c4c3ad1d990fe41e41aa4c954

SHA256
6e038373d67b9806e0eadf4bcb50422ad27d27990534e61f7fb5bf0fe049154e

SHA512
956c8943d500902db1aa56d994eac71f7359513e156a84a6c3c75e0022d074bbaae5ee8e7e995d6f3ae59295ab9de3dfe5b2ef3226eebe03a5317c6dcc5ee2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX7ED6.tmp

Filesize
1.9MB

MD5
98666af3ef6ab2bcc4a5b3153a2e8d78

SHA1
b936c266aa4b4b85c113321fead31164955b8fa9

SHA256
91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6

SHA512
29ac1f9ad8331924e8fc7cb964b5e417d957b7597347103196739b520dd7523c2f5836830cb98976ccd1af298809bf1a5529c46f879f4dd563a91d215d67d238

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btqvyb41.poa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac9443d8-a4a4-45f3-bd8f-23002b155ab0.vbs

Filesize
768B

MD5
8a3d1aaf63d482c4fc7d88a364f7130e

SHA1
0dd11153d222d38b1c857ce545b1fa22e003193d

SHA256
352a9ab9ff5821fbe2e27abf452ffe3b8e88861c33d0fa050661531004e93637

SHA512
0deab833f6d9ddbf119c1c840c8ceb88863463de5beff1f0dba25ae6e74df523422e1d5e518224444c7735eee93eaf48fefe26100a82061ce5cdb2cb68b61069

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5cdbf97-4421-44ab-a505-246cc928da82.vbs

Filesize
768B

MD5
4745d8408f3ef6ec14b344c163de2404

SHA1
77e797d2dbd9f52c68720bcb9c07a76ac86887f1

SHA256
871d340380f27361f8ef405f454881747d69f586901cbac7812fda0cb5a21cf6

SHA512
cbe123eba6d74c0b9bd65b75eff29d1a4f374442256077afb014baa5d62c9a7a9ad73df16b3d8883595754a02bc1565f1f8776456e61f8f6239c732b1a308223

Download Submit
memory/2340-125-0x000000001B630000-0x000000001B686000-memory.dmp

Filesize
344KB

Download
memory/2964-183-0x000000001B6C0000-0x000000001B6D2000-memory.dmp

Filesize
72KB

Download
memory/3556-138-0x0000000002C10000-0x0000000002C22000-memory.dmp

Filesize
72KB

Download
memory/5304-73-0x00000188FDCF0000-0x00000188FDD12000-memory.dmp

Filesize
136KB

Download
memory/5872-0-0x00007FF9B00B3000-0x00007FF9B00B5000-memory.dmp

Filesize
8KB

Download
memory/5872-111-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

Filesize
10.8MB

Download
memory/5872-17-0x000000001C0F0000-0x000000001C0FE000-memory.dmp

Filesize
56KB

Download
memory/5872-18-0x000000001C100000-0x000000001C108000-memory.dmp

Filesize
32KB

Download
memory/5872-20-0x000000001C120000-0x000000001C12C000-memory.dmp

Filesize
48KB

Download
memory/5872-19-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/5872-16-0x000000001C0E0000-0x000000001C0EA000-memory.dmp

Filesize
40KB

Download
memory/5872-15-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/5872-14-0x000000001C970000-0x000000001CE98000-memory.dmp

Filesize
5.2MB

Download
memory/5872-10-0x000000001BED0000-0x000000001BEDC000-memory.dmp

Filesize
48KB

Download
memory/5872-11-0x000000001BEE0000-0x000000001BEE8000-memory.dmp

Filesize
32KB

Download
memory/5872-13-0x000000001BEF0000-0x000000001BF02000-memory.dmp

Filesize
72KB

Download
memory/5872-4-0x000000001BE30000-0x000000001BE80000-memory.dmp

Filesize
320KB

Download
memory/5872-5-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/5872-9-0x000000001BE80000-0x000000001BED6000-memory.dmp

Filesize
344KB

Download
memory/5872-6-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/5872-7-0x000000001B780000-0x000000001B796000-memory.dmp

Filesize
88KB

Download
memory/5872-8-0x000000001B7A0000-0x000000001B7AA000-memory.dmp

Filesize
40KB

Download
memory/5872-3-0x0000000002D10000-0x0000000002D2C000-memory.dmp

Filesize
112KB

Download
memory/5872-2-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

Filesize
10.8MB

Download
memory/5872-1-0x0000000000960000-0x0000000000B4A000-memory.dmp

Filesize
1.9MB

Download