dcrat | ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

Resubmissions

13-01-2025 06:01

250113-gqyq5syqex 10

12-01-2025 22:40

250112-2ll7rsvqek 10

Analysis

max time kernel
896s
max time network
897s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Size

1.5MB
MD5

207f37be38ccbb0fe77bda8d4ab69187
SHA1

97a4aa79a700e336ca8450bfbf38d7e18215173b
SHA256

ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff
SHA512

34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRK:kzhWhCXQFN+0IEuQgyiVKS

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2988	schtasks.exe
		5020	schtasks.exe
		4100	schtasks.exe
		4060	schtasks.exe
		1400	schtasks.exe
		4348	schtasks.exe
		3960	schtasks.exe
		2008	schtasks.exe
		4416	schtasks.exe
		1044	schtasks.exe
		5108	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\skci\6cb0b6c459d5d3		ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
		4520	schtasks.exe
		4968	schtasks.exe
		3936	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\", \"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\", \"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\", \"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\", \"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\C_20280\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\wwanprotdim\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\", \"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\", \"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Windows\\System32\\C_20280\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\", \"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\", \"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\skci\\dwm.exe\", \"C:\\PerfLogs\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\", \"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\", \"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\", \"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\", \"C:\\Windows\\System32\\miguiresource\\dllhost.exe\", \"C:\\Windows\\System32\\Dsui\\taskhostw.exe\", \"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3628	schtasks.exe	83

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3544	powershell.exe
956	powershell.exe
2288	powershell.exe
552	powershell.exe
1416	powershell.exe
4452	powershell.exe
3616	powershell.exe
5000	powershell.exe
3548	powershell.exe
2876	powershell.exe
2956	powershell.exe
1136	powershell.exe
3084	powershell.exe
1540	powershell.exe
3668	powershell.exe
4400	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 64 IoCs

pid	Process
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
4812	spoolsv.exe
3296	spoolsv.exe
2712	spoolsv.exe
1508	spoolsv.exe
2376	spoolsv.exe
4808	spoolsv.exe
1672	spoolsv.exe
4612	spoolsv.exe
4900	spoolsv.exe
4908	spoolsv.exe
4352	spoolsv.exe
3904	spoolsv.exe
1432	spoolsv.exe
4256	spoolsv.exe
448	spoolsv.exe
3984	spoolsv.exe
1640	spoolsv.exe
2924	spoolsv.exe
5032	spoolsv.exe
1760	spoolsv.exe
4940	spoolsv.exe
2052	spoolsv.exe
752	spoolsv.exe
1040	spoolsv.exe
4464	spoolsv.exe
1152	spoolsv.exe
1412	spoolsv.exe
3664	spoolsv.exe
4612	spoolsv.exe
1572	spoolsv.exe
4784	spoolsv.exe
412	spoolsv.exe
4620	spoolsv.exe
3548	spoolsv.exe
4752	spoolsv.exe
3036	spoolsv.exe
1192	spoolsv.exe
3468	spoolsv.exe
4976	spoolsv.exe
1564	spoolsv.exe
2848	spoolsv.exe
4800	spoolsv.exe
1148	spoolsv.exe
1136	spoolsv.exe
1204	spoolsv.exe
1828	spoolsv.exe
3080	spoolsv.exe
3200	spoolsv.exe
2676	spoolsv.exe
2724	spoolsv.exe
1828	spoolsv.exe
4068	spoolsv.exe
2700	spoolsv.exe
4392	spoolsv.exe
2392	spoolsv.exe
1844	spoolsv.exe
2136	spoolsv.exe
4668	spoolsv.exe
4408	spoolsv.exe
464	spoolsv.exe
2308	spoolsv.exe
2348	spoolsv.exe
624	spoolsv.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Documents and Settings\\TextInputHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\skci\\dwm.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Documents and Settings\\TextInputHost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Provisioning\\Packages\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\miguiresource\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\C_20280\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wwanprotdim\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\sechost\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\skci\\dwm.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\System.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Dsui\\taskhostw.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\C_20280\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wwanprotdim\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\PerfLogs\\RuntimeBroker.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\tpmvscmgrsvr\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\miguiresource\\dllhost.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\Dsui\\taskhostw.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\srchadmin\\SppExtComObj.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\SettingsHandlers_InputPersonalization\\spoolsv.exe\""	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\skci\RCXAE81.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\miguiresource\5940a34987c991	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\wwanprotdim\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\skci\dwm.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\tpmvscmgrsvr\e1ef82546f0b02	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\sechost\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\sechost\e1ef82546f0b02	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\tpmvscmgrsvr\RCXB48F.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\miguiresource\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\Dsui\taskhostw.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\srchadmin\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\skci\dwm.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\sechost\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\tpmvscmgrsvr\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\C_20280\9e8d7a4ca61bd9	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\miguiresource\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\Dsui\taskhostw.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\Dsui\ea9f0e6c9e2dcd	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\C_20280\RuntimeBroker.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\skci\6cb0b6c459d5d3	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\C_20280\RuntimeBroker.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\SettingsHandlers_InputPersonalization\f3b6ecef712a24	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\srchadmin\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\tpmvscmgrsvr\SppExtComObj.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wwanprotdim\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\wwanprotdim\5940a34987c991	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\System32\sechost\RCXB693.tmp	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\System32\srchadmin\e1ef82546f0b02	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Icons\Registry.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Packages\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File created	C:\Windows\Provisioning\Packages\5940a34987c991	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
File opened for modification	C:\Windows\Provisioning\Packages\dllhost.exe	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
3960	schtasks.exe
1400	schtasks.exe
3936	schtasks.exe
4348	schtasks.exe
1044	schtasks.exe
4416	schtasks.exe
5020	schtasks.exe
2008	schtasks.exe
4968	schtasks.exe
4060	schtasks.exe
4520	schtasks.exe
4100	schtasks.exe
5108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
1540	powershell.exe
3668	powershell.exe
4400	powershell.exe
3084	powershell.exe
2288	powershell.exe
1416	powershell.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
2288	powershell.exe
1416	powershell.exe
3668	powershell.exe
1540	powershell.exe
4400	powershell.exe
3084	powershell.exe
2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
552	powershell.exe
552	powershell.exe
2956	powershell.exe
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4812	spoolsv.exe
Token: SeDebugPrivilege	3296	spoolsv.exe
Token: SeDebugPrivilege	2712	spoolsv.exe
Token: SeDebugPrivilege	1508	spoolsv.exe
Token: SeDebugPrivilege	2376	spoolsv.exe
Token: SeDebugPrivilege	4808	spoolsv.exe
Token: SeDebugPrivilege	1672	spoolsv.exe
Token: SeDebugPrivilege	4612	spoolsv.exe
Token: SeDebugPrivilege	4900	spoolsv.exe
Token: SeDebugPrivilege	4908	spoolsv.exe
Token: SeDebugPrivilege	4352	spoolsv.exe
Token: SeDebugPrivilege	3904	spoolsv.exe
Token: SeDebugPrivilege	1432	spoolsv.exe
Token: SeDebugPrivilege	4256	spoolsv.exe
Token: SeDebugPrivilege	448	spoolsv.exe
Token: SeDebugPrivilege	3984	spoolsv.exe
Token: SeDebugPrivilege	1640	spoolsv.exe
Token: SeDebugPrivilege	2924	spoolsv.exe
Token: SeDebugPrivilege	5032	spoolsv.exe
Token: SeDebugPrivilege	1760	spoolsv.exe
Token: SeDebugPrivilege	4940	spoolsv.exe
Token: SeDebugPrivilege	2052	spoolsv.exe
Token: SeDebugPrivilege	752	spoolsv.exe
Token: SeDebugPrivilege	1040	spoolsv.exe
Token: SeDebugPrivilege	4464	spoolsv.exe
Token: SeDebugPrivilege	1152	spoolsv.exe
Token: SeDebugPrivilege	1412	spoolsv.exe
Token: SeDebugPrivilege	3664	spoolsv.exe
Token: SeDebugPrivilege	4612	spoolsv.exe
Token: SeDebugPrivilege	1572	spoolsv.exe
Token: SeDebugPrivilege	4784	spoolsv.exe
Token: SeDebugPrivilege	412	spoolsv.exe
Token: SeDebugPrivilege	4620	spoolsv.exe
Token: SeDebugPrivilege	3548	spoolsv.exe
Token: SeDebugPrivilege	4752	spoolsv.exe
Token: SeDebugPrivilege	3036	spoolsv.exe
Token: SeDebugPrivilege	1192	spoolsv.exe
Token: SeDebugPrivilege	3468	spoolsv.exe
Token: SeDebugPrivilege	4976	spoolsv.exe
Token: SeDebugPrivilege	1564	spoolsv.exe
Token: SeDebugPrivilege	2848	spoolsv.exe
Token: SeDebugPrivilege	4800	spoolsv.exe
Token: SeDebugPrivilege	1148	spoolsv.exe
Token: SeDebugPrivilege	1136	spoolsv.exe
Token: SeDebugPrivilege	1204	spoolsv.exe
Token: SeDebugPrivilege	1828	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2288	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	89
PID 2484 wrote to memory of 2288	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	89
PID 2484 wrote to memory of 1416	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	90
PID 2484 wrote to memory of 1416	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	90
PID 2484 wrote to memory of 3084	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	91
PID 2484 wrote to memory of 3084	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	91
PID 2484 wrote to memory of 4400	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	92
PID 2484 wrote to memory of 4400	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	92
PID 2484 wrote to memory of 3668	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	93
PID 2484 wrote to memory of 3668	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	93
PID 2484 wrote to memory of 1540	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	94
PID 2484 wrote to memory of 1540	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	94
PID 2484 wrote to memory of 392	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	101
PID 2484 wrote to memory of 392	2484	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	101
PID 392 wrote to memory of 552	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	116
PID 392 wrote to memory of 552	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	116
PID 392 wrote to memory of 1136	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	117
PID 392 wrote to memory of 1136	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	117
PID 392 wrote to memory of 2956	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	118
PID 392 wrote to memory of 2956	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	118
PID 392 wrote to memory of 2876	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	119
PID 392 wrote to memory of 2876	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	119
PID 392 wrote to memory of 956	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	120
PID 392 wrote to memory of 956	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	120
PID 392 wrote to memory of 3548	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	121
PID 392 wrote to memory of 3548	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	121
PID 392 wrote to memory of 3544	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	122
PID 392 wrote to memory of 3544	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	122
PID 392 wrote to memory of 5000	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	123
PID 392 wrote to memory of 5000	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	123
PID 392 wrote to memory of 3616	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	124
PID 392 wrote to memory of 3616	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	124
PID 392 wrote to memory of 4452	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	125
PID 392 wrote to memory of 4452	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	125
PID 392 wrote to memory of 4812	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	136
PID 392 wrote to memory of 4812	392	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe	136
PID 4812 wrote to memory of 2424	4812	spoolsv.exe	137
PID 4812 wrote to memory of 2424	4812	spoolsv.exe	137
PID 4812 wrote to memory of 4048	4812	spoolsv.exe	138
PID 4812 wrote to memory of 4048	4812	spoolsv.exe	138
PID 2424 wrote to memory of 3296	2424	WScript.exe	145
PID 2424 wrote to memory of 3296	2424	WScript.exe	145
PID 3296 wrote to memory of 1364	3296	spoolsv.exe	146
PID 3296 wrote to memory of 1364	3296	spoolsv.exe	146
PID 3296 wrote to memory of 5036	3296	spoolsv.exe	147
PID 3296 wrote to memory of 5036	3296	spoolsv.exe	147
PID 1364 wrote to memory of 2712	1364	WScript.exe	151
PID 1364 wrote to memory of 2712	1364	WScript.exe	151
PID 2712 wrote to memory of 2492	2712	spoolsv.exe	152
PID 2712 wrote to memory of 2492	2712	spoolsv.exe	152
PID 2712 wrote to memory of 4344	2712	spoolsv.exe	153
PID 2712 wrote to memory of 4344	2712	spoolsv.exe	153
PID 2492 wrote to memory of 1508	2492	WScript.exe	154
PID 2492 wrote to memory of 1508	2492	WScript.exe	154
PID 1508 wrote to memory of 632	1508	spoolsv.exe	155
PID 1508 wrote to memory of 632	1508	spoolsv.exe	155
PID 1508 wrote to memory of 2764	1508	spoolsv.exe	156
PID 1508 wrote to memory of 2764	1508	spoolsv.exe	156
PID 632 wrote to memory of 2376	632	WScript.exe	157
PID 632 wrote to memory of 2376	632	WScript.exe	157
PID 2376 wrote to memory of 2072	2376	spoolsv.exe	158
PID 2376 wrote to memory of 2072	2376	spoolsv.exe	158
PID 2376 wrote to memory of 4336	2376	spoolsv.exe	159
PID 2376 wrote to memory of 4336	2376	spoolsv.exe	159

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\skci\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\tpmvscmgrsvr\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sechost\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe
  "C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\miguiresource\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Dsui\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\srchadmin\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\C_20280\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wwanprotdim\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
    "C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4812
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e703fed7-275c-410b-b75d-8784ba776a3f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b5555df-9715-4fc8-9501-9492b3e07544.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd80707f-fd17-4b24-8150-eb07a4ad2f9b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e476e12-13f6-4608-98d2-413fb8de482a.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37166018-ffea-4429-81e4-de041685d97a.vbs"
        12⤵
        
        PID:2072
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        13⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4332ff05-b93d-4fa0-9376-4b10327a4d3a.vbs"
        14⤵
        
        PID:4052
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        15⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59df9f60-a188-4fc6-8f87-f2b5be284d59.vbs"
        16⤵
        
        PID:4500
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f14599b-0d21-4f8f-996d-228c59be2753.vbs"
        18⤵
        
        PID:3120
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c2e5e1-756b-4dd1-a9c0-8880815ce399.vbs"
        20⤵
        
        PID:1508
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\550713d6-0787-4b22-8db3-f18c53c0a736.vbs"
        22⤵
        
        PID:1148
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d685bdb-edaa-4b0c-abbd-902a58bdb44a.vbs"
        24⤵
        
        PID:2844
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        25⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99fc8970-93b0-4c1d-90f6-ed223925c4a5.vbs"
        26⤵
        
        PID:4468
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cc24543-ad21-4ef0-911b-c7e4a2bd4bc6.vbs"
        28⤵
        
        PID:3336
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        29⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d485e9e-e812-49f0-89e2-caccf3e2e6ec.vbs"
        30⤵
        
        PID:4952
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f9333f8-37c7-4862-9e76-006e9c2d6a97.vbs"
        32⤵
        
        PID:3892
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        33⤵
        UAC bypass
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8f18c3-cd08-4a2b-9edf-3b3d12600342.vbs"
        34⤵
        
        PID:2288
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        35⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5660b9d4-ec34-4cc7-ab14-506ad61faed5.vbs"
        36⤵
        
        PID:3632
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        37⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\404ff3df-237d-4199-94ca-5818dd15c368.vbs"
        38⤵
        
        PID:3476
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        39⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe4e9ef7-1cd0-4e19-a3ee-81b243e7504a.vbs"
        40⤵
        
        PID:2552
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\939bdd0b-3b89-4431-b14a-e3ecc0f9f73b.vbs"
        42⤵
        
        PID:5088
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        43⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a058d34-439a-42e5-a9a1-ff81fee6e712.vbs"
        44⤵
        
        PID:468
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        45⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d481deb0-2172-4384-ac17-d703ac157f3b.vbs"
        46⤵
        
        PID:1408
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20195783-4def-4a30-b0f9-15beb98451ee.vbs"
        48⤵
        
        PID:5048
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        49⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\578f3a0a-25fa-46c1-8d61-d805906aa0df.vbs"
        50⤵
        
        PID:4532
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        51⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78247e4d-4c68-4702-8a8b-d914829c615c.vbs"
        52⤵
        
        PID:2284
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        53⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58bf176f-0082-45ed-ae5c-319b56f1ae53.vbs"
        54⤵
        
        PID:3420
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f806f2-f4cf-4500-839b-366f32f3fb7e.vbs"
        56⤵
        
        PID:2016
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        57⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09406653-0693-454f-9c13-3010f378bbb2.vbs"
        58⤵
        
        PID:4208
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a30d17e-2742-41db-8fca-491bfa624e56.vbs"
        60⤵
        
        PID:1852
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        61⤵
        UAC bypass
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc77a969-5e3d-4e0f-88ae-8bdb0270e736.vbs"
        62⤵
        
        PID:1832
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        63⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e16fd82f-30ed-4b83-af1e-a980ee0344b4.vbs"
        64⤵
        
        PID:1760
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868fd292-8523-4c52-968d-9ad638ccfa3b.vbs"
        66⤵
        
        PID:4472
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        67⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d9104c-81be-4433-96f3-de3d77ac6dec.vbs"
        68⤵
        
        PID:5116
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        69⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca1660b-f899-4342-8281-ec51c1b9a1e1.vbs"
        70⤵
        
        PID:4172
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        71⤵
        UAC bypass
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\853fb31d-c9f6-4129-809f-4a18df13c9af.vbs"
        72⤵
        
        PID:1852
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        73⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a42c6089-ddf0-4e53-b60b-5113eab32e97.vbs"
        74⤵
        
        PID:3768
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        75⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6dfdb51-000b-463b-9556-c8942c7cd540.vbs"
        76⤵
        
        PID:4676
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        77⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6417c9a-dea5-4ad8-b3d8-6789d640e9a3.vbs"
        78⤵
        
        PID:2352
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        79⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\121b0814-d6cc-4715-baa6-89627378109b.vbs"
        80⤵
        
        PID:2328
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        81⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7a7bd26-b6c7-4486-8d8a-4ae29192c095.vbs"
        82⤵
        
        PID:3188
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        83⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b18e457-b8ca-41e5-bd3b-2e952181abac.vbs"
        84⤵
        
        PID:4708
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        85⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a96891e6-b42c-48ba-b433-1a7e4fe6662d.vbs"
        86⤵
        
        PID:1228
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        87⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a87919f-6d97-4dc7-a8db-897013aa0937.vbs"
        88⤵
        
        PID:3320
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        89⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b10c78d-a601-4626-ab00-011cf2e6d64d.vbs"
        90⤵
        
        PID:4304
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        91⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d288cfdf-e8bf-4f33-a721-05c0dbd9c5e4.vbs"
        92⤵
        
        PID:3776
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        93⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77aa3855-ed35-4ba2-9290-be2475e3b2eb.vbs"
        94⤵
        
        PID:1100
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        95⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:3080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a24ffb7-6f0b-4bce-83e2-522a1a6e9da4.vbs"
        96⤵
        
        PID:4620
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        97⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        System policy modification
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\926dc80b-c16e-42f8-88d4-d6346a85c4be.vbs"
        98⤵
        
        PID:1916
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        99⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3080d714-fcb4-421c-85dc-9c1ba416b19f.vbs"
        100⤵
        
        PID:1552
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        101⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fcde1ad-2188-4499-bf89-cbddac4dee74.vbs"
        102⤵
        
        PID:1832
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        103⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\847fb957-680b-4e32-8a2d-9b009167690b.vbs"
        104⤵
        
        PID:2416
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        105⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8ff70a-5a38-4267-abbc-a94090b2a220.vbs"
        106⤵
        
        PID:4384
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        107⤵
        Executes dropped EXE
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\686a39d9-b3cb-46f3-9326-5111634fb557.vbs"
        108⤵
        
        PID:216
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        109⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2147e927-7e7d-447e-92b5-749d6a0da8f4.vbs"
        110⤵
        
        PID:760
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        111⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30d68326-23a3-4775-8fc0-2cd017660ed2.vbs"
        112⤵
        
        PID:2288
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        113⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f221a8-1d05-4509-b7b9-1d399b6588f3.vbs"
        114⤵
        
        PID:316
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        115⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\505d27bc-4c12-43f0-aa56-46a952aafc34.vbs"
        116⤵
        
        PID:4512
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        117⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:4668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c5d3943-7f66-45e3-be33-a89af529e7ae.vbs"
        118⤵
        
        PID:4820
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        119⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        System policy modification
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da8b1f1d-1d1d-4707-94a4-edb94a622015.vbs"
        120⤵
        
        PID:5088
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        121⤵
        Checks computer location settings
        Executes dropped EXE
        System policy modification
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b36084ed-4aab-4716-9f5a-f80788b3c394.vbs"
        122⤵
        
        PID:1040
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        123⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d57388-171c-41fb-97e8-dbbf10012e7b.vbs"
        124⤵
        
        PID:4116
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        125⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eeaf8f6-d4e3-4930-841b-93bb9608e459.vbs"
        126⤵
        
        PID:4512
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        127⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe7d1fee-67ba-41a0-957f-68f3cb728b90.vbs"
        128⤵
        
        PID:3112
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        129⤵
        Checks computer location settings
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52fa4c2f-6d6d-4497-b0a7-e45564e3b99e.vbs"
        130⤵
        
        PID:4724
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        131⤵
        UAC bypass
        Checks computer location settings
        Modifies registry class
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb44a1e9-3bd4-402e-b772-023b5d9f6408.vbs"
        132⤵
        
        PID:3904
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        133⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:3284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd959670-f0e9-405b-9fab-bd4e27c0e6a2.vbs"
        134⤵
        
        PID:2388
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        135⤵
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2a0de43-8e85-48f7-8cf0-bd9cbc464bb8.vbs"
        136⤵
        
        PID:1956
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        137⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bd05a65-7a41-4118-9385-f61a7d324834.vbs"
        138⤵
        
        PID:224
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        139⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf0e59ae-0907-4b27-a467-594aa90194cb.vbs"
        140⤵
        
        PID:3540
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        141⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:3448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fdc4a0c-338e-42ee-9f76-79c22b95f6cb.vbs"
        142⤵
        
        PID:1412
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        143⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dfb8505-701c-4bbe-9076-cd01b9f956f5.vbs"
        144⤵
        
        PID:2308
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        145⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93b09ba0-8caf-4ece-b089-7f031a244f89.vbs"
        146⤵
        
        PID:2136
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        147⤵
        UAC bypass
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4af5b7d4-4863-4257-a889-e198b5198c52.vbs"
        148⤵
        
        PID:624
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        149⤵
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a514051f-9612-4a1a-9b5d-8f717dbee302.vbs"
        150⤵
        
        PID:468
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        151⤵
        UAC bypass
        Checks computer location settings
        System policy modification
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1443b9-5273-45a5-8358-1dc0fbd1ad8f.vbs"
        152⤵
        
        PID:1720
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        153⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32593511-964a-4ecc-9fa8-61020f07b7a1.vbs"
        154⤵
        
        PID:4592
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        155⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaee1b1f-9144-4be1-be16-dfd71d93e00e.vbs"
        156⤵
        
        PID:3448
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        157⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:3632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4955c1fb-a5dc-45d7-b6b2-169a00ac9458.vbs"
        158⤵
        
        PID:1860
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        159⤵
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f470e028-a271-430b-8ddf-c056cd2602fe.vbs"
        160⤵
        
        PID:2012
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        161⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29e54af-854e-43c4-8e21-62786e4efc5d.vbs"
        162⤵
        
        PID:4924
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        163⤵
        Checks computer location settings
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1077ec46-f2b3-4a0c-a7f5-49586fd5a8ce.vbs"
        164⤵
        
        PID:1888
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        165⤵
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39e0abc-30b9-4140-b7bf-35405dd5bae0.vbs"
        166⤵
        
        PID:3320
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        167⤵
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\721f1c85-ce8c-440c-9b77-33f7f64a1c96.vbs"
        168⤵
        
        PID:384
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        169⤵
        UAC bypass
        Modifies registry class
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78929667-cbae-4765-bc5e-de6e8d1929d7.vbs"
        170⤵
        
        PID:1852
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        171⤵
        UAC bypass
        Checks computer location settings
        Modifies registry class
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71e7a73-1c97-48e6-8767-7ad0ca39a915.vbs"
        172⤵
        
        PID:2672
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        173⤵
        UAC bypass
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:4488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\814a9c4f-35f4-40d1-9a71-a5f9e47abe60.vbs"
        174⤵
        
        PID:2348
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        175⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f1a0e83-cccb-43e9-9fe1-f7e4ed6efee7.vbs"
        176⤵
        
        PID:4392
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        177⤵
        UAC bypass
        Modifies registry class
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4c3b1f-9e60-43a4-8e97-fcd58841884f.vbs"
        178⤵
        
        PID:3468
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        179⤵
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a86e9685-0102-41cc-a57e-adf91986629d.vbs"
        180⤵
        
        PID:764
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        181⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a3357c3-8c81-4f8a-b1d3-7e70ae836431.vbs"
        182⤵
        
        PID:2820
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        183⤵
        UAC bypass
        Checks computer location settings
        Modifies registry class
        System policy modification
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9485bb5-224e-4967-83ab-4dcfb5949ddf.vbs"
        184⤵
        
        PID:2552
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        185⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe5d716a-5795-435e-93eb-ea099d0f99bb.vbs"
        186⤵
        
        PID:2008
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        187⤵
        UAC bypass
        Checks computer location settings
        System policy modification
        
        PID:312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc433af7-6268-4c20-b97f-f6e180fe737e.vbs"
        188⤵
        
        PID:3808
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        189⤵
        UAC bypass
        Modifies registry class
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5737f09c-69a3-489f-bb8a-1e823501d6ab.vbs"
        190⤵
        
        PID:4588
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        191⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4e0c8f1-445c-48d0-a812-8838c8880a3f.vbs"
        192⤵
        
        PID:2008
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        193⤵
        UAC bypass
        Checks computer location settings
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c4578e-7d23-4fb2-ab62-0d0b7c4e1975.vbs"
        194⤵
        
        PID:4100
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        
        C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe
        195⤵
        System policy modification
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\271e89d1-2261-45cb-b6da-46fec6a214c0.vbs"
        196⤵
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdd45450-9367-422e-ac79-965824c7710a.vbs"
        196⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8625eca5-e317-4963-a155-1eb470462ff7.vbs"
        194⤵
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\124dd3a8-dd31-4c17-9be9-fbcdde4eff1d.vbs"
        192⤵
        
        PID:312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107d594f-6542-46dc-bf64-792cbcce8a10.vbs"
        190⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74812882-85e6-4f6f-9804-6b3691a52c8e.vbs"
        188⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45794295-dcda-4077-a3ed-9c8ecd4f3452.vbs"
        186⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f8394b-a319-4a99-8c83-1daaa3bb6a99.vbs"
        184⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28ace2a3-4bdc-4f68-b58f-e2d5e46f762d.vbs"
        182⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4b77cbd-fbcb-4f15-972f-07276fa86803.vbs"
        180⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\847fb3ca-cb40-44d7-955e-ab423b8a6b08.vbs"
        178⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07bea4b6-7fc9-41ed-95aa-a303e72b3d2c.vbs"
        176⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f561c33d-a13e-4958-8b1a-af66fe43f7c0.vbs"
        174⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e40c070f-9751-4cab-8538-cee7ced21a39.vbs"
        172⤵
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c99fe6a-31ad-49cb-9876-b22d0503bcd4.vbs"
        170⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0b21e1-efa0-4afa-aa88-960ce32b3a77.vbs"
        168⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39866b81-41f6-4085-a750-c0de93a96ae0.vbs"
        166⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68223be0-6fd2-40b5-b357-7ef6fcfa1dba.vbs"
        164⤵
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac0fae4-1641-4eca-addc-e1ecc07fa334.vbs"
        162⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75c18198-629b-4092-b7ca-15fb0ffc7b3c.vbs"
        160⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f60a0661-9eac-4634-a55c-678ac870b647.vbs"
        158⤵
        
        PID:4872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511c4462-9f53-4c2a-b68b-dba8a8d31d5d.vbs"
        156⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89046cb9-b577-4d82-aa76-00464fe13263.vbs"
        154⤵
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef066f5b-9a9b-4024-a7bb-73f75b58d23f.vbs"
        152⤵
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d0b45e-f763-488d-8f3f-150ca8c6bac1.vbs"
        150⤵
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\332eef10-88e1-4d32-96a8-3c68b6abc999.vbs"
        148⤵
        
        PID:116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f416bd9-d7e6-44bf-864e-43c20abe6585.vbs"
        146⤵
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f819689-3020-4da3-8c10-cdcfbb8c508c.vbs"
        144⤵
        
        PID:4204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b49f16a-d6ac-4ad8-aa8c-f11016747fa7.vbs"
        142⤵
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27b2e960-9a02-45f0-bae6-dc295d20a725.vbs"
        140⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\648c4537-3f4d-4e9b-b457-53637f86ddaa.vbs"
        138⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df5210d1-ed5b-4e22-aa3e-d50edebd0457.vbs"
        136⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\586035ff-41b0-477e-aa98-f0379df43c82.vbs"
        134⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\606bb7a3-b66f-4ad5-be00-69d3da43351b.vbs"
        132⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3caff988-cc2c-4f38-8aa6-bdc2f52bc0cd.vbs"
        130⤵
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\493d1911-f980-4140-a13a-8639b2dd8d7f.vbs"
        128⤵
        
        PID:3492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab7cd48-b7f8-4934-a4b2-acb099a2f5a4.vbs"
        126⤵
        
        PID:3960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63d7297b-dc2c-4d42-afe0-fe0733895132.vbs"
        124⤵
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d42a8e0c-02a3-449d-94fa-2ffd62b3417a.vbs"
        122⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3c98635-0014-4a9e-b8a3-0e7d44375fdf.vbs"
        120⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6d481ee-ab1e-4924-a8f6-5bf483f13426.vbs"
        118⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2f749c-6824-4e30-99fa-f1237f7d1393.vbs"
        116⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254034e0-6f29-499f-af13-dfebfd95af37.vbs"
        114⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e9d472-46be-493c-830a-0216175145dc.vbs"
        112⤵
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1685090-8a96-463a-9d12-778d286848f4.vbs"
        110⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d10048d2-a609-4134-b6e4-b890cbc8d635.vbs"
        108⤵
        
        PID:3652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f47d6bb-da44-4ec4-9e88-de621122377a.vbs"
        106⤵
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e57c67ed-7e40-4c63-af83-b1993af0bedb.vbs"
        104⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f754a594-d160-4202-b966-08acb3286d1a.vbs"
        102⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4857757a-ea23-4692-9162-4e6c26c9c5a8.vbs"
        100⤵
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b1d57a-3d76-4174-8434-aade82c8c651.vbs"
        98⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39b21001-6d1d-4356-86d8-60099db5d565.vbs"
        96⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\989c8f6a-2ec2-4492-8878-be991d093b67.vbs"
        94⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aab6963b-6857-4951-afd9-ba074e6d2c6e.vbs"
        92⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9528694f-743d-49c8-94fa-114373597b58.vbs"
        90⤵
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\369a803e-3632-4f74-8af9-ca6edf81d515.vbs"
        88⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eaf486e-8906-4312-8a51-ea87dd28d8de.vbs"
        86⤵
        
        PID:3432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abc3aad0-dec1-4850-bd09-456a488eccfc.vbs"
        84⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4656b79-6ac3-45f6-b3af-fcc98a669ccc.vbs"
        82⤵
        
        PID:4868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceb2a74c-8cc2-4243-b7a8-b2885749e052.vbs"
        80⤵
        
        PID:3704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b9eb5b-a753-4033-9dd9-062dc8e34d11.vbs"
        78⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fec2778-821a-48e4-b735-796b80d0f28c.vbs"
        76⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4e75be-24e4-4f8a-bb1a-bb69750b88a5.vbs"
        74⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\436315bd-4b92-42bf-9733-f892fe4fdcc1.vbs"
        72⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647d88f5-227e-421b-bf3d-a1271368a09a.vbs"
        70⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae4ab9f-c203-45a7-8dc0-dce3aff36018.vbs"
        68⤵
        
        PID:3516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fafd0fcb-2610-4354-b484-c5513faed081.vbs"
        66⤵
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153643f6-a968-4dec-8112-531e32c88e2a.vbs"
        64⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c04d3a28-f1e1-48a2-8947-1a70f36c7021.vbs"
        62⤵
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1a6ad2d-2c5f-4a01-8e04-f5eff4e8e60d.vbs"
        60⤵
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59ca6a16-d855-4df6-8f6a-b4bbfaf12db7.vbs"
        58⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f6c19a-1ad4-4f0d-8e25-01034a705375.vbs"
        56⤵
        
        PID:3700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f20414-642e-4819-b4dc-c6b5a4faf29d.vbs"
        54⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc609c4e-8012-4daf-9052-a968f1109056.vbs"
        52⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6778041-15e1-4732-a3c7-a370fa224f17.vbs"
        50⤵
        
        PID:3116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abf6a6f4-2091-4c39-9b0b-b68b6a17b210.vbs"
        48⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80612d3f-48e8-4cdf-949c-bd891f1d0939.vbs"
        46⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\494b8104-d7ad-4978-96ce-b3e73cc586d6.vbs"
        44⤵
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a3673b-91b4-42d3-bd40-5bb845c785b6.vbs"
        42⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25e4473-15b9-476b-bf52-179d43c797a6.vbs"
        40⤵
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90584b49-f726-4b60-b13a-9aa427dc8e13.vbs"
        38⤵
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb0c2fef-62b8-4d18-98cc-dd4bf1b4e04b.vbs"
        36⤵
        
        PID:3952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b57a0da-5ded-484b-b040-5906b6655fb7.vbs"
        34⤵
        
        PID:3588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8a351f9-6252-459e-a951-53ec3c3e708e.vbs"
        32⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25bdaf4e-f4a2-4560-bf50-3e489dd50dad.vbs"
        30⤵
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5daf53-4b76-4bc6-afc3-160e2f1659b8.vbs"
        28⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cddb840-4d97-42cc-afee-0027cf72e34b.vbs"
        26⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f39bf5f-343e-4634-8feb-84b9b485519d.vbs"
        24⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b78a06cd-281a-4306-a4dc-eeaa878caa11.vbs"
        22⤵
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be1d0ba-2b32-4cd8-996c-992157f5e90c.vbs"
        20⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26599d21-ec1d-4792-955a-b9e9cca6fd94.vbs"
        18⤵
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da2cb96e-a361-4f55-9da0-d627cbd0211b.vbs"
        16⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c78fe0-97c5-4e5f-9507-4fb641ec91ed.vbs"
        14⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b9a1e3-0119-4794-9b6c-aa60eabac841.vbs"
        12⤵
        
        PID:4336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08844819-79ef-4581-9f59-d876705f5060.vbs"
        10⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1264580e-c9e8-435a-9b5b-42042d17b7a2.vbs"
        8⤵
        
        PID:4344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd521b3c-eaeb-42d2-8d3d-c86bd9d85d08.vbs"
        6⤵
        
        PID:5036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25c36c70-3a05-4215-9c97-858982a10572.vbs"
      4⤵
      PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\skci\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\PerfLogs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Documents and Settings\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\tpmvscmgrsvr\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\sechost\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\miguiresource\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\Dsui\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\srchadmin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_InputPersonalization\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\C_20280\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wwanprotdim\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cff81b31909fbf8df6617136d6cb6605

SHA1
3bd85e728f4489a671764547e3d18dd01fe9e0a4

SHA256
3848c70d76babfa835b5d4e83c1486f51018d03d746e1449d86a1174d52677b0

SHA512
a38db85931dc6cdc83077f217a93b56404d78ec1d7c77e3d563f8a1b515f695749f7da4185e23827a6095761ea7324d3d83d86680c6f5ade433c777cf679ac72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f034c2130e582c647bfb45a3a835cbdd

SHA1
30b4ddd9ba0ac86a237688b6e5750744ed7e2526

SHA256
c20cda0a4034398dfcbf1bbfea3a2ede33ed18ab57906c4f08e02a40382e1081

SHA512
3a20ea802ae8261f15497173050f76693a15270340c76e27daf3e4959816ecd37aa8cedb2d47141d5f0d17a2cc6c59722d06d156b2e715cfbaa1c6e51fb30269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1d45939ab2a23c517e15ab27071928d5

SHA1
cca448b53ac101e2e71b8a596758b40e126a46cd

SHA256
daa8bffbb709010db0f5344c545413128dec7f689eb4eea35eadb5745572043b

SHA512
1a42dab2ed11144a54bb3cbd93fc40bc6fa6bd347c999b161e633750458adf769e852718a0de23dd89823ac21d155ec20fbe05154c47340c0e70bc1a8a3a2697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c5be14933f61737d2dba0e3d797ce24

SHA1
28abeb5ab249fe37338fd10fae1a1a12f75026cb

SHA256
93c49405dd6d88987ff03b3818aceefc2fb308951346d9901e33f8080aa2fb20

SHA512
4fe2004e6b77a6a9dda19ce36af914429641d50e2bb560eccd9928d490da9a170c2b939e72d3441586fe224ae7919cda421b31befe50e03fe2f7a7181225ce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e476e12-13f6-4608-98d2-413fb8de482a.vbs

Filesize
745B

MD5
009dd794639d4d0bb9bf55ca30074b75

SHA1
15dc04d1cae335d2bb03ffc4a7884d79da0e1375

SHA256
e452cf984b5f59459fddfd6519b1786ab58c05d934163c7f4c2c523a876e9819

SHA512
68c682eaa5e8b36e824e07b56e16e0efcbbb48e06581aea7da12e32a59b16a6f7462096ba0b9d3ba3c54ad41ecfaeddf0dcfc4ca38832e7a39ed1b6077fcf719

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d685bdb-edaa-4b0c-abbd-902a58bdb44a.vbs

Filesize
745B

MD5
d0b285ec875e472c89de1f2c77a06b23

SHA1
fda0b0c022e428b054b9cead3447fbcbc50dd2f9

SHA256
da912badd95ec5baaf66bf08221882b4e17d5a06a380112743d36a3d0914dff9

SHA512
0165eae1e252a183056e89ea0861ee86c0f23fcb7425058dc74e29eb8a704b69ecb45480fedef23f92dbbb326cdbf6da9c1ffe33ed43d4f55b82e391ff45a3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c36c70-3a05-4215-9c97-858982a10572.vbs

Filesize
521B

MD5
18ad47b07132925f93269b40dcc7e3e6

SHA1
eaf8209d5c7fa1d396ae819e29887436eab0bcba

SHA256
ca3da55c359ff9d6336049ab127844de31a994043b2adf8669a01e1a69bc44ef

SHA512
513a8e9829cd50070d5d4629a4c7d339b03d26554960d846a1effa5126185ff87002a03c61e6778fb777ae796e8a64e01718eef226738677dcce3b0dcdbe2aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\37166018-ffea-4429-81e4-de041685d97a.vbs

Filesize
745B

MD5
5c7d8f73ca6757d6bc8bac1688f01b63

SHA1
6efc399095bee15f478b799c37a98dab948bf5ab

SHA256
5d518d6b6a47cb86ef05b1a7f871a2713b780342bb2bbb1d95a7c84ac84dee15

SHA512
011839ea793c1f4d4b510feb56750c1d88ce2c76be075186810df6823b55d713fd3114dba4545101ccb1c4f9ebbcbf6e81df0eb54105586ccb29e44e1ab408c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f14599b-0d21-4f8f-996d-228c59be2753.vbs

Filesize
745B

MD5
fd8c5f9e9f386dca57634acd79657ea6

SHA1
3e4051f11a594088f826dd5173dfd30b16f43545

SHA256
dd86ed919b8332a3984f333ded160a461f219825e0809c4a183c50ac08061aa2

SHA512
3a8b0b6959a2722c6d3685895b569685e33230390cc2f6ee0162e5fdd0247d5c47306b0b809deb022e35d11566520e4f7afd0819670d4f8e6558a29ddaa8965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4332ff05-b93d-4fa0-9376-4b10327a4d3a.vbs

Filesize
745B

MD5
7af35fd41b86a432710b53e391abf5b0

SHA1
061b40eae7651aa6d9df1ad4bdff2d9ddae5675e

SHA256
d2e356d6a5b55f798ad464e309b707e17a99086b8dc90fe5b0f4198296d5b49d

SHA512
ef479ba9dec68a9d65dc72e6f89ff2e64999b812e256a9d8ad90b366529b84cfb6fff91e00505777881bda072c3006398cc6c33eb99e5e083e0c658fc997ac05

Download Submit
C:\Users\Admin\AppData\Local\Temp\51c2e5e1-756b-4dd1-a9c0-8880815ce399.vbs

Filesize
745B

MD5
7db4a6c0a3c906298f92a8e651a5225d

SHA1
4a66633a98e37ce4ebe4ecfbdb2bc19c3f535267

SHA256
bad57643453e98ce7e6c3f1978ebd4b5231f2333177ee7673703a21b392b836f

SHA512
706448a2306546a29ce045a91a87da5429c9c5917d371378c63ab59385c9c414c3ff8083e661e4ab37766ab585a25114357a9ce43b204cd5ee003626863b607e

Download Submit
C:\Users\Admin\AppData\Local\Temp\550713d6-0787-4b22-8db3-f18c53c0a736.vbs

Filesize
745B

MD5
6599735bdd023ccc75aed6f6422b33ee

SHA1
f568a754ed9196b0c978a1557b8a27f50ff134f4

SHA256
5e9ce3a4a0220e58ab349eabd3fd1e71bf6b1d5026f970c25f5fcda9f2627223

SHA512
b86a2ecb4688b1556f0be1015becfd9ed3a5e28b634627184e7bc8db192cab8fc055770e7ea428e9a2201b5e2c239cabaf22f6efcbe2e03c87e9af239be3d00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\59df9f60-a188-4fc6-8f87-f2b5be284d59.vbs

Filesize
745B

MD5
432e2206512f7987df27271fe13d4e0a

SHA1
50106893a033a6105ff8d565538738bcf685ef2a

SHA256
720ba3ed671a49a1e63331ecaee2016a8e30c7d5cdcc04583152dc6f603ed7cc

SHA512
3e3dee8fd3ca5aee52ec0a21cfb0148aa770c198577fdbd77ef0c2de1d867a67a16cc7c2f642b3c10ebf8de8d0cfd6fa9d22da682a053c9880f569e2c581b77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\721f1c85-ce8c-440c-9b77-33f7f64a1c96.vbs

Filesize
745B

MD5
bf5479a45ef469f0eae00284538051c9

SHA1
7a292fb3b621c2e10f26c5e5bf12329ba482f086

SHA256
0c3b82000b80e52628184852aa441a883477ec56c879a3afc90235da3cd44df7

SHA512
01c3eaccfee8c4f8264634f72a020b67ccd1acedab3a23c7654df88c1fd1fab10dc445fee168d05d8889dc605e26614e89588e1d23f08492af46af1e9367caab

Download Submit
C:\Users\Admin\AppData\Local\Temp\78929667-cbae-4765-bc5e-de6e8d1929d7.vbs

Filesize
745B

MD5
4eaed9afaf180f39dc4c29492644fbee

SHA1
d3178625d297a5a583269864a7f1a882f45dc443

SHA256
5057614cbcae29386fa8f9be74eb5f94c3ea6bed105be674ee55161d76a0ab82

SHA512
f3bbdb2cba11fc3d3a60bc3563998a36b2088281585db7677c75c7106bb22994651d39a806da425f571111bbed998db002acdb69ebc020108eb2eb03b68b56ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\847fb957-680b-4e32-8a2d-9b009167690b.vbs

Filesize
745B

MD5
ff4d32edb62cd04ce82d7dbf685a0332

SHA1
38ee4f621ec35e8c21255ad7e8ed98756e7c3bc9

SHA256
5fe0662dc0a445dd8bcd763011196b8fe199e79dbd23572175f1b2bfbf26d35a

SHA512
2e8501564235ac8e16b9eefa405a9ead606ef986d01dfecad67c9021ae27fe8a781ad7ad32a4397d5c40acd0855f74fb486de90539e47bb032db7406d547160a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b5555df-9715-4fc8-9501-9492b3e07544.vbs

Filesize
745B

MD5
13da576b517f6b83e7abbd300d72474d

SHA1
65ba2ee1df96331ee58362b9a5664312815968a1

SHA256
39c940a5123cb8b2b8b162f60fa91e90449236c945ae632766372e44103737ab

SHA512
b58ab07660878dbdc0e1bf245711c2bf3ee9a4613d5e6cfc13251145c51ad7c8dc79d138550f5dc1c139070bbe25d0700186a60976ec4c452b5ede2ea6bb7a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jryl3nkx.4jo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c71e7a73-1c97-48e6-8767-7ad0ca39a915.vbs

Filesize
745B

MD5
ca9e805081cf5859982f82d088a7c663

SHA1
d5a9128f3eae7f95345a1503844a6ffc7f66816d

SHA256
ace34d5e65b4fe72b40fee2d5fd18fa7db253601599ab5f8f78e356b94321746

SHA512
242ad622b8297cb159fe35e35974e24ffb285a9a086646658511922916f35a5cacf3c789a49cf88c673f5997f7a680675dc87af8fa17098a196b552a6ea4aaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e703fed7-275c-410b-b75d-8784ba776a3f.vbs

Filesize
745B

MD5
d404d2b676ba75b57c750b16835f8a9c

SHA1
f70703e5d3d307fa7373f373911b6e2ff3ae43fd

SHA256
bd2a31a4d9efb798a8cbc0c5f25933799b28620548dfff27dcad9bb7850fca32

SHA512
433915ed39f7d6c9fc76927a481740af412d4f2d18bfd9108cc43e5f0f68a3ec10e2cdc9949b6abdda318cbaf7edcaca0542fccdd9b6b6c8bad58412b0de194e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f36c19c0594ebb886dc55e1e2a7040ff3f1e38e04.5.273f27bd703f4f26926fc190021d65d71a2f1b9eab

Filesize
856B

MD5
2974208dfbe3c64c7fc8549224255069

SHA1
f931bb6ca37dd8893416b06131d4d73fd97b285b

SHA256
2f5b1958f8ec73c46257af26cfc4fc8787c373a070a79f9cd70985451fcfb5c9

SHA512
3f9ad19688f7d158200904328541fdf8d0bf96da05cfea9d26fcbc6016b66dd20ca5d252a8b46ad01da4e8bd2f50b2d6ff1c49405c9e862d8596206e634ca103

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd80707f-fd17-4b24-8150-eb07a4ad2f9b.vbs

Filesize
745B

MD5
3bfb4a00c35e6881b6468aefa54a36f4

SHA1
d3e195f0547da9e63543e94adf5411c9fbc2ce5a

SHA256
725c944e1c08d2921a16f1bcab74937b7b3ce6732177cd5140c656e8a671899b

SHA512
2424f68b302a80245961fe80d56c2fe84851a5a80a1b5f1ad1dd55815da48d0a3efb5888046f4361c5a74d654cd1dcfdd72c32b5c766b96e7a64d9fcae1b57e6

Download Submit
C:\Windows\System32\sechost\SppExtComObj.exe

Filesize
1.5MB

MD5
207f37be38ccbb0fe77bda8d4ab69187

SHA1
97a4aa79a700e336ca8450bfbf38d7e18215173b

SHA256
ec455e7827ad85aec51982eb1e0e3653ec13ee2dba778b72e1fc564c1ebeceff

SHA512
34350185b31d087e3d9027bdaa382497c061d68fd9d30a201d2563598fdaf2ef05dc8f08f27bc13af0303fc5694f2fea997e1ef042168e705cc83c3f23f6c93e

Download Submit
memory/448-508-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/552-342-0x000001F8702E0000-0x000001F8704FC000-memory.dmp

Filesize
2.1MB

Download
memory/656-978-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/956-363-0x000001F27C000000-0x000001F27C21C000-memory.dmp

Filesize
2.1MB

Download
memory/1136-723-0x000000001B8C0000-0x000000001B8D2000-memory.dmp

Filesize
72KB

Download
memory/1136-360-0x000001CDF72F0000-0x000001CDF750C000-memory.dmp

Filesize
2.1MB

Download
memory/1152-592-0x000000001B360000-0x000000001B372000-memory.dmp

Filesize
72KB

Download
memory/1540-87-0x0000029C79CE0000-0x0000029C79D02000-memory.dmp

Filesize
136KB

Download
memory/1564-694-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1640-524-0x0000000001730000-0x0000000001742000-memory.dmp

Filesize
72KB

Download
memory/1672-430-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

Filesize
72KB

Download
memory/1744-1036-0x0000000002980000-0x0000000002992000-memory.dmp

Filesize
72KB

Download
memory/1760-547-0x0000000001310000-0x0000000001322000-memory.dmp

Filesize
72KB

Download
memory/1828-738-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2052-563-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/2288-956-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2308-848-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2348-856-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/2484-5-0x0000000002430000-0x000000000243C000-memory.dmp

Filesize
48KB

Download
memory/2484-1-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download
memory/2484-14-0x000000001AE90000-0x000000001AE9C000-memory.dmp

Filesize
48KB

Download
memory/2484-0-0x00007FF8244B3000-0x00007FF8244B5000-memory.dmp

Filesize
8KB

Download
memory/2484-15-0x000000001AEA0000-0x000000001AEAA000-memory.dmp

Filesize
40KB

Download
memory/2484-4-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2484-13-0x000000001AE80000-0x000000001AE8A000-memory.dmp

Filesize
40KB

Download
memory/2484-12-0x000000001AE70000-0x000000001AE78000-memory.dmp

Filesize
32KB

Download
memory/2484-11-0x000000001AE60000-0x000000001AE70000-memory.dmp

Filesize
64KB

Download
memory/2484-10-0x000000001AE50000-0x000000001AE60000-memory.dmp

Filesize
64KB

Download
memory/2484-17-0x000000001AEC0000-0x000000001AECC000-memory.dmp

Filesize
48KB

Download
memory/2484-9-0x000000001AE40000-0x000000001AE4C000-memory.dmp

Filesize
48KB

Download
memory/2484-8-0x000000001AE30000-0x000000001AE38000-memory.dmp

Filesize
32KB

Download
memory/2484-20-0x000000001AEE0000-0x000000001AEEC000-memory.dmp

Filesize
48KB

Download
memory/2484-6-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/2484-7-0x000000001AE20000-0x000000001AE2C000-memory.dmp

Filesize
48KB

Download
memory/2484-2-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2484-133-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2484-3-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2484-21-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/2484-16-0x000000001AEB0000-0x000000001AEB8000-memory.dmp

Filesize
32KB

Download
memory/2484-25-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2484-18-0x000000001AED0000-0x000000001AED8000-memory.dmp

Filesize
32KB

Download
memory/2484-24-0x00007FF8244B0000-0x00007FF824F71000-memory.dmp

Filesize
10.8MB

Download
memory/2700-790-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2712-385-0x0000000001520000-0x0000000001532000-memory.dmp

Filesize
72KB

Download
memory/2728-1007-0x0000000002F90000-0x0000000002FA2000-memory.dmp

Filesize
72KB

Download
memory/2876-353-0x00000215DC7C0000-0x00000215DC9DC000-memory.dmp

Filesize
2.1MB

Download
memory/2956-345-0x0000029BD2FC0000-0x0000029BD31DC000-memory.dmp

Filesize
2.1MB

Download
memory/3036-665-0x0000000002E20000-0x0000000002E32000-memory.dmp

Filesize
72KB

Download
memory/3200-753-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/3296-373-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/3544-369-0x0000018DF1D80000-0x0000018DF1F9C000-memory.dmp

Filesize
2.1MB

Download
memory/3548-359-0x000002213D940000-0x000002213DB5C000-memory.dmp

Filesize
2.1MB

Download
memory/3612-1073-0x00000000017F0000-0x0000000001802000-memory.dmp

Filesize
72KB

Download
memory/3616-348-0x000001C176A30000-0x000001C176C4C000-memory.dmp

Filesize
2.1MB

Download
memory/3664-607-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/3984-516-0x00000000016B0000-0x00000000016C2000-memory.dmp

Filesize
72KB

Download
memory/4068-782-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4352-476-0x00000000015D0000-0x00000000015E2000-memory.dmp

Filesize
72KB

Download
memory/4392-798-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/4452-366-0x0000029AECEB0000-0x0000029AED0CC000-memory.dmp

Filesize
2.1MB

Download
memory/4672-1102-0x0000000001970000-0x0000000001982000-memory.dmp

Filesize
72KB

Download
memory/4784-629-0x0000000001160000-0x0000000001172000-memory.dmp

Filesize
72KB

Download
memory/4900-453-0x00000000018F0000-0x0000000001902000-memory.dmp

Filesize
72KB

Download
memory/4940-555-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/4948-948-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/5000-354-0x0000017B7BE30000-0x0000017B7C04C000-memory.dmp

Filesize
2.1MB

Download
memory/5032-539-0x000000001B0B0000-0x000000001B0C2000-memory.dmp

Filesize
72KB

Download
memory/5088-1065-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download