4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Size

1.9MB
MD5

414863aa7119c788f473f89650c25803
SHA1

45300792d3fffba9bc35e9f3ff2bd3e42dada29b
SHA256

04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989
SHA512

baabf728513a96c0ba2cc0d1f85177323d26235086de1ec1bef2c7781750d37906e9281cc6344a3024d5a5214590ac09f0efea4ab96222b71e63102511e040b0
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2920	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2920	schtasks.exe	29

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1556	sppsvc.exe
5	1556	sppsvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
588	powershell.exe
1548	powershell.exe
1692	powershell.exe
3012	powershell.exe
2808	powershell.exe
1976	powershell.exe
1776	powershell.exe
1708	powershell.exe
2028	powershell.exe
2884	powershell.exe
1108	powershell.exe
2132	powershell.exe
2256	powershell.exe
1552	powershell.exe
2012	powershell.exe
2676	powershell.exe
1804	powershell.exe
984	powershell.exe
1536	powershell.exe
2764	powershell.exe
2928	powershell.exe
2148	powershell.exe
1672	powershell.exe
2180	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Executes dropped EXE 8 IoCs

pid	Process
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
1556	sppsvc.exe
2836	sppsvc.exe
2084	sppsvc.exe
588	sppsvc.exe
676	sppsvc.exe
592	sppsvc.exe
936	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\26c97563519bd3	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Internet Explorer\images\5940a34987c991	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX212B.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Internet Explorer\images\dllhost.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX2584.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Internet Explorer\images\WmiPrvSE.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Internet Explorer\images\dllhost.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Mozilla Firefox\fonts\6203df4a6bafc7	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Internet Explorer\images\WmiPrvSE.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files\Internet Explorer\images\24dbde2999530e	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\0a1fd5f707cd16	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6203df4a6bafc7	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX213C.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX2583.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\PLA\886983d96e3d3e	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\RCX1F08.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\smss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\Vss\Writers\Application\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\Vss\Writers\Application\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\tracing\System.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\RCX235F.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\addins\spoolsv.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\addins\f3b6ecef712a24	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\tracing\System.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\addins\spoolsv.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\PLA\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\RCX236F.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\tracing\27d1bcfc3c54e0	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\csrss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\PLA\Rules\en-US\smss.exe	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\PLA\Rules\en-US\69ddcba757bf72	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File opened for modification	C:\Windows\PLA\RCX1EF8.tmp	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
File created	C:\Windows\Vss\Writers\Application\886983d96e3d3e	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2060	schtasks.exe
1828	schtasks.exe
1760	schtasks.exe
1924	schtasks.exe
1204	schtasks.exe
1612	schtasks.exe
2068	schtasks.exe
2128	schtasks.exe
1636	schtasks.exe
2560	schtasks.exe
2380	schtasks.exe
3024	schtasks.exe
1200	schtasks.exe
2824	schtasks.exe
2180	schtasks.exe
2268	schtasks.exe
2780	schtasks.exe
2408	schtasks.exe
2452	schtasks.exe
2608	schtasks.exe
664	schtasks.exe
1680	schtasks.exe
2212	schtasks.exe
1736	schtasks.exe
1928	schtasks.exe
2492	schtasks.exe
2872	schtasks.exe
1640	schtasks.exe
612	schtasks.exe
2972	schtasks.exe
1932	schtasks.exe
2484	schtasks.exe
2612	schtasks.exe
432	schtasks.exe
2136	schtasks.exe
2588	schtasks.exe
2692	schtasks.exe
2508	schtasks.exe
2500	schtasks.exe
2112	schtasks.exe
2076	schtasks.exe
2816	schtasks.exe
2192	schtasks.exe
2252	schtasks.exe
2520	schtasks.exe
388	schtasks.exe
2032	schtasks.exe
2224	schtasks.exe
1748	schtasks.exe
2672	schtasks.exe
2744	schtasks.exe
640	schtasks.exe
2368	schtasks.exe
2972	schtasks.exe
2796	schtasks.exe
2156	schtasks.exe
1176	schtasks.exe
1844	schtasks.exe
1076	schtasks.exe
2364	schtasks.exe
2960	schtasks.exe
1592	schtasks.exe
1740	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1556	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
1108	powershell.exe
1548	powershell.exe
1776	powershell.exe
1536	powershell.exe
1976	powershell.exe
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
2028	powershell.exe
1708	powershell.exe
2132	powershell.exe
2256	powershell.exe
1552	powershell.exe
2180	powershell.exe
2808	powershell.exe
1804	powershell.exe
2012	powershell.exe
984	powershell.exe
1692	powershell.exe
2340	powershell.exe
2928	powershell.exe
2676	powershell.exe
1672	powershell.exe
2148	powershell.exe
588	powershell.exe
2764	powershell.exe
2884	powershell.exe
3012	powershell.exe
1556	sppsvc.exe
2836	sppsvc.exe
2084	sppsvc.exe
588	sppsvc.exe
676	sppsvc.exe
592	sppsvc.exe
936	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1556	sppsvc.exe
Token: SeDebugPrivilege	2836	sppsvc.exe
Token: SeDebugPrivilege	2084	sppsvc.exe
Token: SeDebugPrivilege	588	sppsvc.exe
Token: SeDebugPrivilege	676	sppsvc.exe
Token: SeDebugPrivilege	592	sppsvc.exe
Token: SeDebugPrivilege	936	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1976	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	42
PID 2448 wrote to memory of 1976	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	42
PID 2448 wrote to memory of 1976	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	42
PID 2448 wrote to memory of 1108	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	43
PID 2448 wrote to memory of 1108	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	43
PID 2448 wrote to memory of 1108	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	43
PID 2448 wrote to memory of 1548	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	44
PID 2448 wrote to memory of 1548	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	44
PID 2448 wrote to memory of 1548	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	44
PID 2448 wrote to memory of 1536	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	45
PID 2448 wrote to memory of 1536	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	45
PID 2448 wrote to memory of 1536	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	45
PID 2448 wrote to memory of 1776	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	46
PID 2448 wrote to memory of 1776	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	46
PID 2448 wrote to memory of 1776	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	46
PID 2448 wrote to memory of 2144	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	52
PID 2448 wrote to memory of 2144	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	52
PID 2448 wrote to memory of 2144	2448	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	52
PID 2144 wrote to memory of 2764	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	110
PID 2144 wrote to memory of 2764	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	110
PID 2144 wrote to memory of 2764	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	110
PID 2144 wrote to memory of 2132	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	111
PID 2144 wrote to memory of 2132	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	111
PID 2144 wrote to memory of 2132	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	111
PID 2144 wrote to memory of 2256	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	113
PID 2144 wrote to memory of 2256	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	113
PID 2144 wrote to memory of 2256	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	113
PID 2144 wrote to memory of 2928	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	114
PID 2144 wrote to memory of 2928	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	114
PID 2144 wrote to memory of 2928	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	114
PID 2144 wrote to memory of 1672	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	115
PID 2144 wrote to memory of 1672	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	115
PID 2144 wrote to memory of 1672	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	115
PID 2144 wrote to memory of 2148	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	116
PID 2144 wrote to memory of 2148	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	116
PID 2144 wrote to memory of 2148	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	116
PID 2144 wrote to memory of 1708	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	118
PID 2144 wrote to memory of 1708	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	118
PID 2144 wrote to memory of 1708	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	118
PID 2144 wrote to memory of 1552	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	119
PID 2144 wrote to memory of 1552	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	119
PID 2144 wrote to memory of 1552	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	119
PID 2144 wrote to memory of 2028	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	120
PID 2144 wrote to memory of 2028	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	120
PID 2144 wrote to memory of 2028	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	120
PID 2144 wrote to memory of 2012	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	121
PID 2144 wrote to memory of 2012	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	121
PID 2144 wrote to memory of 2012	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	121
PID 2144 wrote to memory of 2676	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	123
PID 2144 wrote to memory of 2676	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	123
PID 2144 wrote to memory of 2676	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	123
PID 2144 wrote to memory of 2884	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	124
PID 2144 wrote to memory of 2884	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	124
PID 2144 wrote to memory of 2884	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	124
PID 2144 wrote to memory of 2180	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	125
PID 2144 wrote to memory of 2180	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	125
PID 2144 wrote to memory of 2180	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	125
PID 2144 wrote to memory of 1804	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	127
PID 2144 wrote to memory of 1804	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	127
PID 2144 wrote to memory of 1804	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	127
PID 2144 wrote to memory of 984	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	128
PID 2144 wrote to memory of 984	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	128
PID 2144 wrote to memory of 984	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	128
PID 2144 wrote to memory of 1692	2144	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe	133

System policy modification 1 TTPs 27 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
"C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\en-US\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe
  "C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\deBu3xOP7T.bat"
    3⤵
    PID:2284
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2660
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
      4⤵
      UAC bypass
      Blocklisted process makes network request
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:1556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303fc6e7-b923-4abf-a681-925cd7c929cb.vbs"
        5⤵
        
        PID:2668
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a042488-e6be-4045-914c-cbd8d1723603.vbs"
        7⤵
        
        PID:2816
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26540a87-b863-45ce-aa61-d4b4d8850633.vbs"
        9⤵
        
        PID:612
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb4c6e13-bd94-454c-995d-a5e8fcd69199.vbs"
        11⤵
        
        PID:1640
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13531a3-171e-4fca-beb2-ac3ade5253ae.vbs"
        13⤵
        
        PID:1556
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13778fc6-838b-4231-b3dc-5c902691a4db.vbs"
        15⤵
        
        PID:2728
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22db8087-8949-48ca-b694-5016e22cdf71.vbs"
        17⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fc4b1e2-5c8e-4c55-ac16-ef81ec304839.vbs"
        17⤵
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ccc88fa-fb0e-40ae-abf0-9e7c9b0c71eb.vbs"
        15⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fea0a91-519d-4d5c-acb4-90053a652081.vbs"
        13⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3434019-2a40-4aa0-8091-fa9b8297f8c9.vbs"
        11⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdac462-8019-47df-9216-ee7e645d5ae5.vbs"
        9⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89a3db3d-b153-4bc9-9492-567f65a34e5a.vbs"
        7⤵
        
        PID:2364
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a14520d1-f735-4d8a-bc9e-e49d2f331ee1.vbs"
        5⤵
        
        PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b9890" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b9890" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13778fc6-838b-4231-b3dc-5c902691a4db.vbs

Filesize
757B

MD5
c73d2ec709b0db5f597593012bfe4ef3

SHA1
adca11089fa042d723dd977622d30ded656f159f

SHA256
88523489b9cdd830338e571a62756e69f2c7b443c05161e6860d218b6b62aa4d

SHA512
ffcf84356db4e20da403c0c7e4e1447704410a199d81afb0cf1ed09052d8e0441818a04506863289e649bc91ec068f93b3d79acf07cd202a9e2c7807bcf4c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\22db8087-8949-48ca-b694-5016e22cdf71.vbs

Filesize
757B

MD5
386e9d7c6c9568c2df326408c48a6cde

SHA1
e2b1011a18ef6333819564489cb707fa7a8f52ba

SHA256
989eda25472f438f2164a0659c70e537922a98e36497cb272cfa7c36f57c00c3

SHA512
7e55681e4a7e8e4f83214f95c51e361c3a642184c27eaabb1aaded5be69496fb406a711ca03e026ff863e880c81781b7cca940ed4cac517bf19caa12785c0b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\26540a87-b863-45ce-aa61-d4b4d8850633.vbs

Filesize
758B

MD5
99794eb13a437eafa4d6db4818067eaa

SHA1
6dbdbccf4fa39367c2e5bcb262caa56318e92807

SHA256
e5ac8d15f2f3b5eb1237ab16361900a5ff3c718232492007f6c12d536c39dc55

SHA512
4247dc2708f87637a4487c96ffd372d3ceba97fdbe7af6a005f54b798fd4f36f0e34738a877d95485fc62dc942cdf4c66fdbe123710fbd9f7c201b4548323ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\303fc6e7-b923-4abf-a681-925cd7c929cb.vbs

Filesize
758B

MD5
b96f350a22533addb8a9fc344af599f9

SHA1
0aaf6349859e261ea8d0a56c2f7fdac40c809686

SHA256
a4085b94e06aa50e6df28e134727d94133e1dc6b158ab09b526dc674b9c676cc

SHA512
1379abeb1018a47026e948828f474dd86d877b266ecca73932d378d00fc2e3f44e6d5f18146cab5535359a6c6f1f8326f2060fafbcce1c0a29461ecc803465c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a042488-e6be-4045-914c-cbd8d1723603.vbs

Filesize
758B

MD5
6c996dc98b18c04353a5b764fb7a1974

SHA1
e21116c79528a1ecbb7e2cb9849992794d5f8d58

SHA256
e5e9028a6f8449ca5fe63572119c00b18e6593ee8a6f4af0e46eda164b555bd7

SHA512
f5c636068fafa0964dfe9ce140b03d0db12d4ffd49876e59aa183927c3f813ab2bc23db2400a910ceeee2ea307da8221ce86cdbc4b098c15c03ac18bd74d54e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX1CD5.tmp

Filesize
1.9MB

MD5
414863aa7119c788f473f89650c25803

SHA1
45300792d3fffba9bc35e9f3ff2bd3e42dada29b

SHA256
04a0d422bfab50b323946c739913ca997a3d00e1c87bb102be934c914713b989

SHA512
baabf728513a96c0ba2cc0d1f85177323d26235086de1ec1bef2c7781750d37906e9281cc6344a3024d5a5214590ac09f0efea4ab96222b71e63102511e040b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a14520d1-f735-4d8a-bc9e-e49d2f331ee1.vbs

Filesize
534B

MD5
2dbb8ee24cc2408f0d4809897802da45

SHA1
42d0b718d7d5ac9ec63f579c901868ce42456859

SHA256
54384afcecd5da68f83d497bb8a516ecdd2773ab9432abda526ff2b5332ac05e

SHA512
b1039eb9076318fdab1e2ce4fac421ae3a91db0ec0546e84c8e2218ebab1d7508c91fd3b2580c3d54974f7afa74dc25abc7607cd45dc29cb07e46602acb84f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb4c6e13-bd94-454c-995d-a5e8fcd69199.vbs

Filesize
757B

MD5
7008f254786512242e4424ae5a30ff92

SHA1
5075af77f75f65a4de5fc9986d62242f974a2a97

SHA256
a62249b6f522cdff33c72cfd4a064d5697aa6bf9a372cfd01134f9e4423efea1

SHA512
086cb0ae2ee4878b1a289bc18357485af48dfc8b60ce1630fcfaa87514c3c52f2ae7b4770b2701984d7bdebded4b793d56adb06cac7de045451f3f35e82b0b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\deBu3xOP7T.bat

Filesize
247B

MD5
9440200188a22cd1d8034302af827208

SHA1
5122d921a7adbb0af28a4b0c3890947ef79830e9

SHA256
4eaa1c277a68a9c4a20ee64ac3715b198ae0c3306970fd21af194d6d65d79f5f

SHA512
c325cd01780359749790f8813840c575498fe605176d46e8a78e7e203d3ff1775bd2c79817de39c1b5c767f2d8c69fa24972e9e116f9b4209326e3cd01aaa045

Download Submit
C:\Users\Admin\AppData\Local\Temp\e13531a3-171e-4fca-beb2-ac3ade5253ae.vbs

Filesize
757B

MD5
6d2274720533d5826bd56365b8e1b854

SHA1
b6d4db3590322a242ea6e71dab56cb0e83b073fb

SHA256
f9b41abf077d224e012f0e083d7a78cfe1f8b5b01c05e16ccf9bd4306851a22b

SHA512
4ea937234c4bf2c7e0f53eabf370aa547ce8b3d47fcd4cb8ab75d9f194580903cc805d410a8216fa5d40608b05587cab6394572f9c54c07207c88e0fa495099a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
2KB

MD5
918be4cb0e2bf3642d2c1e1091c74af5

SHA1
7aa62964b6d6f4e924c01662b704d2ea4522583c

SHA256
18b36ec5992a0c2f7f4101378b6ecfe0d0284d6586b27e22955e965eb4d326c1

SHA512
3f5bc4b5c0b73b8557db947cdfc2cf06f909eeaa0bd3566b21424cc3c172e0ada3029b90daefffb4d31585e6d540342cbf54156c42fc67fcec6ca60da7b1475a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
084694f92b86faf27556bbf292df0e10

SHA1
451aa302d17fe9debfe0ceeebcc50c6c868f0144

SHA256
3c8a714809fc326b2f6bfbfceeb01d6cbd3ccff44020c0cda85f9ec89ca8c9db

SHA512
8d4e0eae0ba645bc4e6e6c4a165b31ad5c0ddadfc6843eba61776fd3da74cd29a9212eb734fc3d62921af338fc4c5ea962d8abb66884f37c7c48a68e224db53f

Download Submit
memory/588-328-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/592-352-0x0000000000320000-0x000000000050A000-memory.dmp

Filesize
1.9MB

Download
memory/676-340-0x00000000011E0000-0x00000000013CA000-memory.dmp

Filesize
1.9MB

Download
memory/936-364-0x0000000000B30000-0x0000000000D1A000-memory.dmp

Filesize
1.9MB

Download
memory/1108-107-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1108-106-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1556-295-0x0000000000D80000-0x0000000000F6A000-memory.dmp

Filesize
1.9MB

Download
memory/2028-198-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2028-213-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2144-109-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/2448-13-0x0000000000E50000-0x0000000000E5C000-memory.dmp

Filesize
48KB

Download
memory/2448-10-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2448-15-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/2448-108-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2448-14-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/2448-16-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2448-18-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/2448-12-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/2448-17-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2448-9-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2448-8-0x0000000000CC0000-0x0000000000D16000-memory.dmp

Filesize
344KB

Download
memory/2448-7-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/2448-6-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/2448-5-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2448-4-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2448-3-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2448-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-1-0x0000000000EC0000-0x00000000010AA000-memory.dmp

Filesize
1.9MB

Download