e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Size

1.9MB
MD5

f6e9aa3f2d123261eda08333b1bd7559
SHA1

6bfe995054477329b2308617b824fb27ed762449
SHA256

c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195
SHA512

24fd343e717a3b3caf5870b2e8007a16b41f26418ecd8844ccd6f74a6255bf8918f7cf9b2cc3fafdc1cb39fbbbd144daf97832d6217efa7e6330e43f49102633
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5660	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1772	schtasks.exe	87

UAC bypass 3 TTPs 27 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1452	powershell.exe
1796	powershell.exe
4744	powershell.exe
4620	powershell.exe
3268	powershell.exe
4224	powershell.exe
4472	powershell.exe
4656	powershell.exe
4900	powershell.exe
952	powershell.exe
4316	powershell.exe
4692	powershell.exe
4040	powershell.exe
4612	powershell.exe
5912	powershell.exe
632	powershell.exe
4120	powershell.exe
4720	powershell.exe
840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 8 IoCs

pid	Process
4852	OfficeClickToRun.exe
1764	OfficeClickToRun.exe
5264	OfficeClickToRun.exe
5200	OfficeClickToRun.exe
5776	OfficeClickToRun.exe
1392	OfficeClickToRun.exe
5588	OfficeClickToRun.exe
1512	OfficeClickToRun.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4596_217729105\csrss.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files\7-Zip\RCX8072.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files\7-Zip\StartMenuExperienceHost.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files\edge_BITS_4596_217729105\886983d96e3d3e	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files\7-Zip\StartMenuExperienceHost.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files\7-Zip\RCX8071.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files\edge_BITS_4596_217729105\csrss.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files\7-Zip\55b276f4edf653	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files\edge_BITS_4596_217729105\RCX7647.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX876C.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX876D.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ea1d8f6d871115	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Program Files\edge_BITS_4596_217729105\RCX76B6.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\RCX7DFE.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Windows\Logs\RCX7E6D.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Windows\Logs\27d1bcfc3c54e0	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Windows\Cursors\RCX6F9A.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Windows\Logs\System.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Windows\Cursors\1ada16b6df59d9	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File created	C:\Windows\Logs\System.exe	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
File opened for modification	C:\Windows\Cursors\RCX6FAB.tmp	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1204	schtasks.exe
3176	schtasks.exe
4828	schtasks.exe
3580	schtasks.exe
912	schtasks.exe
5184	schtasks.exe
2556	schtasks.exe
5660	schtasks.exe
4248	schtasks.exe
4396	schtasks.exe
1888	schtasks.exe
3172	schtasks.exe
4820	schtasks.exe
5028	schtasks.exe
5456	schtasks.exe
5116	schtasks.exe
1516	schtasks.exe
4044	schtasks.exe
732	schtasks.exe
64	schtasks.exe
5820	schtasks.exe
448	schtasks.exe
1108	schtasks.exe
4608	schtasks.exe
4676	schtasks.exe
4920	schtasks.exe
5268	schtasks.exe
1116	schtasks.exe
2540	schtasks.exe
1684	schtasks.exe
1536	schtasks.exe
4764	schtasks.exe
5460	schtasks.exe
336	schtasks.exe
6100	schtasks.exe
3548	schtasks.exe
2828	schtasks.exe
3788	schtasks.exe
4404	schtasks.exe
4000	schtasks.exe
4620	schtasks.exe
4880	schtasks.exe
4952	schtasks.exe
5444	schtasks.exe
4712	schtasks.exe
4980	schtasks.exe
3928	schtasks.exe
4548	schtasks.exe
4644	schtasks.exe
4848	schtasks.exe
3504	schtasks.exe
3220	schtasks.exe
4756	schtasks.exe
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
4472	powershell.exe
4472	powershell.exe
4316	powershell.exe
4316	powershell.exe
1796	powershell.exe
1796	powershell.exe
4120	powershell.exe
4120	powershell.exe
5912	powershell.exe
5912	powershell.exe
4720	powershell.exe
4720	powershell.exe
4040	powershell.exe
4040	powershell.exe
4224	powershell.exe
4224	powershell.exe
4692	powershell.exe
4692	powershell.exe
1452	powershell.exe
1452	powershell.exe
840	powershell.exe
840	powershell.exe
4612	powershell.exe
4612	powershell.exe
952	powershell.exe
952	powershell.exe
4620	powershell.exe
4620	powershell.exe
632	powershell.exe
632	powershell.exe
4656	powershell.exe
4656	powershell.exe
1452	powershell.exe
4744	powershell.exe
3268	powershell.exe
3268	powershell.exe
4744	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4852	OfficeClickToRun.exe
Token: SeDebugPrivilege	1764	OfficeClickToRun.exe
Token: SeDebugPrivilege	5264	OfficeClickToRun.exe
Token: SeDebugPrivilege	5200	OfficeClickToRun.exe
Token: SeDebugPrivilege	5776	OfficeClickToRun.exe
Token: SeDebugPrivilege	1392	OfficeClickToRun.exe
Token: SeDebugPrivilege	5588	OfficeClickToRun.exe
Token: SeDebugPrivilege	1512	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4316	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	148
PID 3712 wrote to memory of 4316	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	148
PID 3712 wrote to memory of 4472	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	149
PID 3712 wrote to memory of 4472	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	149
PID 3712 wrote to memory of 4120	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	151
PID 3712 wrote to memory of 4120	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	151
PID 3712 wrote to memory of 1452	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	152
PID 3712 wrote to memory of 1452	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	152
PID 3712 wrote to memory of 4224	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	153
PID 3712 wrote to memory of 4224	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	153
PID 3712 wrote to memory of 1796	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	156
PID 3712 wrote to memory of 1796	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	156
PID 3712 wrote to memory of 840	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	157
PID 3712 wrote to memory of 840	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	157
PID 3712 wrote to memory of 952	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	159
PID 3712 wrote to memory of 952	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	159
PID 3712 wrote to memory of 632	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	160
PID 3712 wrote to memory of 632	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	160
PID 3712 wrote to memory of 5912	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	164
PID 3712 wrote to memory of 5912	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	164
PID 3712 wrote to memory of 4720	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	165
PID 3712 wrote to memory of 4720	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	165
PID 3712 wrote to memory of 4900	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	166
PID 3712 wrote to memory of 4900	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	166
PID 3712 wrote to memory of 4612	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	167
PID 3712 wrote to memory of 4612	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	167
PID 3712 wrote to memory of 3268	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	168
PID 3712 wrote to memory of 3268	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	168
PID 3712 wrote to memory of 4040	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	169
PID 3712 wrote to memory of 4040	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	169
PID 3712 wrote to memory of 4656	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	170
PID 3712 wrote to memory of 4656	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	170
PID 3712 wrote to memory of 4620	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	171
PID 3712 wrote to memory of 4620	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	171
PID 3712 wrote to memory of 4692	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	172
PID 3712 wrote to memory of 4692	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	172
PID 3712 wrote to memory of 4744	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	173
PID 3712 wrote to memory of 4744	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	173
PID 3712 wrote to memory of 2828	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	186
PID 3712 wrote to memory of 2828	3712	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe	186
PID 2828 wrote to memory of 3712	2828	cmd.exe	188
PID 2828 wrote to memory of 3712	2828	cmd.exe	188
PID 2828 wrote to memory of 4852	2828	cmd.exe	189
PID 2828 wrote to memory of 4852	2828	cmd.exe	189
PID 4852 wrote to memory of 5444	4852	OfficeClickToRun.exe	190
PID 4852 wrote to memory of 5444	4852	OfficeClickToRun.exe	190
PID 4852 wrote to memory of 1948	4852	OfficeClickToRun.exe	191
PID 4852 wrote to memory of 1948	4852	OfficeClickToRun.exe	191
PID 5444 wrote to memory of 1764	5444	WScript.exe	200
PID 5444 wrote to memory of 1764	5444	WScript.exe	200
PID 1764 wrote to memory of 3576	1764	OfficeClickToRun.exe	201
PID 1764 wrote to memory of 3576	1764	OfficeClickToRun.exe	201
PID 1764 wrote to memory of 3120	1764	OfficeClickToRun.exe	202
PID 1764 wrote to memory of 3120	1764	OfficeClickToRun.exe	202
PID 3576 wrote to memory of 5264	3576	WScript.exe	203
PID 3576 wrote to memory of 5264	3576	WScript.exe	203
PID 5264 wrote to memory of 4416	5264	OfficeClickToRun.exe	204
PID 5264 wrote to memory of 4416	5264	OfficeClickToRun.exe	204
PID 5264 wrote to memory of 1684	5264	OfficeClickToRun.exe	205
PID 5264 wrote to memory of 1684	5264	OfficeClickToRun.exe	205
PID 4416 wrote to memory of 5200	4416	WScript.exe	206
PID 4416 wrote to memory of 5200	4416	WScript.exe	206
PID 5200 wrote to memory of 5584	5200	OfficeClickToRun.exe	208
PID 5200 wrote to memory of 5584	5200	OfficeClickToRun.exe	208

System policy modification 1 TTPs 27 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe
"C:\Users\Admin\AppData\Local\Temp\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4596_217729105\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLM2mMq4EJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3712
- - C:\Recovery\WindowsRE\OfficeClickToRun.exe
    "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4852
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9412fed-45a5-4d01-bf25-b0d45ccb9613.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5444
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6caeccc-4c56-46a2-9468-f204480f7a22.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2bd44de-5bbf-4660-88df-8b8bbd28d70e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be02f2ce-5468-474a-834a-d84a4e30d153.vbs"
        10⤵
        
        PID:5584
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63fc4c2f-095b-4039-b271-ba469c3e4e29.vbs"
        12⤵
        
        PID:1440
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b48934a-475d-4ce2-9674-52ac457ffc27.vbs"
        14⤵
        
        PID:5140
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fd3b5d4-1d97-4463-b079-5b538ae66dec.vbs"
        16⤵
        
        PID:1776
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70b8691e-6086-44d3-bf22-a770b8383033.vbs"
        18⤵
        
        PID:5396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5469ed93-2d03-4fce-9196-48b05ca0c47a.vbs"
        18⤵
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66cd872-b862-4436-a4e1-d71bae874393.vbs"
        16⤵
        
        PID:5980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cfd9e5-b425-43be-be93-43e0371a1ee4.vbs"
        14⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5e11044-e554-44d3-b8e7-ac70d289b21e.vbs"
        12⤵
        
        PID:3688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96bba0dc-2934-4594-bb27-762fc8eb05f0.vbs"
        10⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6d4910f-4678-4a75-9880-472fd6f5a78c.vbs"
        8⤵
        
        PID:1684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c509c1-5c15-4df9-aa5f-6e752f1561da.vbs"
        6⤵
        
        PID:3120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c3203b0-a617-406c-bdc1-4844c98bb148.vbs"
      4⤵
      PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195c" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195" /sc ONLOGON /tr "'C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195c" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4596_217729105\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4596_217729105\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4596_217729105\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\edge_BITS_4596_217729105\csrss.exe

Filesize
1.9MB

MD5
10b0529f4f7930115192bad5723abe42

SHA1
5536ee3b661d7e200185b41875c9b15bf5e0ef56

SHA256
0f07147d471c776ea0440560925965b0e46f3c7665ac03f7b5368e372f265ee0

SHA512
414605f946e766a7e36774ef72f732883abb12b820c994441be430da4a8f1d876c186a87cad010d3c1a24863c38f157b246c441f1c0363e51805202017a46578

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\fontdrvhost.exe

Filesize
1.9MB

MD5
1da7759089fe19c9cb4a0f5288bc30a6

SHA1
7ca194a1532545715a434e293909c88b4caec16a

SHA256
c7d92054adadaf9376f66e96631eca63cd04b222f1c5aba35f6ff9c6f76f02f2

SHA512
82fa7685ffebafdd5673dd11ea596ea4dcf76fd957a5acdde67af5ca46ef7b7efba67fad775d4c321f05ee6d809f851b77f8272871f5dd42591bbf8b5bd58517

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.9MB

MD5
683864f3353c0be3bb8e85d869037d6b

SHA1
ace0441759431650815af204724ed72a0199e648

SHA256
19feef6ba8726671f7b8728d039f40720efb7fcdad6742c1a4729a10550d5fc1

SHA512
f70e2358a23108f9284a73c55bc55ae2e8f8cf68a49c7edcec6397873d8121c5646840e6a9bca6370f5bfd75cf0f85e3081dd0bb6fce7aac015edc5f71b98941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba4e21ecb1da461b16fb5e959dd38709

SHA1
67736c22801adc11c6f7fcb0f590d55206e92a7b

SHA256
1436ac482c3aac03015aff9df65906a1ab313aee4a63fcc2d6ef2556b8913baa

SHA512
983d441d9a9369b8b9cd427410d90f8e1042a35e1a2738fd8f6b5576da497c503f770d1232d9962bb7a30c3ef543c1a8be648f48336499bce4a985513c1ce087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa06cb40f97ab488651f3aebd1e07736

SHA1
5094da2f768387c80a0e879ef43ffbdc677ddc97

SHA256
d792dfc55ca10a274ff6ace7d3f5bf6d4cfc9dcefd7c0e9b8aa714fff8988b82

SHA512
e3d49f6cb6b50acd6e93c9bc2b46cffa238d1d28b26f1c549267f32abdfd239c75a261b7bab9edcce606f35b8ca632676efaca3f2b1bbdb9bb739115f6003af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c63980b62b932c2336743babc337af85

SHA1
0ef001498596b702a9fd8944795d7ccb7aac5333

SHA256
59df6f476d34b7f08f279482dea01d2331665c987406de593ebcfd4bcbe73665

SHA512
71dab1d77cdefe2b22c6fd787dedf6c5296f05d450878d550ea9cd1f30fc575c6a234a1f798bb53815715f7f2d3db456358c1173f605f1eeabf41d921e94d067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e912b11f067dfdc49fa5eec88bfb74dd

SHA1
9eb1e129867c685d0c6c3ca18e677a6da2eb3c0d

SHA256
16b497f7b55339f9dbed02d0c4a7eccd490335a253cf41ebb611e7867c35f4a5

SHA512
b2e3bdd21857af9d568b7a87c088f6ab07eac8366fbeaaa27c6bebed7e90eaa024214cfb29d1f1379ad806bb63c06b61bd7c9c4ea53636d78914ae47c09950d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fd3b5d4-1d97-4463-b079-5b538ae66dec.vbs

Filesize
718B

MD5
79540345657e292b41da229dd3e42993

SHA1
580dba0cd390003211969e5e79de7ad1705e5e72

SHA256
2675a6a3f7344bfac832c9007c11543be7edde492c0b9c4ed2e400eef15dddf9

SHA512
18b07151962f7f398d48f70b06e408dc71b17e3b826449d22cf82ed57e778e47c3a2cd4a6d7354011b88b1940264aedbe7d102d203a6fef2828164717fd93807

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b48934a-475d-4ce2-9674-52ac457ffc27.vbs

Filesize
718B

MD5
b0520a35151017d13ab3768445e158d5

SHA1
1abeaaa7ff7e66e912b6e4cae59d85e915afffb5

SHA256
078d5c9d3783d49eebf61c2a0dfedda47b2d94a5ce2b4a930c30831c78500ee9

SHA512
0a7d21cfce994d75b2448ce4fb531be9785c056dc9ca93302e5a5f111d6e5b92d1d48541ba69ce6e8f55ea7dec4bb9f57374107430daeef3bf375ae05db6b8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\63fc4c2f-095b-4039-b271-ba469c3e4e29.vbs

Filesize
718B

MD5
e273eaa8d778727ca7e1276266bb96b3

SHA1
2280509697614156d5dd745402a5d63fe511f5a5

SHA256
1653bbc2a5fbf056d57cf25d5095a2ed77ed7f5bbeb2178be43cb03ecc7c345a

SHA512
9cf3eb332fcfb57181a60d9957accdc0113ad15cdd79ebaee61c191ba0b1578ac36595804f1fc468b0d9d8aa3b5bb38066557c34e34ef76b3278b7250372ba7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70b8691e-6086-44d3-bf22-a770b8383033.vbs

Filesize
718B

MD5
eb2546f4c0e5a83da4f590e1e2e268bf

SHA1
723078b2067712a711b9a42339baec9b584231de

SHA256
07f67833f097ef2e455fcf254abac944fefb4786091806d86052fdd595d6de63

SHA512
111d5a6b7217a61785ab4f469a9302b4a0864abe8ffd2a423f9115d0c553d2c157b778f0e91ef5c08bf498e5cfd1c0655225b70e21ccdc77ae88af951f68779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\752d71c15bba02f2a864b40fcf28367fd84c4bdf.exe

Filesize
1.9MB

MD5
85d1e0ae6c007c75f8903acd441f21da

SHA1
f47d84ffac66fabd0ebb9e354856fb77baa0e984

SHA256
002f84712bd003cd66c4fe39f7fb2c93abc4d559d9ab2dfe0c7684faaa66efab

SHA512
e2d96f702d44806204067958f4d62d3f22197577f01a482c5a90b3fac47b58e9caadd2531c74dfc0fab3d934f295eb38012c5d1b4e8952d6f5e41a7e30390b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c3203b0-a617-406c-bdc1-4844c98bb148.vbs

Filesize
494B

MD5
a14b015636582a6d7526891ef9d077e6

SHA1
03ae01b91b1c1843b79a8de4b6e0ffb3926667dc

SHA256
074db5423c088ca920c0cb4e24923bd71d7058eb15c1e522b156e93a40634373

SHA512
7fcf97e7f990eab48ce8db06c791afb634603fa26635105de29cb6683bdb5724bec89f1fb1c0fc8a8c9f51f4315c1c34892c049f550bce1c02109c2be4b74278

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4d0yuh5u.ndx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be02f2ce-5468-474a-834a-d84a4e30d153.vbs

Filesize
718B

MD5
2c561468ae604e7f13aa6ceee51ca5a9

SHA1
f68d675811d519cb313c3d2997b5a70be8bfd421

SHA256
7e1350652540f3494e5b86410f3c04a2dd31d780c586e09ad0e1356f7531b6d7

SHA512
34923a3ba44f8d825b6ad70603f148578c01269beaa455b9a8bdc6b81b7268041fd9d55825c84461c23cc8f3b879d67f30bcfad2359de3d93a09fb56ebf310ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLM2mMq4EJ.bat

Filesize
207B

MD5
0874275bde4659867258ae38f21ba883

SHA1
e9d74d28ea3b7240aefc2d342ac5e15515323052

SHA256
03a1493f32c9aaca78a716ca9d2152569ee248b04163db94df1ca96b56b65968

SHA512
d32a3b7b518c6543ce60df9ef573a8163d7045491066d3bdbd6418a823dbacc6d764ee3bd43189f82fbc995e830f038653b1190b22110fba4c4d1d7f8d52cbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2bd44de-5bbf-4660-88df-8b8bbd28d70e.vbs

Filesize
718B

MD5
b83ff7f9cdb3809971693385a86f5b09

SHA1
a9348036d052f836a84e38df3974cef26c119f44

SHA256
c3829f854a48e8ecc778fe4c50bb96a00f9cb7cbe7aeca0c2a910df2ec0bdecc

SHA512
36da259d2e480c071a731ece903f97697710ff1b58e6251e8dc36da864e514cb7aba151dc891cfeb5a5b0365fccf7d5bdb42bd55b6dccdebc08903ed450d98a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9412fed-45a5-4d01-bf25-b0d45ccb9613.vbs

Filesize
718B

MD5
85d15a7bde67c3e0092295595dcc9f9a

SHA1
d7e684e116095e85ea2d28ab25186fb80cb7fd56

SHA256
89997b7f4f899731f4e160d34bfed3f2bca31c591606c4e4ee27939ebc9fef7f

SHA512
c4746773db68f49f199cb1cc23e1df8ace4673d26ba4438182f73d9e653d324f8a96a8d5465643abaa704d7f890cd5ac5f6fd38a5084dca4f41897b2873eb424

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6caeccc-4c56-46a2-9468-f204480f7a22.vbs

Filesize
718B

MD5
42d61771c7446e834d71592e2adecae3

SHA1
c080aaaa429e3bed638d90d9cbfebb86c21980dd

SHA256
7e60af3521e83269d40b391d3ffd65328fef1b2b20a4771d9d2ab11c494137db

SHA512
8c47335bbb471be075c7b1ea5c1f8f9e47c048c6cb08a70d2536d2f0922dadab5511134dc40308b4041a1d1ac39b1b704072dac1fa23f28cde829f3418435dea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\upfc.exe

Filesize
1.9MB

MD5
af43090252a1f0e0092dfd1939dae7b2

SHA1
634fbc845b81a9922742718d78a8b937bc5fc228

SHA256
4f4e2eb5915bb390dbfba00073e6e087cc97932e2447992c70afbbe3773ed466

SHA512
fb4f88060ea8a9b89c555f8318395043367891e2e0a311390666c635bc7abb8e96236a59f73932a9f171ff5794a14ab541ecf8b35bbb90b3594db8ee53260ca8

Download Submit
C:\Windows\Cursors\c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195.exe

Filesize
1.9MB

MD5
f6e9aa3f2d123261eda08333b1bd7559

SHA1
6bfe995054477329b2308617b824fb27ed762449

SHA256
c119d7a5cbe03522b96e6fe8dd21f16e239d5ad617df9752ac0ca4827951e195

SHA512
24fd343e717a3b3caf5870b2e8007a16b41f26418ecd8844ccd6f74a6255bf8918f7cf9b2cc3fafdc1cb39fbbbd144daf97832d6217efa7e6330e43f49102633

Download Submit
C:\Windows\Logs\System.exe

Filesize
1.9MB

MD5
a70ba05009b7b5e17fcc5c2a3cb19bf7

SHA1
6cbf572570d6beda5de4f7a53da61fb2e206a280

SHA256
02524b053b3b31ee9bfe3fdedc80ebe6d8616cb3431a95f853b12fab47e7d260

SHA512
0ac3af442a53e626c72c032a7dff1912051737d3d4a757145959a324d481f50b8f3cdcfb85e9746629fa2b4850c1ffeb8d303f54dd154124ecd06d1781cec71c

Download Submit
C:\d25f591a00514bc9ba8441\SppExtComObj.exe

Filesize
1.9MB

MD5
6ba21de29a270bb7147538c00cdf9fd8

SHA1
bf05ace05f165496b7d8ffc76b9100002d402c2c

SHA256
a2a13449101afe05ebf4b9a10e503d80b220fa43fc0fc004a9315cda7f2184fa

SHA512
f655787f08bbb0ca6252eb382f57e1eb6f8811b373746e94ac25cc3eeaaf0a69ccefe5d38295ab3f93fb289a902d984dedb797f99a497ebb6b3a0002b069b0a2

Download Submit
memory/1764-494-0x000000001B1D0000-0x000000001B1E2000-memory.dmp

Filesize
72KB

Download
memory/3712-14-0x000000001CC10000-0x000000001D138000-memory.dmp

Filesize
5.2MB

Download
memory/3712-0-0x00007FFC653D3000-0x00007FFC653D5000-memory.dmp

Filesize
8KB

Download
memory/3712-266-0x00007FFC653D0000-0x00007FFC65E91000-memory.dmp

Filesize
10.8MB

Download
memory/3712-8-0x0000000002F50000-0x0000000002F5A000-memory.dmp

Filesize
40KB

Download
memory/3712-179-0x00007FFC653D3000-0x00007FFC653D5000-memory.dmp

Filesize
8KB

Download
memory/3712-16-0x000000001C370000-0x000000001C37A000-memory.dmp

Filesize
40KB

Download
memory/3712-17-0x000000001C380000-0x000000001C38E000-memory.dmp

Filesize
56KB

Download
memory/3712-18-0x000000001C390000-0x000000001C398000-memory.dmp

Filesize
32KB

Download
memory/3712-20-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

Filesize
48KB

Download
memory/3712-19-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

Filesize
48KB

Download
memory/3712-15-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

Filesize
48KB

Download
memory/3712-6-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3712-1-0x0000000000BF0000-0x0000000000DDA000-memory.dmp

Filesize
1.9MB

Download
memory/3712-203-0x00007FFC653D0000-0x00007FFC65E91000-memory.dmp

Filesize
10.8MB

Download
memory/3712-13-0x000000001C180000-0x000000001C192000-memory.dmp

Filesize
72KB

Download
memory/3712-10-0x0000000002F60000-0x0000000002F6C000-memory.dmp

Filesize
48KB

Download
memory/3712-11-0x000000001C170000-0x000000001C178000-memory.dmp

Filesize
32KB

Download
memory/3712-9-0x000000001C120000-0x000000001C176000-memory.dmp

Filesize
344KB

Download
memory/3712-3-0x0000000002EF0000-0x0000000002F0C000-memory.dmp

Filesize
112KB

Download
memory/3712-2-0x00007FFC653D0000-0x00007FFC65E91000-memory.dmp

Filesize
10.8MB

Download
memory/3712-4-0x000000001C0D0000-0x000000001C120000-memory.dmp

Filesize
320KB

Download
memory/3712-5-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/3712-7-0x0000000002F30000-0x0000000002F46000-memory.dmp

Filesize
88KB

Download
memory/4472-281-0x0000023C1F0C0000-0x0000023C1F0E2000-memory.dmp

Filesize
136KB

Download
memory/4852-481-0x000000001B1F0000-0x000000001B202000-memory.dmp

Filesize
72KB

Download
memory/4852-480-0x0000000000230000-0x000000000041A000-memory.dmp

Filesize
1.9MB

Download
memory/5264-506-0x000000001C3C0000-0x000000001C416000-memory.dmp

Filesize
344KB

Download