e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff2e9336d217437b4cca77856867f1b.exe
Size

1.9MB
MD5

bff2e9336d217437b4cca77856867f1b
SHA1

99f8ea54c8fc0cd346a9e068ed4e697e6f6ec264
SHA256

a6a8385b2dfec8b247a806f97a08878ee058b8155cb43f6b61924d849b0c608a
SHA512

3bcd140119ec7035d36bd714e2f0069a5df017ed5c2356bd233e22b845a07fc3aecc9851e88bcfbbad92184ccf3e500cce10734fa2949beba40c7d7d99ce3655
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6028	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2960	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	2960	schtasks.exe	89

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe
4992	powershell.exe
4892	powershell.exe
4844	powershell.exe
4780	powershell.exe
4896	powershell.exe
4824	powershell.exe
4840	powershell.exe
5316	powershell.exe
3004	powershell.exe
3564	powershell.exe
4724	powershell.exe
4884	powershell.exe
4740	powershell.exe
4812	powershell.exe
1396	powershell.exe
4888	powershell.exe
3484	powershell.exe
3412	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bff2e9336d217437b4cca77856867f1b.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	bff2e9336d217437b4cca77856867f1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 9 IoCs

pid	Process
2416	explorer.exe
1048	explorer.exe
656	explorer.exe
5116	explorer.exe
5524	explorer.exe
2744	explorer.exe
5836	explorer.exe
5964	explorer.exe
3004	explorer.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bff2e9336d217437b4cca77856867f1b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4740_303449538\eddb19405b7ce1	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\eddb19405b7ce1	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files\edge_BITS_4740_303449538\RCX82DF.tmp	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\RCX87F3.tmp	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files\edge_BITS_4740_303449538\RCX82DE.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX93A5.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX9414.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\services.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\RCX8871.tmp	bff2e9336d217437b4cca77856867f1b.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CbsTemp\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\twain_32\0a1fd5f707cd16	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\SKB\RCX6FC3.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\twain_32\RCX7247.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\SKB\9e8d7a4ca61bd9	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\twain_32\sppsvc.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\CbsTemp\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\CbsTemp\9e8d7a4ca61bd9	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX9938.tmp	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\SKB\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\SKB\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\twain_32\RCX7217.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\CbsTemp\RCX747A.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\CbsTemp\RCX747B.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX9937.tmp	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\ServiceState\unsecapp.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\SKB\RCX6FF3.tmp	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\twain_32\sppsvc.exe	bff2e9336d217437b4cca77856867f1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	bff2e9336d217437b4cca77856867f1b.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe
3624	schtasks.exe
4128	schtasks.exe
5184	schtasks.exe
2980	schtasks.exe
4740	schtasks.exe
1520	schtasks.exe
3296	schtasks.exe
4792	schtasks.exe
3916	schtasks.exe
3988	schtasks.exe
868	schtasks.exe
60	schtasks.exe
5040	schtasks.exe
4696	schtasks.exe
3216	schtasks.exe
1700	schtasks.exe
5944	schtasks.exe
2912	schtasks.exe
5548	schtasks.exe
4976	schtasks.exe
3696	schtasks.exe
3036	schtasks.exe
5108	schtasks.exe
752	schtasks.exe
2824	schtasks.exe
4360	schtasks.exe
4476	schtasks.exe
4844	schtasks.exe
4964	schtasks.exe
4916	schtasks.exe
452	schtasks.exe
2396	schtasks.exe
5196	schtasks.exe
2908	schtasks.exe
404	schtasks.exe
4780	schtasks.exe
5028	schtasks.exe
5112	schtasks.exe
5832	schtasks.exe
3364	schtasks.exe
5288	schtasks.exe
4352	schtasks.exe
4068	schtasks.exe
4884	schtasks.exe
4228	schtasks.exe
4736	schtasks.exe
6028	schtasks.exe
4264	schtasks.exe
4172	schtasks.exe
5984	schtasks.exe
2428	schtasks.exe
4632	schtasks.exe
4892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
1260	bff2e9336d217437b4cca77856867f1b.exe
3484	powershell.exe
3484	powershell.exe
3564	powershell.exe
3564	powershell.exe
4824	powershell.exe
4824	powershell.exe
4740	powershell.exe
4740	powershell.exe
5316	powershell.exe
4888	powershell.exe
5316	powershell.exe
4888	powershell.exe
3004	powershell.exe
3004	powershell.exe
4780	powershell.exe
4780	powershell.exe
3412	powershell.exe
3412	powershell.exe
4992	powershell.exe
4992	powershell.exe
4840	powershell.exe
4840	powershell.exe
4876	powershell.exe
4876	powershell.exe
4896	powershell.exe
4896	powershell.exe
1396	powershell.exe
1396	powershell.exe
4812	powershell.exe
4812	powershell.exe
4892	powershell.exe
4892	powershell.exe
4844	powershell.exe
4844	powershell.exe
4724	powershell.exe
4724	powershell.exe
4884	powershell.exe
4884	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	bff2e9336d217437b4cca77856867f1b.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	5316	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2416	explorer.exe
Token: SeDebugPrivilege	1048	explorer.exe
Token: SeDebugPrivilege	656	explorer.exe
Token: SeDebugPrivilege	5116	explorer.exe
Token: SeDebugPrivilege	5524	explorer.exe
Token: SeDebugPrivilege	2744	explorer.exe
Token: SeDebugPrivilege	5836	explorer.exe
Token: SeDebugPrivilege	5964	explorer.exe
Token: SeDebugPrivilege	3004	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3484	1260	bff2e9336d217437b4cca77856867f1b.exe	150
PID 1260 wrote to memory of 3484	1260	bff2e9336d217437b4cca77856867f1b.exe	150
PID 1260 wrote to memory of 3412	1260	bff2e9336d217437b4cca77856867f1b.exe	151
PID 1260 wrote to memory of 3412	1260	bff2e9336d217437b4cca77856867f1b.exe	151
PID 1260 wrote to memory of 5316	1260	bff2e9336d217437b4cca77856867f1b.exe	152
PID 1260 wrote to memory of 5316	1260	bff2e9336d217437b4cca77856867f1b.exe	152
PID 1260 wrote to memory of 3004	1260	bff2e9336d217437b4cca77856867f1b.exe	153
PID 1260 wrote to memory of 3004	1260	bff2e9336d217437b4cca77856867f1b.exe	153
PID 1260 wrote to memory of 3564	1260	bff2e9336d217437b4cca77856867f1b.exe	154
PID 1260 wrote to memory of 3564	1260	bff2e9336d217437b4cca77856867f1b.exe	154
PID 1260 wrote to memory of 4876	1260	bff2e9336d217437b4cca77856867f1b.exe	155
PID 1260 wrote to memory of 4876	1260	bff2e9336d217437b4cca77856867f1b.exe	155
PID 1260 wrote to memory of 4992	1260	bff2e9336d217437b4cca77856867f1b.exe	156
PID 1260 wrote to memory of 4992	1260	bff2e9336d217437b4cca77856867f1b.exe	156
PID 1260 wrote to memory of 4740	1260	bff2e9336d217437b4cca77856867f1b.exe	157
PID 1260 wrote to memory of 4740	1260	bff2e9336d217437b4cca77856867f1b.exe	157
PID 1260 wrote to memory of 4724	1260	bff2e9336d217437b4cca77856867f1b.exe	158
PID 1260 wrote to memory of 4724	1260	bff2e9336d217437b4cca77856867f1b.exe	158
PID 1260 wrote to memory of 4824	1260	bff2e9336d217437b4cca77856867f1b.exe	159
PID 1260 wrote to memory of 4824	1260	bff2e9336d217437b4cca77856867f1b.exe	159
PID 1260 wrote to memory of 4780	1260	bff2e9336d217437b4cca77856867f1b.exe	160
PID 1260 wrote to memory of 4780	1260	bff2e9336d217437b4cca77856867f1b.exe	160
PID 1260 wrote to memory of 4840	1260	bff2e9336d217437b4cca77856867f1b.exe	161
PID 1260 wrote to memory of 4840	1260	bff2e9336d217437b4cca77856867f1b.exe	161
PID 1260 wrote to memory of 1396	1260	bff2e9336d217437b4cca77856867f1b.exe	162
PID 1260 wrote to memory of 1396	1260	bff2e9336d217437b4cca77856867f1b.exe	162
PID 1260 wrote to memory of 4888	1260	bff2e9336d217437b4cca77856867f1b.exe	163
PID 1260 wrote to memory of 4888	1260	bff2e9336d217437b4cca77856867f1b.exe	163
PID 1260 wrote to memory of 4884	1260	bff2e9336d217437b4cca77856867f1b.exe	164
PID 1260 wrote to memory of 4884	1260	bff2e9336d217437b4cca77856867f1b.exe	164
PID 1260 wrote to memory of 4896	1260	bff2e9336d217437b4cca77856867f1b.exe	165
PID 1260 wrote to memory of 4896	1260	bff2e9336d217437b4cca77856867f1b.exe	165
PID 1260 wrote to memory of 4892	1260	bff2e9336d217437b4cca77856867f1b.exe	166
PID 1260 wrote to memory of 4892	1260	bff2e9336d217437b4cca77856867f1b.exe	166
PID 1260 wrote to memory of 4812	1260	bff2e9336d217437b4cca77856867f1b.exe	167
PID 1260 wrote to memory of 4812	1260	bff2e9336d217437b4cca77856867f1b.exe	167
PID 1260 wrote to memory of 4844	1260	bff2e9336d217437b4cca77856867f1b.exe	168
PID 1260 wrote to memory of 4844	1260	bff2e9336d217437b4cca77856867f1b.exe	168
PID 1260 wrote to memory of 64	1260	bff2e9336d217437b4cca77856867f1b.exe	188
PID 1260 wrote to memory of 64	1260	bff2e9336d217437b4cca77856867f1b.exe	188
PID 64 wrote to memory of 2480	64	cmd.exe	190
PID 64 wrote to memory of 2480	64	cmd.exe	190
PID 64 wrote to memory of 2416	64	cmd.exe	191
PID 64 wrote to memory of 2416	64	cmd.exe	191
PID 2416 wrote to memory of 3856	2416	explorer.exe	192
PID 2416 wrote to memory of 3856	2416	explorer.exe	192
PID 2416 wrote to memory of 1504	2416	explorer.exe	193
PID 2416 wrote to memory of 1504	2416	explorer.exe	193
PID 3856 wrote to memory of 1048	3856	WScript.exe	199
PID 3856 wrote to memory of 1048	3856	WScript.exe	199
PID 1048 wrote to memory of 3304	1048	explorer.exe	200
PID 1048 wrote to memory of 3304	1048	explorer.exe	200
PID 1048 wrote to memory of 1324	1048	explorer.exe	201
PID 1048 wrote to memory of 1324	1048	explorer.exe	201
PID 3304 wrote to memory of 656	3304	WScript.exe	205
PID 3304 wrote to memory of 656	3304	WScript.exe	205
PID 656 wrote to memory of 1700	656	explorer.exe	206
PID 656 wrote to memory of 1700	656	explorer.exe	206
PID 656 wrote to memory of 2704	656	explorer.exe	207
PID 656 wrote to memory of 2704	656	explorer.exe	207
PID 1700 wrote to memory of 5116	1700	WScript.exe	208
PID 1700 wrote to memory of 5116	1700	WScript.exe	208
PID 5116 wrote to memory of 5260	5116	explorer.exe	209
PID 5116 wrote to memory of 5260	5116	explorer.exe	209

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe
"C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YRqxpRRaJk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2480
- - C:\Recovery\WindowsRE\explorer.exe
    "C:\Recovery\WindowsRE\explorer.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27be504a-209a-4e67-a716-09affe1e3758.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1048
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170faaa4-6f76-4dc0-af6f-aafa19ba7060.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0999950e-6d55-4757-ae34-8639e59e7a5a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f20da170-df34-4eb7-adfc-34443541ac7e.vbs"
        10⤵
        
        PID:5260
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644142ce-b798-44ab-b172-d7285c1da5db.vbs"
        12⤵
        
        PID:2784
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bff4396-2f37-4b6b-85f0-98fb36c10c92.vbs"
        14⤵
        
        PID:5880
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba8a7ea-50b0-4a1b-86c8-a620fe7a9e13.vbs"
        16⤵
        
        PID:4620
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e2aba12-9f72-4e25-a11c-68a2983d49b8.vbs"
        18⤵
        
        PID:2584
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c344c0ea-9273-4fbc-bd26-f8c066fcc8f0.vbs"
        20⤵
        
        PID:5360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73f35e40-be71-4734-8135-65ee112bc5c0.vbs"
        20⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7236df32-1d00-4262-a4ff-d5698dd04482.vbs"
        18⤵
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b93a9e44-b37c-4f3e-aeb8-420be9f09cc0.vbs"
        16⤵
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ca22dd-ca68-4a0e-b9fb-7336a54609ae.vbs"
        14⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e478b1b-df4d-4482-b017-f447b7b002a5.vbs"
        12⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a595d31-3de3-4494-a4ca-1217ea0095be.vbs"
        10⤵
        
        PID:980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adc20643-8a85-44a0-858e-5ec19021ec0a.vbs"
        8⤵
        
        PID:2704
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bee8ddb-8817-4c92-9ed3-4714b130ba24.vbs"
        6⤵
        
        PID:1324
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf7277d-6fb5-46fa-a2bc-97df767ec89d.vbs"
      4⤵
      PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\7330c8a20692d0b35002ea5a\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4740_303449538\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\f170d29a37c9c9775251\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7330c8a20692d0b35002ea5a\fontdrvhost.exe

Filesize
1.9MB

MD5
ce796032752004297ca6dc6363bbbe53

SHA1
5c78f209845d76b963633aade8e80c166ae7aca9

SHA256
14d6e69f9844a5108bb806ed79cd72c6f9ebff493b9f02784c43d16ac8b4b004

SHA512
7ffbcf4150935208cc3697d59cf68921d5fc5eff2a423fb9bbf0149471505c0d219b20c081fe8f1ed9c6203662c9f0595b7a7079160cec11dad9497eaf6959ed

Download Submit
C:\Program Files (x86)\Internet Explorer\uk-UA\RCX87F3.tmp

Filesize
1.9MB

MD5
5cdfd847c19f65f4f96eeb3deed9d088

SHA1
d57a6f0c25f270ef6c95f43e5d682297b971904f

SHA256
ac4a44ad5ec3001707ce976b7fb839ec7a57b16b9e5c5d61e18856bcc235e46c

SHA512
f19861f59b522c4b1e8a90925d074113339d232b5ee17e81f5a74c06b057498d0cb61f7f33b4052aa749849f9e1124ca48074a754f052bae6b0bfd980b7b6a3f

Download Submit
C:\Program Files (x86)\Windows Portable Devices\services.exe

Filesize
1.9MB

MD5
98434eeaef338d85445da278fcd203fe

SHA1
d443d657ee2dfc6c12c61b230f0e8f57af668a7a

SHA256
d15eac15aa1cc49519a173e64eba533df2f26c7e815fbd64992a109c43bc5e9b

SHA512
eefb1d5cc6b10c3df8c53681f0dfdf5bfe297f301a4fab1f2eeef3335de9801fc645044e99dabb607fe16678f0f447068a5cd921c44dfb8350d52e5ad13145fb

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.9MB

MD5
b49d298d771d31f9f8dc1fbd42e042b1

SHA1
f70f63a1d02cd40d8c9116424637d6b3b982da47

SHA256
441c647d2a5117223bf7afdc98a4255741772927ce000adc79831a368c7c0300

SHA512
4f3d9424ce4f7910607b3238bfa4ab8a0a47082e44822f67d557f8335d01b1f6e51e8463931b4023aeee0098b2118b0a0161a7af6dc0bf37332d19a307ae5de8

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.9MB

MD5
47dcf9bfdbd45db1a6a5281544e6e539

SHA1
0cb8c0911245e2108a5472ae75668a2aef8018a4

SHA256
744f71b040a03fc27ef26e37eab9b042ef40bab3be2e5e32e33f9dee177c9b7d

SHA512
65cf894b016ee6a941d235ea87b1d20ed28bc6151f76b5f5759e54ab30b9fe68eb9beec82f26a3700865240be67592cfb02f9e728d15c2865ce436d6ca5272ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4dc87ccf902315ae810a02ad6da2560d

SHA1
5a186cac0cbea9f5a324a37ed83cf314b10e43ba

SHA256
4d31649cefe0891080d41588f38713e227ae0025679f064a9f3c5ee52f1dc591

SHA512
0b0c8316fa611d32e6c68f6cae6850144c3da5983ccc59056cc8acce5527ec963db5da4b34b92f5255567e0ca136cf1544e60d795ae2351d915f85cf13427ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c0794eb6cf5b2d712229ecf2e4b88b30

SHA1
b89867908fec1639dc81e5ad829f6d55e7d1f55d

SHA256
f6c8aea17fba021256de757cd05f64166d399c969be14b601bb4e885e9b99916

SHA512
3f365bf6b792c2a56519aad37d02dc2b7f3bd73dc843fa422c9647b3ede46eecf00da98d4ea4b4c92fa2981c1ad5bd4052eb8b3d5a1251c8cbc971093b526db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f6c280dd50f43ba753a6199446a4e32

SHA1
0a23d883d0148af5390b2f9bbf67beb84a6bf551

SHA256
5a2fc253dcd892f06a25b8a9795bc82c8dfefb9d68425e1aae8d5edde7c4b1ee

SHA512
0e2ccad087adcd517d698213a83d4f6467c496057df1eace2c0997984346f5cbe368fa25d1ccd1b45d0f60f6a3a2c2f4fbe1be61635311be07952c7af102e2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
452593747a6f6f0b2e08d8502e1ec6e7

SHA1
027c3a7f5f18e7a1e96bbf2a3d3c267e72821836

SHA256
495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d

SHA512
17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5298af510096b88490b00b468206c966

SHA1
afc8d92a832bf530001e9d7bce0a917067b1a753

SHA256
d1dae534bb9fc91682d16c2a30657cf3eafa4db82fec8d1477dde2d0e9af5a18

SHA512
9653df3b73599ad282259e3990d18b4e56f556d6fbc33697293503cc88738473245f7507b571059460ce57e6267219bc7b95ed1e90c198d0726a13b91427419e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1324e7a4e3e6cfc7ee7add0391f0b9

SHA1
19117163248a95e5ceb83b6dc8c21e396f33bcaf

SHA256
a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52

SHA512
6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\0999950e-6d55-4757-ae34-8639e59e7a5a.vbs

Filesize
709B

MD5
37f696652e27ca18186e00a7ba0b8570

SHA1
20d1c9f9faed7d2b0751042a1604931d7cf18ce8

SHA256
22e01dbdb0c7ae1ec738fcb2dde91a8d36faa3588d98eb6c0c53118866d34a16

SHA512
ed09d4ce3d4d5b283693abe235d1e64147e515fa3d8540783d52d9ff8d486efb0238d01a42ab72f1c42104ca09e86b4db8d0e7529295a7d570e2fb981ff51de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\170faaa4-6f76-4dc0-af6f-aafa19ba7060.vbs

Filesize
710B

MD5
c7e29dad03fa1fbfe6a49bf6b4551e61

SHA1
d6b545632d08f033d7291069d80f6ff659fefe84

SHA256
949588572654199fe02d28ff16b7163b6ccc4e5223e5d3796041d79a438679ed

SHA512
bed311f5617f7215064ad1a04eec6c8cc9ee815dcf6fb3b050bf1b45fcab4e611713e524e17828a0232359c7c2eadef6c7aafee3a47ffc3aeff0a1283d9ac7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\27be504a-209a-4e67-a716-09affe1e3758.vbs

Filesize
710B

MD5
0d1e284ea0b321114032299e72af0b9d

SHA1
d9c5e70ebe37dd01c99def10242080cdc53ebaba

SHA256
1db05ae5c3ccb7669b3102f9c4b2cd9b8bebed5117e7947b8cf36ff98a8a20d7

SHA512
2df253f79d0b2abc27f5a77f97ab0443858f90d5c615290e3acaf73f855d0e765f95bb37e8d9e0998caa20e66d79f6607cdc505382976aeb43cf0b102721c6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bff4396-2f37-4b6b-85f0-98fb36c10c92.vbs

Filesize
710B

MD5
ea2d6ba3c89663718260916d98f42205

SHA1
7486962b2080dee9ad173b21bdc827458ec6d386

SHA256
04a9b436e74c6e808b91609bb1b3dac356d91f3ad159b2891a158220964f83e0

SHA512
7daddbcb16de0db2ed19d3c3cd5919239d41a51f50ac3ca04e0c63e9dbc7e5219c228ebd2fc8e0bfc8526dc3fd0d046970895b97ef686d6eac60edc582b4788f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ba8a7ea-50b0-4a1b-86c8-a620fe7a9e13.vbs

Filesize
710B

MD5
f22d239e05b2d4063f2becaef21586b5

SHA1
4d84227d6dae69e55917e2fbec80c9dbaa4cf2aa

SHA256
73f79900184c4f10e6e9d966e68048ea1bc0a2a0560c17c7b8531b40257e0be2

SHA512
ee67218aeb00f23ccfb58241f4797e26ed93aeca777c54f9aa0a17695a9ac6cfc4373040e9d8a7863ca6d50a7308f2056619c3db9c3e94d4c5c63ac758565184

Download Submit
C:\Users\Admin\AppData\Local\Temp\644142ce-b798-44ab-b172-d7285c1da5db.vbs

Filesize
710B

MD5
ff34a27bf2da32385af18c98d84220a0

SHA1
5025fcb94e942b3ff122d1dbaa8984f43825bfaa

SHA256
87ced978281d997d9c174cdf8ee635acc0aaea2a353c0f91294c77b0f90a67b1

SHA512
f0173c800aed2450c7ae552d57680420052b2a67b66704c1bb9279e4b60cf96bad50e6174544c1d620f85c999d947596fee4a9aaff6f52e302af2a1c529cd39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e2aba12-9f72-4e25-a11c-68a2983d49b8.vbs

Filesize
710B

MD5
ac164785352f489447fba1a544d73760

SHA1
18162114642773a153481e8a2093e10dcf2df83b

SHA256
a42b6641adc800673b8bc138f6e4094f977e754bd98650dfc6da99b7da449e53

SHA512
5d9b12055c61bc0325bc28e00334fb2612c1a7087c08ec57249b39e71f65c07523fab28b6f49daa43c9bc2bf63c3460da8ee989e3198803085f99b5902765a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bf7277d-6fb5-46fa-a2bc-97df767ec89d.vbs

Filesize
486B

MD5
10b4ad307c96850e52d100581e4f814b

SHA1
ed29ed03e42cfb3c5bd8b1d5149f2a9281538e1e

SHA256
16d12bf6f083d89f54d3c7b774e65aa092be51e34b7eb311806f6006378014dc

SHA512
823676c1032779f4b76d6bf8ca73cf54dba2986fa1c0c1c8adf80de606617ee8937efccf35e544fef4b3e38c98e20a52bca50b8bdc42fcfe4a176402a4c15181

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRqxpRRaJk.bat

Filesize
199B

MD5
06d811fec3808a4e650846f2cfceb028

SHA1
637ea180dee73fd59770dc7866b55cdaa593dba2

SHA256
4d84a1e9be0264abfe07415d6ca7d7a361e90345148fa391289b0c73f0b6982b

SHA512
c994d41c0cc07ff63f0bbfb6da4a99b2be165c122b69ed51e4949afa599e8b87351339c763a79dcd01ef9f6208802d8f600db535916ed8ac8fa088f7ac4aeae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lrvpmqp.cbc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c344c0ea-9273-4fbc-bd26-f8c066fcc8f0.vbs

Filesize
710B

MD5
503ce4752c734f5c8c3d2a782b619c1b

SHA1
7e6ef9d755963499d2f4ecf4209ea204a0c05b85

SHA256
5dae61f096ce0d86055a82a06c6adb018ce2fd1b949ba8f58c5ebcb595d92118

SHA512
9960be5988cb32fdfebb9c712a5c084508a2c1e925b61c720e7a1ca7e505e5425e92adda5d990cb4d228db931108f801282078ad721f1d70b3d84ed1a96cb328

Download Submit
C:\Users\Admin\AppData\Local\Temp\f20da170-df34-4eb7-adfc-34443541ac7e.vbs

Filesize
710B

MD5
de978bae2964e403f3b5539ef4dc0b9c

SHA1
d2d1bbb85d5825f3ce3717e1b22256d06f6cdabe

SHA256
d44126eb4140f4680d53a81ff98b210b44cf0279f74284dedcf01be6ba05f671

SHA512
32cb8d5d91ce97dc92cd5b1a06999a9a143c122cb82230e4c0fb20fe89af92db462dea4e81d5650788becc962aa3c83f15b3130d03bd4be5ec289981bd288fd0

Download Submit
C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe

Filesize
1.9MB

MD5
bff2e9336d217437b4cca77856867f1b

SHA1
99f8ea54c8fc0cd346a9e068ed4e697e6f6ec264

SHA256
a6a8385b2dfec8b247a806f97a08878ee058b8155cb43f6b61924d849b0c608a

SHA512
3bcd140119ec7035d36bd714e2f0069a5df017ed5c2356bd233e22b845a07fc3aecc9851e88bcfbbad92184ccf3e500cce10734fa2949beba40c7d7d99ce3655

Download Submit
C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe

Filesize
1.9MB

MD5
52eb9855a8b50b2f0c9ebf545f05f54c

SHA1
c39a0750f4fe4e794b7d8dadb6661dbad06b2231

SHA256
8767a6c92bf9f3ea83955d02b6a2ee0f434bbda804555349f193304efb06a335

SHA512
6a62c42e338ed9a6c43f8febc58a8e2ce0de076f3fe58fafec917c1f9572a2eb67a55a6015aac72a49d697d3a765ee19a2fbf83b40d8855982e9584e5a6b29fd

Download Submit
C:\f170d29a37c9c9775251\csrss.exe

Filesize
1.9MB

MD5
1f85a2d544ffee1f9f36669f952e99f9

SHA1
9cca2eb07e0bf461f7e400def271cc1035603b91

SHA256
d2ae01b7dda10b3d0227ae7871e54c530b9fe4cf4f0c89c975afcc2a48b12d73

SHA512
6dc6622e7f072d9047be480bbc5db2aab977ca58c9e649b8a36cb4d21fd3e4e31d6f58968dd21d8085f03b1fcc303d84315ce2472b7e521eeb360be5926561b7

Download Submit
memory/656-518-0x000000001B5E0000-0x000000001B5F2000-memory.dmp

Filesize
72KB

Download
memory/1260-275-0x00007FFE9BEC0000-0x00007FFE9C981000-memory.dmp

Filesize
10.8MB

Download
memory/1260-11-0x0000000002E20000-0x0000000002E28000-memory.dmp

Filesize
32KB

Download
memory/1260-0-0x00007FFE9BEC3000-0x00007FFE9BEC5000-memory.dmp

Filesize
8KB

Download
memory/1260-211-0x00007FFE9BEC0000-0x00007FFE9C981000-memory.dmp

Filesize
10.8MB

Download
memory/1260-188-0x00007FFE9BEC3000-0x00007FFE9BEC5000-memory.dmp

Filesize
8KB

Download
memory/1260-20-0x000000001C000000-0x000000001C00C000-memory.dmp

Filesize
48KB

Download
memory/1260-16-0x000000001BFC0000-0x000000001BFCA000-memory.dmp

Filesize
40KB

Download
memory/1260-17-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

Filesize
56KB

Download
memory/1260-18-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

Filesize
32KB

Download
memory/1260-19-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/1260-15-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/1260-14-0x000000001C940000-0x000000001CE68000-memory.dmp

Filesize
5.2MB

Download
memory/1260-1-0x00000000009B0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/1260-2-0x00007FFE9BEC0000-0x00007FFE9C981000-memory.dmp

Filesize
10.8MB

Download
memory/1260-13-0x0000000002E30000-0x0000000002E42000-memory.dmp

Filesize
72KB

Download
memory/1260-3-0x0000000002C90000-0x0000000002CAC000-memory.dmp

Filesize
112KB

Download
memory/1260-10-0x0000000002D00000-0x0000000002D0C000-memory.dmp

Filesize
48KB

Download
memory/1260-9-0x000000001B8A0000-0x000000001B8F6000-memory.dmp

Filesize
344KB

Download
memory/1260-4-0x000000001B840000-0x000000001B890000-memory.dmp

Filesize
320KB

Download
memory/1260-6-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/1260-5-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/1260-7-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

Filesize
88KB

Download
memory/1260-8-0x0000000002CF0000-0x0000000002CFA000-memory.dmp

Filesize
40KB

Download
memory/2416-494-0x000000001B8B0000-0x000000001B8C2000-memory.dmp

Filesize
72KB

Download
memory/2416-493-0x00000000009F0000-0x0000000000BDA000-memory.dmp

Filesize
1.9MB

Download
memory/3484-282-0x000002008C5B0000-0x000002008C5D2000-memory.dmp

Filesize
136KB

Download
memory/5116-530-0x0000000002E90000-0x0000000002EE6000-memory.dmp

Filesize
344KB

Download
memory/5524-542-0x0000000002A30000-0x0000000002A86000-memory.dmp

Filesize
344KB

Download
memory/5964-576-0x00000000034C0000-0x0000000003516000-memory.dmp

Filesize
344KB

Download