8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
93s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Size

1.9MB
MD5

2084c9d26206ec07c2dc65d1167ee1be
SHA1

ff37b5b781c17b3de200bbc1f68530370b4110a9
SHA256

cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320
SHA512

99740d059fc3cd37fad78ddacd9c149eabb519c7e043cb01cfa92884724bbce326dc9f9d4b716d85b222a6580e1c75ae437680752bf565135a5de9ceee226f44
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3608	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3608	schtasks.exe	89

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3860	powershell.exe
4348	powershell.exe
4332	powershell.exe
1512	powershell.exe
5016	powershell.exe
1852	powershell.exe
4412	powershell.exe
1060	powershell.exe
680	powershell.exe
652	powershell.exe
4964	powershell.exe
3944	powershell.exe
4936	powershell.exe
3440	powershell.exe
448	powershell.exe
2832	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 6 IoCs

pid	Process
1016	sihost.exe
2620	sihost.exe
3556	sihost.exe
1996	sihost.exe
2732	sihost.exe
5144	sihost.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Icons\Idle.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\e6c9b481da804f	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXA9B6.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXA9C6.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX9F0F.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX9F10.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Windows\L2Schemas\69ddcba757bf72	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Windows\Performance\WinSAT\DataStore\eddb19405b7ce1	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Windows\L2Schemas\RCX9824.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Windows\L2Schemas\smss.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File created	C:\Windows\L2Schemas\smss.exe	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
File opened for modification	C:\Windows\L2Schemas\RCX9823.tmp	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4152	schtasks.exe
3820	schtasks.exe
804	schtasks.exe
1556	schtasks.exe
1584	schtasks.exe
3928	schtasks.exe
532	schtasks.exe
4504	schtasks.exe
4652	schtasks.exe
1892	schtasks.exe
2560	schtasks.exe
772	schtasks.exe
4936	schtasks.exe
1256	schtasks.exe
4668	schtasks.exe
2272	schtasks.exe
4108	schtasks.exe
3888	schtasks.exe
4076	schtasks.exe
264	schtasks.exe
2916	schtasks.exe
1440	schtasks.exe
4420	schtasks.exe
3056	schtasks.exe
3880	schtasks.exe
2000	schtasks.exe
3480	schtasks.exe
3468	schtasks.exe
2368	schtasks.exe
5112	schtasks.exe
1680	schtasks.exe
4492	schtasks.exe
4980	schtasks.exe
3976	schtasks.exe
4320	schtasks.exe
3156	schtasks.exe
3212	schtasks.exe
3964	schtasks.exe
1508	schtasks.exe
2340	schtasks.exe
1400	schtasks.exe
2832	schtasks.exe
620	schtasks.exe
400	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
3440	powershell.exe
3440	powershell.exe
4332	powershell.exe
4332	powershell.exe
4348	powershell.exe
4348	powershell.exe
3860	powershell.exe
3860	powershell.exe
2832	powershell.exe
2832	powershell.exe
3944	powershell.exe
3944	powershell.exe
4936	powershell.exe
4936	powershell.exe
448	powershell.exe
448	powershell.exe
680	powershell.exe
680	powershell.exe
1060	powershell.exe
1060	powershell.exe
4412	powershell.exe
4412	powershell.exe
652	powershell.exe
652	powershell.exe
1512	powershell.exe
1512	powershell.exe
5016	powershell.exe
5016	powershell.exe
4964	powershell.exe
4964	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
448	powershell.exe
3440	powershell.exe
3440	powershell.exe
652	powershell.exe
680	powershell.exe
4348	powershell.exe
4348	powershell.exe
3860	powershell.exe
2832	powershell.exe
3860	powershell.exe
4332	powershell.exe
4332	powershell.exe
1060	powershell.exe
3944	powershell.exe
3944	powershell.exe
5016	powershell.exe
4936	powershell.exe
4412	powershell.exe
1512	powershell.exe
4964	powershell.exe
1016	sihost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1016	sihost.exe
Token: SeDebugPrivilege	2620	sihost.exe
Token: SeDebugPrivilege	3556	sihost.exe
Token: SeDebugPrivilege	1996	sihost.exe
Token: SeDebugPrivilege	2732	sihost.exe
Token: SeDebugPrivilege	5144	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3440	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	140
PID 4020 wrote to memory of 3440	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	140
PID 4020 wrote to memory of 448	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	141
PID 4020 wrote to memory of 448	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	141
PID 4020 wrote to memory of 3860	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	142
PID 4020 wrote to memory of 3860	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	142
PID 4020 wrote to memory of 3944	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	143
PID 4020 wrote to memory of 3944	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	143
PID 4020 wrote to memory of 4964	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	144
PID 4020 wrote to memory of 4964	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	144
PID 4020 wrote to memory of 652	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	145
PID 4020 wrote to memory of 652	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	145
PID 4020 wrote to memory of 680	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	146
PID 4020 wrote to memory of 680	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	146
PID 4020 wrote to memory of 4936	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	147
PID 4020 wrote to memory of 4936	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	147
PID 4020 wrote to memory of 1852	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	148
PID 4020 wrote to memory of 1852	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	148
PID 4020 wrote to memory of 5016	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	149
PID 4020 wrote to memory of 5016	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	149
PID 4020 wrote to memory of 1512	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	150
PID 4020 wrote to memory of 1512	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	150
PID 4020 wrote to memory of 4332	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	151
PID 4020 wrote to memory of 4332	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	151
PID 4020 wrote to memory of 4348	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	152
PID 4020 wrote to memory of 4348	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	152
PID 4020 wrote to memory of 1060	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	153
PID 4020 wrote to memory of 1060	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	153
PID 4020 wrote to memory of 2832	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	154
PID 4020 wrote to memory of 2832	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	154
PID 4020 wrote to memory of 4412	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	155
PID 4020 wrote to memory of 4412	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	155
PID 4020 wrote to memory of 3548	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	172
PID 4020 wrote to memory of 3548	4020	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe	172
PID 3548 wrote to memory of 5616	3548	cmd.exe	174
PID 3548 wrote to memory of 5616	3548	cmd.exe	174
PID 3548 wrote to memory of 1016	3548	cmd.exe	176
PID 3548 wrote to memory of 1016	3548	cmd.exe	176
PID 1016 wrote to memory of 5296	1016	sihost.exe	177
PID 1016 wrote to memory of 5296	1016	sihost.exe	177
PID 1016 wrote to memory of 5372	1016	sihost.exe	178
PID 1016 wrote to memory of 5372	1016	sihost.exe	178
PID 5296 wrote to memory of 2620	5296	WScript.exe	180
PID 5296 wrote to memory of 2620	5296	WScript.exe	180
PID 2620 wrote to memory of 4048	2620	sihost.exe	181
PID 2620 wrote to memory of 4048	2620	sihost.exe	181
PID 2620 wrote to memory of 5992	2620	sihost.exe	182
PID 2620 wrote to memory of 5992	2620	sihost.exe	182
PID 4048 wrote to memory of 3556	4048	WScript.exe	191
PID 4048 wrote to memory of 3556	4048	WScript.exe	191
PID 3556 wrote to memory of 4584	3556	sihost.exe	192
PID 3556 wrote to memory of 4584	3556	sihost.exe	192
PID 3556 wrote to memory of 3080	3556	sihost.exe	193
PID 3556 wrote to memory of 3080	3556	sihost.exe	193
PID 4584 wrote to memory of 1996	4584	WScript.exe	194
PID 4584 wrote to memory of 1996	4584	WScript.exe	194
PID 1996 wrote to memory of 5788	1996	sihost.exe	195
PID 1996 wrote to memory of 5788	1996	sihost.exe	195
PID 1996 wrote to memory of 3884	1996	sihost.exe	196
PID 1996 wrote to memory of 3884	1996	sihost.exe	196
PID 5788 wrote to memory of 2732	5788	WScript.exe	197
PID 5788 wrote to memory of 2732	5788	WScript.exe	197
PID 2732 wrote to memory of 1068	2732	sihost.exe	198
PID 2732 wrote to memory of 1068	2732	sihost.exe	198

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe
"C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPsZFR4eV5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5616
- - C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
    "C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1016
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a90d0b9-ae40-45c9-963f-eddbaa1a854a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5296
    - - C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2620
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff1a6200-fcd3-4e00-a789-3994cce0a6b9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d349ae62-a97f-49f4-a822-f04fdcbdf0b4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\511c832c-4f65-4152-93ec-684175c9c8f3.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5788
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63aa2e76-cc4c-405a-85e0-e1693617bb25.vbs"
        12⤵
        
        PID:1068
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\febb1bd2-8063-41a0-bf49-195711eef2b7.vbs"
        14⤵
        
        PID:5440
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        15⤵
        
        PID:5544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f092b15-9d21-4e44-8621-a5cda8a21f91.vbs"
        16⤵
        
        PID:4012
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        17⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ad52389-5b8f-45e9-9996-d1b74c85dd0a.vbs"
        18⤵
        
        PID:4916
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe
        19⤵
        
        PID:5612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b45462-7911-4618-b7aa-952540271234.vbs"
        20⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1e5dc8-fcdb-49e3-bf36-173d8b5fdac6.vbs"
        20⤵
        
        PID:4692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13ac983-01a6-4dbf-8b08-f7e7daf04f01.vbs"
        18⤵
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\485a713a-9fe7-41b3-81b1-c96dd59a1292.vbs"
        16⤵
        
        PID:3976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82c0965e-0d96-4a4b-a78e-2cb8d9471cae.vbs"
        14⤵
        
        PID:5976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98790a82-6dfc-4fa3-a528-ade5d42fac30.vbs"
        12⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72ca0348-30d3-4f9b-9fbc-2e78bfadb5a8.vbs"
        10⤵
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5cfcb4-2ee1-41db-a14f-07d1868097eb.vbs"
        8⤵
        
        PID:3080
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773035c8-b25e-4940-8ae5-9508d65c18c4.vbs"
        6⤵
        
        PID:5992
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1222bc2-b9b5-49f1-8cd8-3044e0bcf139.vbs"
      4⤵
      PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caf46b906a58e37d9a9d5830cca40ef7

SHA1
ba5b7fc4d909707ac0b0d23b0474a4ce4be344ea

SHA256
616b72a430081d6878826dc6ea2f1e4d3c890a7e084049fcaf30dcd2147727fd

SHA512
ba93462da88fea2be2fb3eecae32597c6c0248e77c6e05b43e0573a040f0784364e7abafede416c9eec466d9446a03d940628c977c45751b987a5da69c14ed00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ec1de5af22ee94e2a00a91da98957bd

SHA1
0ade5098be757a47adb6d5d0dbf576bcf41d6253

SHA256
540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

SHA512
8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69ced0a44ced088c3954d6ae03796e7

SHA1
ef4cac17b8643fb57424bb56907381a555a8cb92

SHA256
49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

SHA512
15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acb0e0db180c73954955309f90c91376

SHA1
c27f2c17cfa4fd4a92174eb548aacf6606814cf4

SHA256
10c4266a001dde473f229f0ad24a3ba938d703f7c80debe52f6f49d3441cc849

SHA512
6fffb653f2da467d9d0cec17d2a39c6bd89321c5193a093547f20af70f7f74800045273860165543779a9298c9bbace104f8710bc1557ff9a31d6cbec3a298fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68bf9e6d0adb2ef3481ca14096fb649c

SHA1
16ca4ae4e06b787cb7ce84d9520fe27d09800063

SHA256
f450abac163b8b6e1390084d47356b54bfcde6c0411924907d24c727e964025e

SHA512
3dee6b307cb014ada181e92e2358f40eebfd3c7e19ee3f33ffbe7a600f4052a73a8120d64eb51639ae23d64c94ad7fc60fda740f6c7487ff8285602dd24a024c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
524dc4216ee09facc7e63e372240789e

SHA1
60287bcf81563ab138f4a9d8a33b16653608d4d8

SHA256
33fc078810df83c5cb05c92f92df887ef30bcd553805d8fc58ed9badf8353a16

SHA512
5834f8c1ba0148b99d6b59303405c6713fd933b31429ba0030752f8003901c50eafde985473928cca8d4bf4b22ac196e52f376db823b0ddda49b0d45272e2c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc05a4f71923730b4eed5cb63f86aeed

SHA1
798199489ad94c55021a92ec812b320ed90b5711

SHA256
557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650

SHA512
fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b

Download Submit
C:\Users\Admin\AppData\Local\Temp\26b45462-7911-4618-b7aa-952540271234.vbs

Filesize
722B

MD5
24696a75f3a4e4f406498ab4f814e4d5

SHA1
22af814245301314f0d52846329e229bb8634989

SHA256
0aca2f2930dd6387a5c456d63a31668a06611c03de1ea0902ababf48fdad092b

SHA512
f3afb3a2dcb4b3342c75366fe392efe020b7473f05d8759c6e2fa3e465b7a847ffdff77613d50a0124b3606996a957491d5cba2ec16e0204cdf3b9a29c0e3717

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ad52389-5b8f-45e9-9996-d1b74c85dd0a.vbs

Filesize
721B

MD5
0e75ad5b3a03432117d0ea59eb67ddb0

SHA1
952d94425978e01ddacd66bca7112f5232c01ea8

SHA256
3b2f00fd12a9b4749369f55917a4831acc02e625466263fe7098ec71025eb2e2

SHA512
fe42d96644e578320015112be09b37868e827e5e22a1c03707a850a2d3281027c68740f8cf5bbf8f8046186fac5a2fe900480964114ce373cc8c0f4bc67dda19

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a90d0b9-ae40-45c9-963f-eddbaa1a854a.vbs

Filesize
722B

MD5
5319c2f304a4986362359858e1c4fb09

SHA1
616058c1c90373f2faa75bf9deb2f28f0e22ebb6

SHA256
48f4aaf6523945bc5b4a366de0ec1186dbce9cd5d0389d2c99ba510c80c7b9e1

SHA512
b2cadfe5e7c6d7e0b5f185082f50e8242b62d8d415f3b32191508bf872045cb861c6569ee35e00c3f6fa7acb37428bce93e6535b6927fdb82dfd8dd60f9a7aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\511c832c-4f65-4152-93ec-684175c9c8f3.vbs

Filesize
722B

MD5
57fdd97d46e65a57840956bc6cddeef3

SHA1
560ee074d08628f830f430188bfa5c664023d097

SHA256
d044d9a2ebc4e7579e1af1f0bb4eedaf3f7df42ac44c94332522c25d03734e9b

SHA512
2b07c7908ae5134667dce3aaaf822eddf7ae28543434afd038ff333aff26bd7b3cba0f800492433fed6a1a00b9c05ad68946025350feef9a13b44029c6e89a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\63aa2e76-cc4c-405a-85e0-e1693617bb25.vbs

Filesize
722B

MD5
83767b9f6d54bccaa05b4cd799fc8c32

SHA1
da9de5661ecaf1768531a7619c8e698498958b61

SHA256
dc129293233cd0cd78e12db46c1128ee20ec29bd36ad60e13cb7bb56cc88fbbd

SHA512
7422a06e497dc393ff63112675f5a6642c4f34c209e07d03dfb691b62193ede4391df9f5b89e98eb73497981a0da1d1463c9b621954867a7f2039f910b55f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f092b15-9d21-4e44-8621-a5cda8a21f91.vbs

Filesize
722B

MD5
fc56e1dd19786bc39cdf1b3f614505f2

SHA1
d44eae781df7c123ee56927481fc1572e9674c4a

SHA256
94f38b0d5cb34aec04a8823469473f449fa83c3ad64426901f444427485b8ed0

SHA512
370a99c8d664a242f12e41d635f57d8d69c44f59e8a3d489bd047b69166251c16b29160c88473138c6a3a9a9f839262f4e5dd6bf974f9a6dfa2138763f6fc194

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lq3wiw0.zaz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1222bc2-b9b5-49f1-8cd8-3044e0bcf139.vbs

Filesize
498B

MD5
1fdd5d5f7589362a60d3f34aa9fd5412

SHA1
42187e05ceafc7b10c833a6cde0ba9bd4fdbaa11

SHA256
7e7754be5794159bfbbfa0605cdc417423c3646314862036f2709d744d7869e9

SHA512
1b9ccf9e7029739c591a70e655269f1a619f2ecf5ca7834d7648e0d1d35c92748365ef39ff0e25541051c15372c937a5de78f1e8944bf70f240794dc89e776ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\d349ae62-a97f-49f4-a822-f04fdcbdf0b4.vbs

Filesize
722B

MD5
04da55602999dcd9745f8abf9bcbd3d8

SHA1
0ed57b5a376a499661b18923220d98de7cb02eb5

SHA256
62f83112d774c20c47b12c44ba3caef6bb544539d15d848bf61523d77a11be2f

SHA512
58bcf60498de853b8ad9c4b156ae73b75beca39bccdb5c3abbaa5081822257300007f3fdaaf10a9b770c383fad78b0b67424e88f54576878fb899ee72e93fc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\febb1bd2-8063-41a0-bf49-195711eef2b7.vbs

Filesize
722B

MD5
9813a58dd77044b3ed5f5910e8dbd4ba

SHA1
2b01033077058186415a7324d0d95fbec2a2dfad

SHA256
a287dda603fe4a5e758b49776a4de4aef2edb8e43ea271f7d0c1ed74c01417c1

SHA512
0e0ee50d611b3168c740c6cdc9cafa3960621992463b5eeb4ab9f9cd455fe22b33ee9d7c126ffa913025ec9133bbc0f469b9c50aced21e472e8396a60fb02d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff1a6200-fcd3-4e00-a789-3994cce0a6b9.vbs

Filesize
722B

MD5
fc1971882f8482627d83fb9694c00094

SHA1
ca401ee8a2ceb295d2c7a00252b55307019569b4

SHA256
1112ea5ccc2e8f5d9d445407fd68010a7b281b2b282a59a5ccca6297f92b9a5c

SHA512
e35ad4935f2c202ca396cba09ad9a39796499d43f15c5842a551989c5690eb6435bbee6c79ff7c6aee9442a1489c7935fb302d23f30c59b2eb17f742e1bc5661

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPsZFR4eV5.bat

Filesize
211B

MD5
cb12ac141ff81ee4366f35826bb55d18

SHA1
0f1b788ac5ad55f6bfbe86a6a8719d052b76b333

SHA256
11e37bd579ff7c619fed78f394abf395ba9fd3d6f3280f7ec26bb43ba6bcc4eb

SHA512
53ce7d30f14c470717d589f2726323abebfc9e53a0c05e1e645799bb4b5dd8c9151e4f9f9f6358ef2069638d4288fd1732c40a978fb4141a0eb9081c1c725037

Download Submit
C:\Users\Public\Libraries\RuntimeBroker.exe

Filesize
1.9MB

MD5
b72e239135a1672a9b95303c178115f8

SHA1
5abb0608116dd685a9495d73bc2476285c6f143c

SHA256
6c9e601e80a94c70a0f857f3e2b3e9b67bfe87fd4b1ac5e815de6952dfc9a14c

SHA512
cd6626031a8536c5996261529cf78e9a1a562b07fe8520e7639e740fa0b6077bb4e6fb86fe2946630ccde4c92d816141b0d45268972ff8569d377d0f5b0d79de

Download Submit
C:\Windows\L2Schemas\smss.exe

Filesize
1.9MB

MD5
2084c9d26206ec07c2dc65d1167ee1be

SHA1
ff37b5b781c17b3de200bbc1f68530370b4110a9

SHA256
cc22848f9c8ba8d38a385083ea8fad7840189caeb94ebf9e1f1b6fda829f0320

SHA512
99740d059fc3cd37fad78ddacd9c149eabb519c7e043cb01cfa92884724bbce326dc9f9d4b716d85b222a6580e1c75ae437680752bf565135a5de9ceee226f44

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\sihost.exe

Filesize
1.9MB

MD5
2b61f1a3ce5888defaf3946ac53825c6

SHA1
bb5768ddba5756c99fe727e3337f56489bb6a1de

SHA256
7f651d9ffe44535e68adb65b8f32d859249a6e9e17d4124d2423026a1db880c6

SHA512
e6e6573d243b258161e785d09bf92690ad33a20dc67fb9fee4e960b1b4ee0701f19164992462d27e7df513559d9570df55f9bffa3119da314bf90d91149d3aa3

Download Submit
memory/1016-423-0x0000000000680000-0x000000000086A000-memory.dmp

Filesize
1.9MB

Download
memory/1016-424-0x000000001BA00000-0x000000001BA56000-memory.dmp

Filesize
344KB

Download
memory/3440-244-0x000001E8FF290000-0x000001E8FF2B2000-memory.dmp

Filesize
136KB

Download
memory/3556-448-0x000000001AE10000-0x000000001AE22000-memory.dmp

Filesize
72KB

Download
memory/4020-11-0x000000001B3D0000-0x000000001B3D8000-memory.dmp

Filesize
32KB

Download
memory/4020-14-0x000000001BEF0000-0x000000001C418000-memory.dmp

Filesize
5.2MB

Download
memory/4020-186-0x00007FFB7E8F3000-0x00007FFB7E8F5000-memory.dmp

Filesize
8KB

Download
memory/4020-16-0x000000001B670000-0x000000001B67A000-memory.dmp

Filesize
40KB

Download
memory/4020-17-0x000000001B680000-0x000000001B68E000-memory.dmp

Filesize
56KB

Download
memory/4020-19-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/4020-18-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/4020-10-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

Filesize
48KB

Download
memory/4020-274-0x00007FFB7E8F0000-0x00007FFB7F3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-15-0x000000001B3F0000-0x000000001B3FC000-memory.dmp

Filesize
48KB

Download
memory/4020-210-0x00007FFB7E8F0000-0x00007FFB7F3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-13-0x000000001B3E0000-0x000000001B3F2000-memory.dmp

Filesize
72KB

Download
memory/4020-20-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/4020-9-0x000000001B450000-0x000000001B4A6000-memory.dmp

Filesize
344KB

Download
memory/4020-3-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/4020-0-0x00007FFB7E8F3000-0x00007FFB7E8F5000-memory.dmp

Filesize
8KB

Download
memory/4020-5-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/4020-6-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/4020-8-0x000000001B3B0000-0x000000001B3BA000-memory.dmp

Filesize
40KB

Download
memory/4020-7-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/4020-4-0x000000001B400000-0x000000001B450000-memory.dmp

Filesize
320KB

Download
memory/4020-2-0x00007FFB7E8F0000-0x00007FFB7F3B1000-memory.dmp

Filesize
10.8MB

Download
memory/4020-1-0x0000000000060000-0x000000000024A000-memory.dmp

Filesize
1.9MB

Download