1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Size

1.9MB
MD5

28e39f9d02ebd13216c240dff7276a30
SHA1

255206f138148168b57856ecff22fa1d08e857eb
SHA256

0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26
SHA512

fb4d52179efa3bd1aa83ffc9bc592393a999b2c6c847365e0e4108b10000c6bed9f621bc584650b66a5ecb165b8b372f15d7b780ef5ee9ea99f6dcb502f42d6a
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2856	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2856	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
2644	powershell.exe
1300	powershell.exe
2636	powershell.exe
2108	powershell.exe
1016	powershell.exe
2400	powershell.exe
1724	powershell.exe
1944	powershell.exe
2028	powershell.exe
1636	powershell.exe
352	powershell.exe
1552	powershell.exe
2440	powershell.exe
2024	powershell.exe
2240	powershell.exe
1328	powershell.exe
1672	powershell.exe
2412	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Executes dropped EXE 9 IoCs

pid	Process
1920	System.exe
2216	System.exe
1668	System.exe
2812	System.exe
1300	System.exe
1848	System.exe
3008	System.exe
1820	System.exe
2148	System.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\0C0A\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Windows\System32\0C0A\886983d96e3d3e	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\System32\0C0A\RCXCB16.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\System32\0C0A\RCXCB17.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\System32\0C0A\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXDCA4.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cc11b995f2a76d	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD192.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Update\wininit.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\85abf5cd7e6af9	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\smss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\RCXD81D.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RCXE796.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\27d1bcfc3c54e0	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\lsass.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXD618.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\RCXD81E.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\smss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXDF17.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE11B.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\42af1c969fbb7b	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\RCXC912.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXD193.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RCXE797.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\RCXC8A4.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXDCA3.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXDEA8.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXE11A.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Google\Update\56085415360792	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\69ddcba757bf72	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Program Files (x86)\Google\Update\wininit.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXD619.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\System\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\886983d96e3d3e	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXDA90.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\RCXE31F.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXDA22.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\Vss\Writers\System\csrss.exe	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\RCXE320.tmp	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
2576	schtasks.exe
1612	schtasks.exe
2208	schtasks.exe
1508	schtasks.exe
1028	schtasks.exe
2684	schtasks.exe
2956	schtasks.exe
1896	schtasks.exe
1428	schtasks.exe
1396	schtasks.exe
2236	schtasks.exe
1364	schtasks.exe
1636	schtasks.exe
1036	schtasks.exe
972	schtasks.exe
1004	schtasks.exe
1860	schtasks.exe
1692	schtasks.exe
1556	schtasks.exe
3004	schtasks.exe
900	schtasks.exe
2456	schtasks.exe
1288	schtasks.exe
2564	schtasks.exe
2620	schtasks.exe
2700	schtasks.exe
2788	schtasks.exe
1700	schtasks.exe
1532	schtasks.exe
1296	schtasks.exe
596	schtasks.exe
1300	schtasks.exe
2216	schtasks.exe
1716	schtasks.exe
700	schtasks.exe
776	schtasks.exe
560	schtasks.exe
2880	schtasks.exe
2584	schtasks.exe
1548	schtasks.exe
2820	schtasks.exe
2120	schtasks.exe
2072	schtasks.exe
960	schtasks.exe
996	schtasks.exe
2768	schtasks.exe
1984	schtasks.exe
1644	schtasks.exe
1668	schtasks.exe
1068	schtasks.exe
904	schtasks.exe
3060	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
1636	powershell.exe
352	powershell.exe
2024	powershell.exe
1672	powershell.exe
2636	powershell.exe
2412	powershell.exe
2108	powershell.exe
2400	powershell.exe
1552	powershell.exe
2644	powershell.exe
1724	powershell.exe
2440	powershell.exe
1016	powershell.exe
2028	powershell.exe
2072	powershell.exe
1944	powershell.exe
2240	powershell.exe
1300	powershell.exe
1328	powershell.exe
1920	System.exe
2216	System.exe
1668	System.exe
2812	System.exe
1300	System.exe
1848	System.exe
3008	System.exe
1820	System.exe
2148	System.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1920	System.exe
Token: SeDebugPrivilege	2216	System.exe
Token: SeDebugPrivilege	1668	System.exe
Token: SeDebugPrivilege	2812	System.exe
Token: SeDebugPrivilege	1300	System.exe
Token: SeDebugPrivilege	1848	System.exe
Token: SeDebugPrivilege	3008	System.exe
Token: SeDebugPrivilege	1820	System.exe
Token: SeDebugPrivilege	2148	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 1016	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	86
PID 2988 wrote to memory of 1016	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	86
PID 2988 wrote to memory of 1016	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	86
PID 2988 wrote to memory of 2024	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	87
PID 2988 wrote to memory of 2024	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	87
PID 2988 wrote to memory of 2024	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	87
PID 2988 wrote to memory of 1636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	88
PID 2988 wrote to memory of 1636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	88
PID 2988 wrote to memory of 1636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	88
PID 2988 wrote to memory of 2108	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	90
PID 2988 wrote to memory of 2108	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	90
PID 2988 wrote to memory of 2108	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	90
PID 2988 wrote to memory of 2400	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	91
PID 2988 wrote to memory of 2400	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	91
PID 2988 wrote to memory of 2400	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	91
PID 2988 wrote to memory of 2412	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	92
PID 2988 wrote to memory of 2412	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	92
PID 2988 wrote to memory of 2412	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	92
PID 2988 wrote to memory of 2240	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	94
PID 2988 wrote to memory of 2240	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	94
PID 2988 wrote to memory of 2240	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	94
PID 2988 wrote to memory of 2636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	96
PID 2988 wrote to memory of 2636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	96
PID 2988 wrote to memory of 2636	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	96
PID 2988 wrote to memory of 352	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	98
PID 2988 wrote to memory of 352	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	98
PID 2988 wrote to memory of 352	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	98
PID 2988 wrote to memory of 1672	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	100
PID 2988 wrote to memory of 1672	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	100
PID 2988 wrote to memory of 1672	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	100
PID 2988 wrote to memory of 2028	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	101
PID 2988 wrote to memory of 2028	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	101
PID 2988 wrote to memory of 2028	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	101
PID 2988 wrote to memory of 1944	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	102
PID 2988 wrote to memory of 1944	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	102
PID 2988 wrote to memory of 1944	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	102
PID 2988 wrote to memory of 1724	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	103
PID 2988 wrote to memory of 1724	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	103
PID 2988 wrote to memory of 1724	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	103
PID 2988 wrote to memory of 1300	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	104
PID 2988 wrote to memory of 1300	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	104
PID 2988 wrote to memory of 1300	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	104
PID 2988 wrote to memory of 2644	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	105
PID 2988 wrote to memory of 2644	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	105
PID 2988 wrote to memory of 2644	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	105
PID 2988 wrote to memory of 2440	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	106
PID 2988 wrote to memory of 2440	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	106
PID 2988 wrote to memory of 2440	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	106
PID 2988 wrote to memory of 2072	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	107
PID 2988 wrote to memory of 2072	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	107
PID 2988 wrote to memory of 2072	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	107
PID 2988 wrote to memory of 1328	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	108
PID 2988 wrote to memory of 1328	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	108
PID 2988 wrote to memory of 1328	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	108
PID 2988 wrote to memory of 1552	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	110
PID 2988 wrote to memory of 1552	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	110
PID 2988 wrote to memory of 1552	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	110
PID 2988 wrote to memory of 1920	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	124
PID 2988 wrote to memory of 1920	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	124
PID 2988 wrote to memory of 1920	2988	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe	124
PID 1920 wrote to memory of 2160	1920	System.exe	125
PID 1920 wrote to memory of 2160	1920	System.exe	125
PID 1920 wrote to memory of 2160	1920	System.exe	125
PID 1920 wrote to memory of 2304	1920	System.exe	126

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe
"C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\0C0A\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
  "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d36edfe-e771-4539-968b-0e8eb9955233.vbs"
    3⤵
    PID:2160
  - - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
      "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4eaed1c-afa8-4146-b5da-ec6b9479ce65.vbs"
        5⤵
        
        PID:2460
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27542174-ca69-4279-9371-a7739e81b0fd.vbs"
        7⤵
        
        PID:2336
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d88c202-fc3e-4a3f-8179-7ac112244715.vbs"
        9⤵
        
        PID:448
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdc84331-f6ed-4777-aad2-9b2200bb63ce.vbs"
        11⤵
        
        PID:2212
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce41cabf-48f9-49fe-a66e-f40174c10a2f.vbs"
        13⤵
        
        PID:608
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42483290-79ff-45e7-8709-f973105c57b2.vbs"
        15⤵
        
        PID:1152
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccdd84c5-3906-48be-832b-d2d01725faff.vbs"
        17⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffae32b5-68ce-4386-8012-f906738ffff3.vbs"
        19⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aefe4bb6-908e-4792-9eea-d2cd2d0a20a7.vbs"
        19⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3fefb8-ac7a-420e-8913-5e35b59dbdec.vbs"
        17⤵
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3df60d6e-36b6-4307-9515-9474bf68e6e6.vbs"
        15⤵
        
        PID:484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2535700f-1590-4254-a1e4-92dbfb00c312.vbs"
        13⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b591af26-6916-495f-80d8-cd5f0d61510b.vbs"
        11⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4352d8-5d7c-4776-b028-8a746e974131.vbs"
        9⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e0a5a7-6a9a-44c0-9eea-f549dbab70e1.vbs"
        7⤵
        
        PID:3036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75fd292f-9776-4cad-99d8-4d42f5ff1357.vbs"
        5⤵
        
        PID:2788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55d20366-b6a7-4896-8b70-591342085572.vbs"
    3⤵
    PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\0C0A\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\0C0A\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\0C0A\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b260" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b260" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\wininit.exe

Filesize
1.9MB

MD5
b89040609166552c7ec8aa8d0b7db6cc

SHA1
3a5accecca61695abf8ccb2e4ac9832330fec2e8

SHA256
a3ab498459281b7ded0541fdf3fa30a221a533e89030d9168d92d52efec7a785

SHA512
0f45c0a93959a9300c1b52bd66fe5dc2ee2fc249a87c4b1d428c269d99b246b4d9243301a0b1213f4aa422a5c3ccd73300321106b4149701fbcfc0606ba947c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe

Filesize
1.9MB

MD5
2249778a34cb526896163c5ea67d2c85

SHA1
d3a7337847b830ffcd7908bc0ed455a9b5a24044

SHA256
2923fcdc5bfbc31ad902b0726d0c1c6bb098a512b75bc805e70acab7644449d1

SHA512
cc84e5955c59142a83058b213ab1412c311e1f43f9ca665fe5d1195dc17dd56804d8a445311eacc55240afff457e9bc9099d2806d8f6bf6c0c8a7baf6455909d

Download Submit
C:\ProgramData\Microsoft Help\winlogon.exe

Filesize
1.9MB

MD5
48822784f253c89c356fcb7ab4489985

SHA1
d28e84dfcda34446131c568ef8109cd068ae1724

SHA256
b1ce2523ed80f5a16d97a9a6c52a639b06109d7544064dcc5a7e6b13a9e48088

SHA512
c3a0ef0e31a458d7bd3dd49709d6a644907480d88f93a3a7546adc0bbec6c88808561e3f084a0af12685c0ddd366801fc74118248c4016f785b43c7428143cae

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe

Filesize
1.9MB

MD5
fd1cdb31c5e3a6eee020d6b3a32965f8

SHA1
c764b823e4cc0ca31366cd473202924e6ff5872a

SHA256
4dae2d2e071771f087e2e875f006b4705e34165f5f592b0a9f84e288494d2624

SHA512
36f3146f8b971249387bb1341f1729f152ce8cd7ed2e2c3fc6f13ab72c4609d85f4b224dcb94ba7dd540709fb247cd149ce272332c99b369c227d1fd84a160f7

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe

Filesize
1.9MB

MD5
de6b21708944c38165982b77eb131746

SHA1
ceaf832dca429e5d9c81fc486db4e5823648e0e8

SHA256
9d01a4e38b136814bc11698fc6a69ac0a33e5ae53dbdc1b032f17aa4edab34d3

SHA512
7b2d16436be4c817ff257b6c8b1800a1a09a526a1be4ace21fe075bea208ea8b07635691a0223d5fb06cf6173a4c6ee794b9e0aa5b0ed3dbc08a9f2d485067ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\27542174-ca69-4279-9371-a7739e81b0fd.vbs

Filesize
757B

MD5
20532463dd5c0bb56299823c801e1a77

SHA1
cbc92c76b7a665288918b4ff682ac957782d9bf1

SHA256
510f32879b346586d1083b5c9801e6b8a0c746817093c599e910bb4019f0b231

SHA512
f890533e3d4a2e6abd258ea6b9a0c0cb92c38aab7cb749a9e57d2709834ab81ece71a4c3c50cb4a5b19ce437d5bf910e3e59fa374887ff18694ebf8b39056efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\42483290-79ff-45e7-8709-f973105c57b2.vbs

Filesize
757B

MD5
0a0a09bbd08af5587b3d4d1c0a00e18e

SHA1
dee2a56ab000dc1d4f2be1ef3ce24665c50f4ecf

SHA256
6827a4d8cc3570a454ffe7d77ea1394db3fd3a137925784bdc545b3450ca31f9

SHA512
045114e0f697e85d4b442314a9ccabf3f3ebb799774942bdde5bd8cacdf2ea353d6e944674513c22a002c97486c1c95ad4c37017030f8b88767cedc8d564d7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\55d20366-b6a7-4896-8b70-591342085572.vbs

Filesize
533B

MD5
ea7c01d8c4ac18cc45f4ace52d4d2160

SHA1
f7897354966e7d03df500b6a61aeb2e39da62b5d

SHA256
d960de447dae3fc1bbc3548e6bcae4e55d0a700455348f5212404921886db39a

SHA512
f5da48ac352b38229f791ceb9c67d5bc8483c152393819ed5b3de8e3bba7cd2b3175edd00799d0a39221c3d803be43a5688a85007003b086b534a1c0caf066fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d36edfe-e771-4539-968b-0e8eb9955233.vbs

Filesize
757B

MD5
7d21d21d0ff804aabb596df5ceaa107e

SHA1
a8e516a4b6f6a78e3e2c113c01fb35738116fe7b

SHA256
c59ebf2b127fc9b0aa8056bc602d61c4c501e41485bf88ba087033988a848527

SHA512
faa4616cdc7cb5feced550a60a180c0c30db2eaba925463c67f9441acab679fb4774756e19bd63ea9fbbf080092f61caf45cb60539927a6d542f912a4dec3872

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d88c202-fc3e-4a3f-8179-7ac112244715.vbs

Filesize
757B

MD5
72f1cfb764076c35a9fc0c4e48913ef9

SHA1
1e61324e75b12e08ca4c0ae2d18da438c7961fd1

SHA256
4d7e1e7c107439eff74b931eaff3e8a0c970be8cd4a39269e4c8097465fc03e7

SHA512
042266f0360fb4d0b58cb322843873b16071fe545acafec25fd1831d4b618908c21c4ba2e7d670c34cdee3b5262f08055ca132b8bec65f4c960c91b63c380625

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4eaed1c-afa8-4146-b5da-ec6b9479ce65.vbs

Filesize
757B

MD5
cefda2e18e21307c1f34df21f0e81a82

SHA1
fb704cf09530b958349583506e55ab9127550ee8

SHA256
00af901bdf8e39f7a891e68cbd85aea24a5da3b9b3c1d3f1e31e6a8794aad408

SHA512
3b4ebaabc71b6235764a1f90b31169e32efe834aa0fde5a1d32e85ec0237a529ce7ea802207e24886fd69e0c0a56f6a79fe9590767a501e6e48f5adf24d7e374

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdc84331-f6ed-4777-aad2-9b2200bb63ce.vbs

Filesize
757B

MD5
68854ef80abc9a5e003345066733a0ba

SHA1
84ddfff0ffc7cab7102f0a100dc85cd3d73b89ee

SHA256
bb3b41d4db87a7daa1cd866803807df02ce50a52e12b23890d0ea976c9522ac3

SHA512
719fb6e088ec64fdc5e6fead382f62707ab9fc719af127dd92b95304129e88929150a91c31d32c45a643a18e4648f845024dcb7f4244edc1c4253ba1780a1235

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccdd84c5-3906-48be-832b-d2d01725faff.vbs

Filesize
757B

MD5
f5ca11cb6e1d8e58413f786ec39c871e

SHA1
df13e20daec2a1a33ee359eb9f2dc6091e4b3886

SHA256
71417628f9ca95d7c39bd11d622a2f5ebe37a4970fe093ef00478ac0da445a26

SHA512
c12e677452c6d331b7accd15d2a761a76d96f7584fc44ad39428e11338cc79ce511c42b9e13a9d4de338edae64f97ef66d4ad708426939983ec437cc84d1ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce41cabf-48f9-49fe-a66e-f40174c10a2f.vbs

Filesize
757B

MD5
952a7cde86be963be6694fee24895fed

SHA1
a0ff437764d546338ae3902f955e8a1626a8928d

SHA256
7267537bf2d4e4922729c7152a67535eac6152ac73a3b7aba600508a154a5b28

SHA512
95a85dbb6af91b0a9e955c64cf605a63108de28ffd43c66519ed00763caf3f3470601dad83923eee1b74570a62551af3089ce3a9217ebacc032b51f96dc7546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffae32b5-68ce-4386-8012-f906738ffff3.vbs

Filesize
757B

MD5
5f0fb09be624d8ca27f4a89110d6cf2c

SHA1
5c8380b6b0146a696f2fd021c389de73f3017de7

SHA256
05bd4759aa937ab8e89ae3d82a303b0705eed6ecc14c46def4048978dde33abe

SHA512
609793f3cce43d8478b7565105a9cdce881df584994785a2404b066f659bb9b8d6d0895114118fd5449a5710eac21be5b4c6c8a8d91a7015a792d38c483cb717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7439d9ab6951ca332e71d0fd2a7fdb54

SHA1
872eb2b9157e27199131a2de546cec8f8f97cc96

SHA256
62720555c7bc5b6fd52eb914e795693936da78d155281c49c8cfe2b12d9561c1

SHA512
17bd6548908c8a1c6d0ae25ec8e8bda290b3a166bfae6585f43a4ece9eb3e4c08295dede114e60f3fbf286d2ff2a988c59b8e7ee0653e5e323a6628dc7be0e49

Download Submit
C:\Users\Public\Pictures\Sample Pictures\services.exe

Filesize
1.9MB

MD5
f930e7df1961a2c131b8029512f34edd

SHA1
48038d6f9d73e1561fb43f0e78df649499599308

SHA256
2ad9c0587b8e8b280eda7f8fda766cd0d76687fc9cff82b0cec6897abc958096

SHA512
9f28f59b127a152b566950bd83a93b53436e4aae0e572f584396257bdc383ececaa1ad53862f3cfe59244187df302db1424557f827a3bdd7700bfc7c19e2e7be

Download Submit
C:\Windows\System32\0C0A\csrss.exe

Filesize
1.9MB

MD5
28e39f9d02ebd13216c240dff7276a30

SHA1
255206f138148168b57856ecff22fa1d08e857eb

SHA256
0ac60987a11110a0175e7d0fb4a0b8dc87352c2cdec3dd27ad2d980cce8b4b26

SHA512
fb4d52179efa3bd1aa83ffc9bc592393a999b2c6c847365e0e4108b10000c6bed9f621bc584650b66a5ecb165b8b372f15d7b780ef5ee9ea99f6dcb502f42d6a

Download Submit
C:\Windows\Vss\Writers\System\csrss.exe

Filesize
1.9MB

MD5
3bfca1b833bc226e7cd41469ee8a2058

SHA1
a042fdd4d82d85225685943f4725843d36ee9858

SHA256
dab933b9ca5e4e3465ab3b0a88832689f51a00c5814ad96348b7fe150f162232

SHA512
e09ce5d4ea46e619018d00cd9d5cee60549e7507fe37841c55285e45f71385063c3577d0109c6ebea9f035e61a2a7daa1f3a3f46432530f8802233e3aaded33a

Download Submit
memory/1300-420-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1636-316-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1636-318-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/1820-457-0x00000000004F0000-0x0000000000546000-memory.dmp

Filesize
344KB

Download
memory/1820-456-0x00000000010B0000-0x000000000129A000-memory.dmp

Filesize
1.9MB

Download
memory/1848-432-0x0000000000190000-0x000000000037A000-memory.dmp

Filesize
1.9MB

Download
memory/1920-375-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/1920-319-0x0000000000C80000-0x0000000000E6A000-memory.dmp

Filesize
1.9MB

Download
memory/2216-386-0x00000000013D0000-0x00000000015BA000-memory.dmp

Filesize
1.9MB

Download
memory/2988-7-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2988-6-0x0000000000680000-0x0000000000696000-memory.dmp

Filesize
88KB

Download
memory/2988-317-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-199-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/2988-18-0x000000001A9C0000-0x000000001A9CC000-memory.dmp

Filesize
48KB

Download
memory/2988-10-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2988-9-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2988-13-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2988-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2988-14-0x00000000024C0000-0x00000000024CA000-memory.dmp

Filesize
40KB

Download
memory/2988-223-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2988-8-0x000000001AFF0000-0x000000001B046000-memory.dmp

Filesize
344KB

Download
memory/2988-5-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2988-15-0x00000000024D0000-0x00000000024DE000-memory.dmp

Filesize
56KB

Download
memory/2988-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2988-1-0x00000000000B0000-0x000000000029A000-memory.dmp

Filesize
1.9MB

Download
memory/2988-3-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2988-16-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2988-17-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/2988-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-444-0x00000000008A0000-0x0000000000A8A000-memory.dmp

Filesize
1.9MB

Download