6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
143s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192f0f1221e376146e725a4d23ee69a0.exe
Size

1.9MB
MD5

192f0f1221e376146e725a4d23ee69a0
SHA1

9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256

019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512

daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5752	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5848	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	5760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	5760	schtasks.exe	87

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5416	powershell.exe
4340	powershell.exe
924	powershell.exe
5172	powershell.exe
2224	powershell.exe
5676	powershell.exe
5372	powershell.exe
3992	powershell.exe
3816	powershell.exe
428	powershell.exe
5248	powershell.exe
5788	powershell.exe
3396	powershell.exe
5300	powershell.exe
3984	powershell.exe
5340	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	192f0f1221e376146e725a4d23ee69a0.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	192f0f1221e376146e725a4d23ee69a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 4 IoCs

pid	Process
1240	csrss.exe
4348	csrss.exe
1364	csrss.exe
2376	csrss.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\eddb19405b7ce1	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA8.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\Common Files\RCX95D3.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\Common Files\backgroundTaskHost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D8.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E7.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E8.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\6203df4a6bafc7	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9D59.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9DC8.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\RCX9FCD.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\edge_BITS_4648_225925476\RCXA2AE.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\edge_BITS_4648_225925476\5b884080fd4f94	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\RCX9FCC.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\edge_BITS_4648_225925476\RCXA1E2.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\f3b6ecef712a24	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\9e8d7a4ca61bd9	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\Common Files\RCX9564.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D7.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\Common Files\eddb19405b7ce1	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\Common Files\backgroundTaskHost.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\5b884080fd4f94	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA7.tmp	192f0f1221e376146e725a4d23ee69a0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\INF\csrss.exe	192f0f1221e376146e725a4d23ee69a0.exe
File created	C:\Windows\INF\886983d96e3d3e	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Windows\INF\RCX9A5A.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Windows\INF\RCX9AD8.tmp	192f0f1221e376146e725a4d23ee69a0.exe
File opened for modification	C:\Windows\INF\csrss.exe	192f0f1221e376146e725a4d23ee69a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	192f0f1221e376146e725a4d23ee69a0.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4772	schtasks.exe
4452	schtasks.exe
1212	schtasks.exe
3460	schtasks.exe
4768	schtasks.exe
4460	schtasks.exe
4624	schtasks.exe
4932	schtasks.exe
3944	schtasks.exe
3924	schtasks.exe
4140	schtasks.exe
4972	schtasks.exe
5756	schtasks.exe
5924	schtasks.exe
5564	schtasks.exe
5916	schtasks.exe
4596	schtasks.exe
4712	schtasks.exe
4888	schtasks.exe
4164	schtasks.exe
3100	schtasks.exe
4484	schtasks.exe
4372	schtasks.exe
4584	schtasks.exe
4880	schtasks.exe
6068	schtasks.exe
4432	schtasks.exe
5752	schtasks.exe
4388	schtasks.exe
4796	schtasks.exe
2816	schtasks.exe
4416	schtasks.exe
2120	schtasks.exe
6076	schtasks.exe
4692	schtasks.exe
1412	schtasks.exe
4940	schtasks.exe
4792	schtasks.exe
4648	schtasks.exe
2744	schtasks.exe
5724	schtasks.exe
5848	schtasks.exe
1988	schtasks.exe
4456	schtasks.exe
4732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1316	192f0f1221e376146e725a4d23ee69a0.exe
1316	192f0f1221e376146e725a4d23ee69a0.exe
1316	192f0f1221e376146e725a4d23ee69a0.exe
5248	powershell.exe
428	powershell.exe
428	powershell.exe
5248	powershell.exe
924	powershell.exe
924	powershell.exe
5676	powershell.exe
5300	powershell.exe
5676	powershell.exe
5300	powershell.exe
3816	powershell.exe
3816	powershell.exe
5416	powershell.exe
5416	powershell.exe
3984	powershell.exe
3984	powershell.exe
5340	powershell.exe
5340	powershell.exe
5788	powershell.exe
5788	powershell.exe
2224	powershell.exe
2224	powershell.exe
3992	powershell.exe
3992	powershell.exe
4340	powershell.exe
4340	powershell.exe
5372	powershell.exe
5372	powershell.exe
3396	powershell.exe
3396	powershell.exe
5172	powershell.exe
5172	powershell.exe
5372	powershell.exe
5172	powershell.exe
5300	powershell.exe
428	powershell.exe
428	powershell.exe
924	powershell.exe
5340	powershell.exe
924	powershell.exe
5676	powershell.exe
3816	powershell.exe
2224	powershell.exe
3984	powershell.exe
5416	powershell.exe
3396	powershell.exe
5248	powershell.exe
5248	powershell.exe
3992	powershell.exe
5788	powershell.exe
4340	powershell.exe
1240	csrss.exe
4348	csrss.exe
4348	csrss.exe
1364	csrss.exe
2376	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	192f0f1221e376146e725a4d23ee69a0.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	5300	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	5340	powershell.exe
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	1240	csrss.exe
Token: SeDebugPrivilege	4348	csrss.exe
Token: SeDebugPrivilege	1364	csrss.exe
Token: SeDebugPrivilege	2376	csrss.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 5248	1316	192f0f1221e376146e725a4d23ee69a0.exe	136
PID 1316 wrote to memory of 5248	1316	192f0f1221e376146e725a4d23ee69a0.exe	136
PID 1316 wrote to memory of 428	1316	192f0f1221e376146e725a4d23ee69a0.exe	137
PID 1316 wrote to memory of 428	1316	192f0f1221e376146e725a4d23ee69a0.exe	137
PID 1316 wrote to memory of 924	1316	192f0f1221e376146e725a4d23ee69a0.exe	138
PID 1316 wrote to memory of 924	1316	192f0f1221e376146e725a4d23ee69a0.exe	138
PID 1316 wrote to memory of 3816	1316	192f0f1221e376146e725a4d23ee69a0.exe	140
PID 1316 wrote to memory of 3816	1316	192f0f1221e376146e725a4d23ee69a0.exe	140
PID 1316 wrote to memory of 3992	1316	192f0f1221e376146e725a4d23ee69a0.exe	141
PID 1316 wrote to memory of 3992	1316	192f0f1221e376146e725a4d23ee69a0.exe	141
PID 1316 wrote to memory of 3984	1316	192f0f1221e376146e725a4d23ee69a0.exe	142
PID 1316 wrote to memory of 3984	1316	192f0f1221e376146e725a4d23ee69a0.exe	142
PID 1316 wrote to memory of 5372	1316	192f0f1221e376146e725a4d23ee69a0.exe	143
PID 1316 wrote to memory of 5372	1316	192f0f1221e376146e725a4d23ee69a0.exe	143
PID 1316 wrote to memory of 5676	1316	192f0f1221e376146e725a4d23ee69a0.exe	144
PID 1316 wrote to memory of 5676	1316	192f0f1221e376146e725a4d23ee69a0.exe	144
PID 1316 wrote to memory of 5300	1316	192f0f1221e376146e725a4d23ee69a0.exe	145
PID 1316 wrote to memory of 5300	1316	192f0f1221e376146e725a4d23ee69a0.exe	145
PID 1316 wrote to memory of 3396	1316	192f0f1221e376146e725a4d23ee69a0.exe	146
PID 1316 wrote to memory of 3396	1316	192f0f1221e376146e725a4d23ee69a0.exe	146
PID 1316 wrote to memory of 5416	1316	192f0f1221e376146e725a4d23ee69a0.exe	147
PID 1316 wrote to memory of 5416	1316	192f0f1221e376146e725a4d23ee69a0.exe	147
PID 1316 wrote to memory of 2224	1316	192f0f1221e376146e725a4d23ee69a0.exe	148
PID 1316 wrote to memory of 2224	1316	192f0f1221e376146e725a4d23ee69a0.exe	148
PID 1316 wrote to memory of 5340	1316	192f0f1221e376146e725a4d23ee69a0.exe	155
PID 1316 wrote to memory of 5340	1316	192f0f1221e376146e725a4d23ee69a0.exe	155
PID 1316 wrote to memory of 5172	1316	192f0f1221e376146e725a4d23ee69a0.exe	156
PID 1316 wrote to memory of 5172	1316	192f0f1221e376146e725a4d23ee69a0.exe	156
PID 1316 wrote to memory of 5788	1316	192f0f1221e376146e725a4d23ee69a0.exe	157
PID 1316 wrote to memory of 5788	1316	192f0f1221e376146e725a4d23ee69a0.exe	157
PID 1316 wrote to memory of 4340	1316	192f0f1221e376146e725a4d23ee69a0.exe	161
PID 1316 wrote to memory of 4340	1316	192f0f1221e376146e725a4d23ee69a0.exe	161
PID 1316 wrote to memory of 5812	1316	192f0f1221e376146e725a4d23ee69a0.exe	169
PID 1316 wrote to memory of 5812	1316	192f0f1221e376146e725a4d23ee69a0.exe	169
PID 5812 wrote to memory of 3380	5812	cmd.exe	171
PID 5812 wrote to memory of 3380	5812	cmd.exe	171
PID 5812 wrote to memory of 1240	5812	cmd.exe	173
PID 5812 wrote to memory of 1240	5812	cmd.exe	173
PID 1240 wrote to memory of 2820	1240	csrss.exe	175
PID 1240 wrote to memory of 2820	1240	csrss.exe	175
PID 1240 wrote to memory of 1624	1240	csrss.exe	176
PID 1240 wrote to memory of 1624	1240	csrss.exe	176
PID 2820 wrote to memory of 4348	2820	WScript.exe	180
PID 2820 wrote to memory of 4348	2820	WScript.exe	180
PID 4348 wrote to memory of 2100	4348	csrss.exe	181
PID 4348 wrote to memory of 2100	4348	csrss.exe	181
PID 4348 wrote to memory of 4316	4348	csrss.exe	182
PID 4348 wrote to memory of 4316	4348	csrss.exe	182
PID 2100 wrote to memory of 1364	2100	WScript.exe	183
PID 2100 wrote to memory of 1364	2100	WScript.exe	183
PID 1364 wrote to memory of 3756	1364	csrss.exe	184
PID 1364 wrote to memory of 3756	1364	csrss.exe	184
PID 1364 wrote to memory of 4708	1364	csrss.exe	185
PID 1364 wrote to memory of 4708	1364	csrss.exe	185
PID 3756 wrote to memory of 2376	3756	WScript.exe	186
PID 3756 wrote to memory of 2376	3756	WScript.exe	186
PID 2376 wrote to memory of 2224	2376	csrss.exe	187
PID 2376 wrote to memory of 2224	2376	csrss.exe	187
PID 2376 wrote to memory of 988	2376	csrss.exe	188
PID 2376 wrote to memory of 988	2376	csrss.exe	188

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	192f0f1221e376146e725a4d23ee69a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	192f0f1221e376146e725a4d23ee69a0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5812
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3380
- - C:\Windows\INF\csrss.exe
    "C:\Windows\INF\csrss.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1240
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\INF\csrss.exe
        
        C:\Windows\INF\csrss.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4348
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\INF\csrss.exe
        
        C:\Windows\INF\csrss.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\INF\csrss.exe
        
        C:\Windows\INF\csrss.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs"
        10⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\054d82fa-6662-4337-8b25-d6c6956d07fe.vbs"
        10⤵
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc942405-30cd-4116-b9a2-f422d2dcd0d5.vbs"
        8⤵
        
        PID:4708
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaee8a08-0687-48e3-b567-a6b41338d915.vbs"
        6⤵
        
        PID:4316
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs"
      4⤵
      PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe

Filesize
1.9MB

MD5
af1ea42c5a939898dec638a3e3bafe89

SHA1
e1198b426a010c52d5d819d4e3549b7fd9aedf9c

SHA256
297fa09f43979245eb68d51b056070d866ba499bbdba48002f510929a30d9529

SHA512
cedcff98f50e4744780d37878d3df5894a03c68c5181a4863184044ce0042f5bdf75f1e24b5cc18a1796e5f4a6e538e4d5185e57f4a21ef6a2b8050c36551d81

Download Submit
C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe

Filesize
1.9MB

MD5
d38f2b4edf0a2d92da9a09dd70d2cf37

SHA1
8bb8d4d545da1c85f4828ddcd67983b6faa4dc26

SHA256
2310585595777afba7f5918c1600f0e717da6277d5f2573445be74a890bd4a0c

SHA512
87e9ade45737b2b75eaa121bdf9f3af459752e8d9787ad27a502d4e80fb6af5e523eaa2ed447a7315bee850f36794cd8329970be25e99e98ec098fab4f1df350

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe

Filesize
1.9MB

MD5
8064fd807b0a95217b4310fa0f86b6b8

SHA1
686474ccf2248cad9ff138384929a5815887cada

SHA256
a60ddfcd566a760aa8d5429a13d92a9be4fc7a48243d4ee8b3b8769a7bbab4ef

SHA512
695bf4e1f3f91997e742172e48dff7bfed870242778c8940effb942e36a93a4f0fe1f228c0fd0a9dd621f1bb69336e1a7af3d560e523b224f1d2f942862d72ac

Download Submit
C:\Program Files\Common Files\backgroundTaskHost.exe

Filesize
1.9MB

MD5
192f0f1221e376146e725a4d23ee69a0

SHA1
9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff

SHA256
019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d

SHA512
daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

Download Submit
C:\Program Files\Common Files\backgroundTaskHost.exe

Filesize
1.9MB

MD5
6faff46046ba4e35aaac24654382aaf1

SHA1
7ab205f4c2cd3dec0955f7283f20cc9ce9b32057

SHA256
8320003cdab3fa348c22e15a1da150dad377039f4ab348c7c5fb24a451faf6a3

SHA512
06f42a846f51d5bf1efc28bc7304f29cf267f5be3d28bca39d812aced0c9156544fa080a4ad51024849dcac5f423dbcac58ad02fcaeeee83bd0cf760a558e844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea6fe6004d9717ca991a4a5fd8873443

SHA1
af50625293a3f23d13dedd6cdb64ccf374ec5c85

SHA256
81e411c6b8ba866564687309bb2aa45431e595ce1aba231f6abb1c34169355bd

SHA512
0214e67ddac786e31f3d2f5665f6c15f1dd87c00d403b38ca77260f04bad8b29402ef40c5219af62af27ae05590ef375d7f6a9eee51ef529fd2ecdc80a63cf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bc26d684f5b18f9220f5487ef7791ec

SHA1
484f4f11b2143a750753f24c413380c2731f28f2

SHA256
9381ad930c4656a680f340a2892781ae12b9eb6eccc1a50a0ca40467cf38f35c

SHA512
2a69e4c58808c4bac49ccd4abe75b79c07482855940d13937371279771e48d1127dde9471bcc2ea2fdc4e93a8434663e4f42e01a1d7ee4c1eb2803aa57450459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c3cddab7d289f65843ac7ee436ff50d

SHA1
19046a0dc416df364c3be08b72166becf7ed9ca9

SHA256
c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

SHA512
45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c8fd95453fe0d2e0f6d8e5ac03994b1

SHA1
d9811cf9d2b0d0ce3387fd79462cd592b005a634

SHA256
232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58

SHA512
f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

Download Submit
C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs

Filesize
700B

MD5
259d7e6d9a37a7dfc6436643d2875afc

SHA1
fe0a1bd28418c179438fd325cdf3b71d48140c1e

SHA256
377e4e0909e000fe50cee20e46c6075e88736e3beb191560b3a9163a5baf7413

SHA512
90ca7d2c5f86dbb1aa66ccf8a49aaa739e0e1b6292d309ca3400f524c9f75e7d71ecd43f9552db2151b6c673c656a55c9cd5c223a588d467c04f37070fb30371

Download Submit
C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs

Filesize
700B

MD5
61701634730f703141dd8ac5155425c5

SHA1
34569d1849fc5e858b274197baf73eaeee196b63

SHA256
0f71765886ac465cda927bb0140766cc36729335b77ffac5d72ed5138606b05a

SHA512
6b5eb486837ede8f5fcaf070380589e9d41fa7c9beacce5329e532d689da65b13d6fc0c28851aa701970c8dcf923669d6b5277723db4eae0603b5a4ecbe2e5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs

Filesize
700B

MD5
5c1222a45892d80248b4f364bc79d694

SHA1
72c131a0988d4649d76857bc87a4b0ad384de6c7

SHA256
0f054f4c59706be1146af6783217d96c735a9af1d26951b0280d99469fd65f58

SHA512
8de7ead3649e6b1ca6384513a80d776a3cc763647b233a8847cb54be221e934153afd8bd519ab2182665c45397b0e9bbdad769a59e6e266cca4e727b487ff5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat

Filesize
189B

MD5
9de1f780a0d76f5cf665dd3e9b4ee4fb

SHA1
78f560b23e20723d73e24e75fb30244d40913bcb

SHA256
4dacf51d0cfe3961fa0cc7cc035d288de7a32a80a3f0fc5eabaa98962e5e7f53

SHA512
a08b0d35cfc510451432330bd045efd76f1cb02a404d33307389744f837ef2ef33adcf90ff4548269a6c176047bcefedf31116b3d588cb6d4ca4de5950a346c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smsen4sv.z3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs

Filesize
700B

MD5
920ba622e14d10ae01909b718cecaa28

SHA1
e1cf2550b8d6a6bb8a4595ae0eac75a6f3c6f218

SHA256
4b7a7739c921345a3559beacfb1c3a28feba40184efba222be3560678ff6a1d3

SHA512
54c1c529b893e272ffbbb714a5dbb297c924b707bf6eb6e1a6e6214cbb6f7dd1e051c013c53f5deeba6b7c9d6b072e2d1623d32a25f995aa847d3223855a7996

Download Submit
C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs

Filesize
476B

MD5
598aed3da2b9bdd3052dbd5a96dd9bee

SHA1
2f5f7aca2e053000f16fc5a599a690c2147cccd6

SHA256
ed446bc64ca3f525e8051e13939e49bc49bf157e36393e8fa9c3e37ac1986d5a

SHA512
ba2457c986c110d6307252d3e52e41d1d76fbf6fef5d466c90e8a576a574a00e6426500bdb1ae361437b0bfa0bab54fdf93318abf67387b0eb6c4a3d80c0ee7a

Download Submit
C:\Windows\INF\csrss.exe

Filesize
1.9MB

MD5
e65c46812829dbd42ad6b83b86264516

SHA1
573a8d91f80af72a0fb2f3d1d3703d8d9af2d521

SHA256
791aa8ff83acfea81ad9677705472f449fa2603fea30d41786afb8cb46f53fbf

SHA512
d92c4429e8fb676cb633299be2e99705ea0c42a4e51a0a39b820a301acaa207be8fd7ee9864034a6a604a1f55cbb8e1d386fa89aeb343324289b4500966f7803

Download Submit
memory/1240-407-0x0000000000CD0000-0x0000000000EBA000-memory.dmp

Filesize
1.9MB

Download
memory/1240-418-0x000000001E260000-0x000000001E362000-memory.dmp

Filesize
1.0MB

Download
memory/1240-421-0x000000001E260000-0x000000001E362000-memory.dmp

Filesize
1.0MB

Download
memory/1240-408-0x000000001D6A0000-0x000000001D6B2000-memory.dmp

Filesize
72KB

Download
memory/1316-3-0x0000000002DE0000-0x0000000002DFC000-memory.dmp

Filesize
112KB

Download
memory/1316-15-0x000000001BF40000-0x000000001BF4C000-memory.dmp

Filesize
48KB

Download
memory/1316-1-0x0000000000AF0000-0x0000000000CDA000-memory.dmp

Filesize
1.9MB

Download
memory/1316-206-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

Filesize
10.8MB

Download
memory/1316-182-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp

Filesize
8KB

Download
memory/1316-14-0x000000001CA00000-0x000000001CF28000-memory.dmp

Filesize
5.2MB

Download
memory/1316-16-0x000000001C100000-0x000000001C10A000-memory.dmp

Filesize
40KB

Download
memory/1316-17-0x000000001C110000-0x000000001C11E000-memory.dmp

Filesize
56KB

Download
memory/1316-18-0x000000001C120000-0x000000001C128000-memory.dmp

Filesize
32KB

Download
memory/1316-19-0x000000001C130000-0x000000001C13C000-memory.dmp

Filesize
48KB

Download
memory/1316-20-0x000000001C140000-0x000000001C14C000-memory.dmp

Filesize
48KB

Download
memory/1316-231-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

Filesize
10.8MB

Download
memory/1316-0-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp

Filesize
8KB

Download
memory/1316-4-0x000000001BED0000-0x000000001BF20000-memory.dmp

Filesize
320KB

Download
memory/1316-10-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/1316-11-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

Filesize
32KB

Download
memory/1316-13-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

Filesize
72KB

Download
memory/1316-8-0x0000000002E20000-0x0000000002E2A000-memory.dmp

Filesize
40KB

Download
memory/1316-9-0x0000000002E60000-0x0000000002EB6000-memory.dmp

Filesize
344KB

Download
memory/1316-7-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/1316-5-0x0000000001490000-0x0000000001498000-memory.dmp

Filesize
32KB

Download
memory/1316-6-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/1316-2-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

Filesize
10.8MB

Download
memory/5676-241-0x000001F896DF0000-0x000001F896E12000-memory.dmp

Filesize
136KB

Download