760f5ddd00760be411967d77224b29a48e00e1eed0e978ba4017979595d1637e

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Size

1.9MB
MD5

6b2fc4f837857e149b08e54742b10c30
SHA1

b5cca5b8fd192a47b21f1521c883d8aa91a36ce2
SHA256

6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3
SHA512

208c6534ce6c3ee3bc9457b5404ee58b1114138eb585ef33071a73347f3c93175944fb5a207f1e4543a3457bcbbc55834b4c1e4c96a14b80a46b0f9bb054cc02
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2708	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2708	schtasks.exe	31

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe
2744	powershell.exe
2820	powershell.exe
1340	powershell.exe
2056	powershell.exe
2204	powershell.exe
1248	powershell.exe
1332	powershell.exe
2028	powershell.exe
2732	powershell.exe
2312	powershell.exe
2068	powershell.exe
1876	powershell.exe
1864	powershell.exe
2952	powershell.exe
2504	powershell.exe
584	powershell.exe
1972	powershell.exe
408	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Executes dropped EXE 7 IoCs

pid	Process
1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2612	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2700	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1664	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1780	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2716	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1440	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXFA58.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXDF62.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXDAEB.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXF16B.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXF16C.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF853.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\5940a34987c991	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Windows Journal\Templates\f76c3ede4bea7c	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\75a57c1bdf437c	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\RCXE86F.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\75a57c1bdf437c	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCXE66A.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Common Files\OSPPSVC.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\1610b97d3ab4a7	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXDF61.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCXE669.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\RCXE86E.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF852.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Common Files\OSPPSVC.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXDAEA.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXEC78.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF64E.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXEC79.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXFA57.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\f76c3ede4bea7c	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\Common Files\1610b97d3ab4a7	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF5E0.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\b75386f1303e64	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Windows\Microsoft.NET\RCXFC5C.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Windows\Microsoft.NET\RCXFC5D.tmp	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File opened for modification	C:\Windows\Microsoft.NET\taskhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Windows\rescache\rc0005\wininit.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Windows\Speech\Common\fr-FR\sppsvc.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
File created	C:\Windows\Microsoft.NET\taskhost.exe	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
340	schtasks.exe
2936	schtasks.exe
2844	schtasks.exe
1332	schtasks.exe
1952	schtasks.exe
332	schtasks.exe
840	schtasks.exe
2612	schtasks.exe
2924	schtasks.exe
864	schtasks.exe
1504	schtasks.exe
1856	schtasks.exe
880	schtasks.exe
2508	schtasks.exe
1588	schtasks.exe
2768	schtasks.exe
2840	schtasks.exe
2788	schtasks.exe
1896	schtasks.exe
3028	schtasks.exe
1600	schtasks.exe
2448	schtasks.exe
452	schtasks.exe
2592	schtasks.exe
1860	schtasks.exe
912	schtasks.exe
2096	schtasks.exe
1624	schtasks.exe
1640	schtasks.exe
324	schtasks.exe
760	schtasks.exe
1580	schtasks.exe
2872	schtasks.exe
3020	schtasks.exe
1744	schtasks.exe
1516	schtasks.exe
1820	schtasks.exe
2792	schtasks.exe
3008	schtasks.exe
1824	schtasks.exe
836	schtasks.exe
2076	schtasks.exe
1628	schtasks.exe
2568	schtasks.exe
1524	schtasks.exe
2668	schtasks.exe
1308	schtasks.exe
1804	schtasks.exe
2196	schtasks.exe
816	schtasks.exe
1492	schtasks.exe
1764	schtasks.exe
2548	schtasks.exe
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2068	powershell.exe
2732	powershell.exe
2952	powershell.exe
1248	powershell.exe
2504	powershell.exe
1876	powershell.exe
408	powershell.exe
1332	powershell.exe
2744	powershell.exe
584	powershell.exe
2516	powershell.exe
1340	powershell.exe
1972	powershell.exe
1864	powershell.exe
2056	powershell.exe
2028	powershell.exe
2312	powershell.exe
2820	powershell.exe
2204	powershell.exe
1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2612	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2700	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1664	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1780	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
2716	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
1440	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	2612	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	2700	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	1664	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	1780	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	2716	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Token: SeDebugPrivilege	1440	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1876	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	86
PID 2040 wrote to memory of 1876	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	86
PID 2040 wrote to memory of 1876	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	86
PID 2040 wrote to memory of 584	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	87
PID 2040 wrote to memory of 584	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	87
PID 2040 wrote to memory of 584	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	87
PID 2040 wrote to memory of 2068	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	88
PID 2040 wrote to memory of 2068	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	88
PID 2040 wrote to memory of 2068	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	88
PID 2040 wrote to memory of 2504	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	89
PID 2040 wrote to memory of 2504	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	89
PID 2040 wrote to memory of 2504	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	89
PID 2040 wrote to memory of 2312	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	92
PID 2040 wrote to memory of 2312	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	92
PID 2040 wrote to memory of 2312	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	92
PID 2040 wrote to memory of 408	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	96
PID 2040 wrote to memory of 408	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	96
PID 2040 wrote to memory of 408	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	96
PID 2040 wrote to memory of 2732	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	97
PID 2040 wrote to memory of 2732	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	97
PID 2040 wrote to memory of 2732	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	97
PID 2040 wrote to memory of 2028	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	98
PID 2040 wrote to memory of 2028	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	98
PID 2040 wrote to memory of 2028	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	98
PID 2040 wrote to memory of 1864	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	99
PID 2040 wrote to memory of 1864	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	99
PID 2040 wrote to memory of 1864	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	99
PID 2040 wrote to memory of 1332	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	100
PID 2040 wrote to memory of 1332	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	100
PID 2040 wrote to memory of 1332	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	100
PID 2040 wrote to memory of 1248	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	101
PID 2040 wrote to memory of 1248	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	101
PID 2040 wrote to memory of 1248	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	101
PID 2040 wrote to memory of 2056	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	102
PID 2040 wrote to memory of 2056	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	102
PID 2040 wrote to memory of 2056	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	102
PID 2040 wrote to memory of 2516	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	103
PID 2040 wrote to memory of 2516	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	103
PID 2040 wrote to memory of 2516	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	103
PID 2040 wrote to memory of 2952	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	104
PID 2040 wrote to memory of 2952	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	104
PID 2040 wrote to memory of 2952	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	104
PID 2040 wrote to memory of 2744	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	105
PID 2040 wrote to memory of 2744	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	105
PID 2040 wrote to memory of 2744	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	105
PID 2040 wrote to memory of 2204	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	106
PID 2040 wrote to memory of 2204	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	106
PID 2040 wrote to memory of 2204	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	106
PID 2040 wrote to memory of 2820	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	107
PID 2040 wrote to memory of 2820	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	107
PID 2040 wrote to memory of 2820	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	107
PID 2040 wrote to memory of 1972	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	108
PID 2040 wrote to memory of 1972	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	108
PID 2040 wrote to memory of 1972	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	108
PID 2040 wrote to memory of 1340	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	109
PID 2040 wrote to memory of 1340	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	109
PID 2040 wrote to memory of 1340	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	109
PID 2040 wrote to memory of 1872	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	124
PID 2040 wrote to memory of 1872	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	124
PID 2040 wrote to memory of 1872	2040	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	124
PID 1872 wrote to memory of 3052	1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	125
PID 1872 wrote to memory of 3052	1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	125
PID 1872 wrote to memory of 3052	1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	125
PID 1872 wrote to memory of 2684	1872	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe	126

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
"C:\Users\Admin\AppData\Local\Temp\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
  "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fd03a9-08ed-4194-a230-7b59c40c38f8.vbs"
    3⤵
    PID:3052
  - - C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
      "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9b05054-debd-4236-a659-95c7340fb34c.vbs"
        5⤵
        
        PID:960
      - C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c19f21f1-e561-4d41-a535-f3e5a6f2769f.vbs"
        7⤵
        
        PID:1580
        
        C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\800f0077-254e-4a1d-b9ac-1fed07c682e0.vbs"
        9⤵
        
        PID:680
        
        C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06472a8b-52a7-4305-adc0-3bc8d712a461.vbs"
        11⤵
        
        PID:2968
        
        C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10b23803-1c48-4198-9641-8b8d2c162c1c.vbs"
        13⤵
        
        PID:2400
        
        C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9f6d12-266b-40cc-9c5d-f7381bb07f57.vbs"
        15⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0bb6e62-55df-40b7-87a6-e3e9577b6883.vbs"
        15⤵
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85e48faf-ec3e-493c-a574-b0552a14dd8b.vbs"
        13⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57ee34dd-fb70-4f37-a12b-dcad103ff08c.vbs"
        11⤵
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af846fa8-5e18-40c8-97e9-6b667899611a.vbs"
        9⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba35334b-099a-4f93-b752-087650b1ce3b.vbs"
        7⤵
        
        PID:352
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8397ee9-6c0a-48cf-bdfd-b1c0c6561121.vbs"
        5⤵
        
        PID:760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bfc9572-1d77-4744-ae18-ab1a4bd11ef0.vbs"
    3⤵
    PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe36" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\spoolsv.exe

Filesize
1.9MB

MD5
6ebbca13693c0363c2a5c81231cd609f

SHA1
16025d7b52f98d42d31d106c369c7f43b5cba561

SHA256
0f29b0a108a0384c9aedc94c9b9606a40a60947ea77f610e09a6b863e18d7184

SHA512
3baa084ae91d8babfbb95e6da8d44173edfd61f9ff0e9e803a531525bfc0af46f8b453f88bb94db0352cb4287658ca10bb08f0c7858019e87cb17a3585c5ac2d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
1.9MB

MD5
6ac2671ca224a2cf4de1781b3df8dc5a

SHA1
d16f4afbc17a2133f2db639f379dfeda34e94c7c

SHA256
b210f2511ce34016b2b7cd6d37b028bdb07a55644e05a2ab4b7734a651ef6c19

SHA512
3c25676319256b488ecbc87b02c6e409002ee5cb26986e33e76459a0eb68f44a07fc3bb1d45f189cccf80f1c1004732d4139f62b84275d9e75429f4249a24feb

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe

Filesize
1.9MB

MD5
2dea334f07823de3c97e3619cc31a868

SHA1
015ff29fc598e23ac48c2e670eab357e641b9867

SHA256
7c0f633d169c39625c2a5caf0a2e3afe397549f1815aa6be04593632ae38510c

SHA512
b0d26d48b72bb3dfa62e0f25f849fea26f6f4ac5d25a87a4c57f0afdaeb72b6edbc673dfe263f4bcb7ac8ebd52eaa81adfb54232070ddad328ebbb2fda7c0cfe

Download Submit
C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe

Filesize
1.9MB

MD5
6b2fc4f837857e149b08e54742b10c30

SHA1
b5cca5b8fd192a47b21f1521c883d8aa91a36ce2

SHA256
6568e08910efb944663d1ebc8ef4693849bdd01571f3698d389fc43b09c8dfe3

SHA512
208c6534ce6c3ee3bc9457b5404ee58b1114138eb585ef33071a73347f3c93175944fb5a207f1e4543a3457bcbbc55834b4c1e4c96a14b80a46b0f9bb054cc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\06472a8b-52a7-4305-adc0-3bc8d712a461.vbs

Filesize
801B

MD5
bd31d3bdfbc49e06d298c8d7108960d5

SHA1
1244e8dda74b798373befcf879bd864012b991e9

SHA256
ec4f3301cbabe386f4ff0e05d37bf4b7df03cdb9acdcc785d354e6eba7b6c086

SHA512
a15c03ad22ea0ec278da9821a7b87823b66b8027aab0a3203c67a5854d928ee0c1351733c8acb5698df139a1412871e7bff021fcdc30697348d47afec3857227

Download Submit
C:\Users\Admin\AppData\Local\Temp\10b23803-1c48-4198-9641-8b8d2c162c1c.vbs

Filesize
801B

MD5
09def5e1916c65fbe1926e0169c1d304

SHA1
69906bb758dc9f7870ab1e368e66a86a68f6cf89

SHA256
605006e22039f17f087c5a6a952b5be594de9f8901b06f6e70191051ab50ec08

SHA512
19b9dbdea3699da136810bf77b18c6370924d093a20a4874f94105e8445b84ce07212cbc6996f3410870ed3026c3bf7da7d19d22d71b89606355648c2475320f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bfc9572-1d77-4744-ae18-ab1a4bd11ef0.vbs

Filesize
577B

MD5
1d5dfaae28b2f44df4b7f54b5b8f2ce8

SHA1
58a73d997f9b1487ea3a719e335c0a0b95482e87

SHA256
c3b2a199d1bc6cb2fa017523b7b64082e789f275f6586571321f23517db45490

SHA512
5c2c736e62843ae8de1dea2756bd59f7be0b40b71c4875ddc6bd57b3d8fa481bc03aff4ef0838e5e11be3f3322e1887a1032255dde3d7905052c2f8d76b56059

Download Submit
C:\Users\Admin\AppData\Local\Temp\800f0077-254e-4a1d-b9ac-1fed07c682e0.vbs

Filesize
801B

MD5
29bd91b32023aa766ec93497eb98081f

SHA1
63a134ea2059271cdcca84f3cd0ac1f7b4b5e34c

SHA256
aff2c21267270f1950a321debede4377b9533b539010a501f05f0c87b5c96926

SHA512
192c9017c36645f935363696ecd8f8e19068957f91e9c937852152d855d8bcad093caea9dfd4dab98814032f836a6a9d243cdbc91bed6eb7185e6090ca7813e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\84fd03a9-08ed-4194-a230-7b59c40c38f8.vbs

Filesize
801B

MD5
127a2bb7a66759d92cccd76c680765ab

SHA1
82ea5cabacc35d42fccd7ea47c37793a0a58f9ca

SHA256
faa0f421db0d04d292842dab819316aebed433bb6669b51253111680b21d53c5

SHA512
674839bd889f72d986c674d451c5d29815dd665323de2d6409d71f253f646465fab08566b01d29a3f98c83c22464c61781341db1b45abf6ad97eb4d5657ac801

Download Submit
C:\Users\Admin\AppData\Local\Temp\978f684442467354e28821397045b9780ba3154c.exe

Filesize
1.9MB

MD5
7f0731e7ff6ad094adb6d2cdf2707318

SHA1
15d21416a89005ddfbec2f79fdff5d2eac04aa88

SHA256
f2bf5f4ffb0aa5821a0bc3a354250462f0dcb3c12b73c3ea0bb9ea55d2a8455f

SHA512
e0a547ee319c702d4f3f27d09207a40ad973217961e168089fca140f5cfc081c74c6ac2dc2110a48e8459d5d8b276e4716cd2ee3c499bde71aec30ff8b008cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9b05054-debd-4236-a659-95c7340fb34c.vbs

Filesize
801B

MD5
496ebeb29bbe23cc026aa5e7af15998f

SHA1
a6a224f0cdf0b7c19ebd9830190f1bf023f2caa6

SHA256
1cfd1a4f00e1b7750c2ed0dc1c01749fe79ec08d6af46988da09d5020b328067

SHA512
cb0f895b08170dea4f584fa84bfc04f8f1201ea4cf70a171efdeade674037e8cf96b5a4acb5c64afb24ca2f8e448dabade617785a7e84e6211e16e166ce8437a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c19f21f1-e561-4d41-a535-f3e5a6f2769f.vbs

Filesize
801B

MD5
9a40b81c9ebd1a68e6d9e83024e003ea

SHA1
ac88713e9d161ffb2d1bdce489b94eaf9b43c7c9

SHA256
d9a73dcc8c3a85c106e6bde16d6af6a7cb23debaad961cac7538b525ef6466fd

SHA512
8dc8f61873d0412aac817ec408dfd35dc3807cf6aa189dc7337a0f8329dfb65ad7da421d94a517d9b40b7c52567fc478c396f0a4abe41bcf504c18eed4861c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa9f6d12-266b-40cc-9c5d-f7381bb07f57.vbs

Filesize
801B

MD5
e8f103e47a39ec1f04549e9b7cbd1577

SHA1
39f31d6f00219def453999695627ff83a7d0b480

SHA256
dd4e40fd306107d32ab24df39cf38b7590c632ef10051ebe9224e7a5585e0e47

SHA512
300f93ba7f4fd61f1c32080ca55a4bd1e69dbe11e886692283de57ca6b52f8d28265c083f0837a1e2b30c7e519a6c5fef6846cae3912399a31d300db796f72e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5c83924b285dddde589fe990d83bba57

SHA1
e8f6bd8d3eb2f59eef5bb1a73d2514fe1827ecda

SHA256
f707667b05ff31dcd8b4a8619e4de35a6e3c541d5acbe994f4281ffc45c22c47

SHA512
2d8d3f2cecb6e64118b7b5c905d108cca3c82b7faf6253719899dbb33994d3945ab58524aa4f1e362f74352b89ccd95c6563d27903b29ae160cac97178c348d4

Download Submit
memory/1440-435-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1664-399-0x00000000000A0000-0x000000000028A000-memory.dmp

Filesize
1.9MB

Download
memory/1780-411-0x0000000001230000-0x000000000141A000-memory.dmp

Filesize
1.9MB

Download
memory/1780-412-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/1872-328-0x0000000000BD0000-0x0000000000DBA000-memory.dmp

Filesize
1.9MB

Download
memory/2040-10-0x0000000000E30000-0x0000000000E38000-memory.dmp

Filesize
32KB

Download
memory/2040-4-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2040-210-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2040-14-0x000000001A990000-0x000000001A99A000-memory.dmp

Filesize
40KB

Download
memory/2040-224-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-15-0x000000001AD70000-0x000000001AD7E000-memory.dmp

Filesize
56KB

Download
memory/2040-1-0x0000000001010000-0x00000000011FA000-memory.dmp

Filesize
1.9MB

Download
memory/2040-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-16-0x000000001AD80000-0x000000001AD88000-memory.dmp

Filesize
32KB

Download
memory/2040-364-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-17-0x000000001AD90000-0x000000001AD9C000-memory.dmp

Filesize
48KB

Download
memory/2040-13-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/2040-3-0x0000000000BD0000-0x0000000000BEC000-memory.dmp

Filesize
112KB

Download
memory/2040-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/2040-12-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/2040-9-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/2040-8-0x0000000000DD0000-0x0000000000E26000-memory.dmp

Filesize
344KB

Download
memory/2040-7-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2040-18-0x000000001ADA0000-0x000000001ADAC000-memory.dmp

Filesize
48KB

Download
memory/2040-6-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2068-283-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2068-266-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2612-375-0x0000000001120000-0x000000000130A000-memory.dmp

Filesize
1.9MB

Download
memory/2700-387-0x0000000000250000-0x000000000043A000-memory.dmp

Filesize
1.9MB

Download