13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
80s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Size

1.9MB
MD5

e3e41d9c5ff14ac3d6b241919529b0bf
SHA1

2dbfc71860ca38a1400e38c14cfce3692d18c70a
SHA256

a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0
SHA512

64d8683c41f4fa3247da647d856cd18f8a6332d99344612d86e2321bccfc50ea339d12f40f0bd2ceb19850d4beeda2182fbf03ea40a0cbaa4388e486d6fb4f30
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4708	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4708	schtasks.exe	88

UAC bypass 3 TTPs 18 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
4132	powershell.exe
876	powershell.exe
2056	powershell.exe
3032	powershell.exe
2448	powershell.exe
4148	powershell.exe
1792	powershell.exe
640	powershell.exe
4036	powershell.exe
4664	powershell.exe
4588	powershell.exe
4244	powershell.exe
3304	powershell.exe
4408	powershell.exe
2360	powershell.exe
4976	powershell.exe
3920	powershell.exe
3436	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 5 IoCs

pid	Process
5904	RuntimeBroker.exe
5252	RuntimeBroker.exe
1708	RuntimeBroker.exe
1868	RuntimeBroker.exe
5884	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD072.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDBD5.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\5940a34987c991	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXE872.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\dllhost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\7a0fd90576e088	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXE3DB.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\RCXEF8D.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\RCXF00B.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\ee2ad38f3d4382	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXE35D.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXE8F0.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\reports\Registry.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD071.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXD286.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\dllhost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDC53.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXF998.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\Registry.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXD297.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXF997.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\1c6f6ec434daca	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RCXD519.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\tracing\RCXDE58.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\tracing\RuntimeBroker.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\tracing\RuntimeBroker.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\tracing\9e8d7a4ca61bd9	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RCXD529.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\tracing\RCXDE59.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXF21F.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXF220.tmp	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\22eafd247d37c3	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
File created	C:\Windows\Prefetch\ReadyBoot\55b276f4edf653	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3532	schtasks.exe
980	schtasks.exe
5112	schtasks.exe
4132	schtasks.exe
1684	schtasks.exe
4100	schtasks.exe
3220	schtasks.exe
4316	schtasks.exe
4408	schtasks.exe
2132	schtasks.exe
4660	schtasks.exe
3572	schtasks.exe
3016	schtasks.exe
4952	schtasks.exe
2876	schtasks.exe
5092	schtasks.exe
4584	schtasks.exe
220	schtasks.exe
1904	schtasks.exe
1424	schtasks.exe
3868	schtasks.exe
5064	schtasks.exe
3324	schtasks.exe
1960	schtasks.exe
3960	schtasks.exe
3920	schtasks.exe
1480	schtasks.exe
952	schtasks.exe
972	schtasks.exe
1616	schtasks.exe
1420	schtasks.exe
212	schtasks.exe
4960	schtasks.exe
4104	schtasks.exe
2808	schtasks.exe
1700	schtasks.exe
1048	schtasks.exe
4452	schtasks.exe
1248	schtasks.exe
3448	schtasks.exe
4084	schtasks.exe
1976	schtasks.exe
400	schtasks.exe
1964	schtasks.exe
2416	schtasks.exe
1252	schtasks.exe
1008	schtasks.exe
4116	schtasks.exe
1060	schtasks.exe
2496	schtasks.exe
2216	schtasks.exe
3304	schtasks.exe
2192	schtasks.exe
3332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
640	powershell.exe
640	powershell.exe
2056	powershell.exe
4132	powershell.exe
2056	powershell.exe
4132	powershell.exe
4976	powershell.exe
4976	powershell.exe
3304	powershell.exe
3304	powershell.exe
3436	powershell.exe
3436	powershell.exe
4664	powershell.exe
4664	powershell.exe
4036	powershell.exe
4036	powershell.exe
876	powershell.exe
2360	powershell.exe
876	powershell.exe
2360	powershell.exe
3920	powershell.exe
4940	powershell.exe
4940	powershell.exe
4588	powershell.exe
4588	powershell.exe
3920	powershell.exe
3032	powershell.exe
3032	powershell.exe
4148	powershell.exe
4148	powershell.exe
4244	powershell.exe
4244	powershell.exe
4408	powershell.exe
4408	powershell.exe
1792	powershell.exe
1792	powershell.exe
2448	powershell.exe
2448	powershell.exe
4244	powershell.exe
4588	powershell.exe
4664	powershell.exe
1792	powershell.exe
3304	powershell.exe
4132	powershell.exe
4132	powershell.exe
4976	powershell.exe
4408	powershell.exe
4976	powershell.exe
2056	powershell.exe
2056	powershell.exe
640	powershell.exe
640	powershell.exe
3436	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	5904	RuntimeBroker.exe
Token: SeDebugPrivilege	5252	RuntimeBroker.exe
Token: SeDebugPrivilege	1708	RuntimeBroker.exe
Token: SeDebugPrivilege	1868	RuntimeBroker.exe
Token: SeDebugPrivilege	5884	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4148	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	149
PID 3824 wrote to memory of 4148	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	149
PID 3824 wrote to memory of 3304	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	150
PID 3824 wrote to memory of 3304	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	150
PID 3824 wrote to memory of 4244	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	151
PID 3824 wrote to memory of 4244	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	151
PID 3824 wrote to memory of 4588	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	152
PID 3824 wrote to memory of 4588	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	152
PID 3824 wrote to memory of 4976	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	154
PID 3824 wrote to memory of 4976	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	154
PID 3824 wrote to memory of 4132	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	155
PID 3824 wrote to memory of 4132	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	155
PID 3824 wrote to memory of 2360	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	156
PID 3824 wrote to memory of 2360	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	156
PID 3824 wrote to memory of 2448	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	158
PID 3824 wrote to memory of 2448	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	158
PID 3824 wrote to memory of 4408	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	159
PID 3824 wrote to memory of 4408	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	159
PID 3824 wrote to memory of 4664	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	160
PID 3824 wrote to memory of 4664	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	160
PID 3824 wrote to memory of 4940	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	161
PID 3824 wrote to memory of 4940	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	161
PID 3824 wrote to memory of 4036	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	162
PID 3824 wrote to memory of 4036	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	162
PID 3824 wrote to memory of 640	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	163
PID 3824 wrote to memory of 640	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	163
PID 3824 wrote to memory of 3436	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	164
PID 3824 wrote to memory of 3436	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	164
PID 3824 wrote to memory of 1792	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	166
PID 3824 wrote to memory of 1792	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	166
PID 3824 wrote to memory of 3032	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	167
PID 3824 wrote to memory of 3032	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	167
PID 3824 wrote to memory of 2056	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	168
PID 3824 wrote to memory of 2056	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	168
PID 3824 wrote to memory of 876	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	169
PID 3824 wrote to memory of 876	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	169
PID 3824 wrote to memory of 3920	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	170
PID 3824 wrote to memory of 3920	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	170
PID 3824 wrote to memory of 2248	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	187
PID 3824 wrote to memory of 2248	3824	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe	187
PID 2248 wrote to memory of 5148	2248	cmd.exe	189
PID 2248 wrote to memory of 5148	2248	cmd.exe	189
PID 2248 wrote to memory of 5904	2248	cmd.exe	190
PID 2248 wrote to memory of 5904	2248	cmd.exe	190
PID 5904 wrote to memory of 5760	5904	RuntimeBroker.exe	191
PID 5904 wrote to memory of 5760	5904	RuntimeBroker.exe	191
PID 5904 wrote to memory of 2876	5904	RuntimeBroker.exe	192
PID 5904 wrote to memory of 2876	5904	RuntimeBroker.exe	192
PID 5760 wrote to memory of 5252	5760	WScript.exe	198
PID 5760 wrote to memory of 5252	5760	WScript.exe	198
PID 5252 wrote to memory of 2152	5252	RuntimeBroker.exe	202
PID 5252 wrote to memory of 2152	5252	RuntimeBroker.exe	202
PID 5252 wrote to memory of 2680	5252	RuntimeBroker.exe	203
PID 5252 wrote to memory of 2680	5252	RuntimeBroker.exe	203
PID 2152 wrote to memory of 1708	2152	WScript.exe	205
PID 2152 wrote to memory of 1708	2152	WScript.exe	205
PID 1708 wrote to memory of 2060	1708	RuntimeBroker.exe	206
PID 1708 wrote to memory of 2060	1708	RuntimeBroker.exe	206
PID 1708 wrote to memory of 2832	1708	RuntimeBroker.exe	207
PID 1708 wrote to memory of 2832	1708	RuntimeBroker.exe	207
PID 2060 wrote to memory of 1868	2060	WScript.exe	208
PID 2060 wrote to memory of 1868	2060	WScript.exe	208
PID 1868 wrote to memory of 1756	1868	RuntimeBroker.exe	209
PID 1868 wrote to memory of 1756	1868	RuntimeBroker.exe	209

System policy modification 1 TTPs 18 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe
"C:\Users\Admin\AppData\Local\Temp\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\reports\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NMBBAnYlRA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5148
- - C:\Recovery\WindowsRE\RuntimeBroker.exe
    "C:\Recovery\WindowsRE\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d37e0e6-a35e-4d21-ad20-d736eeecb6a1.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5760
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5252
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca9b813-6419-4fcb-a693-0d78552c68bf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63f3b365-1b00-4f24-b599-30ccc2f20fd0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbc60344-cf79-4178-9b0b-2689cb0c6a95.vbs"
        10⤵
        
        PID:1756
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c93b2703-5327-4e6f-a4c2-d688ff3ab476.vbs"
        12⤵
        
        PID:5220
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        13⤵
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328fbc6f-ebfb-4bde-b3f2-c2570f9a6536.vbs"
        14⤵
        
        PID:6128
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        15⤵
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c61b940-aea2-4222-b620-05cf2640a768.vbs"
        16⤵
        
        PID:5700
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        17⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d045f065-324a-4135-8631-b0dbf5c973b7.vbs"
        18⤵
        
        PID:2936
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        19⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca1248c-3817-4ec2-840b-62fe680e2f95.vbs"
        20⤵
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c788fa45-452b-4c61-a6c7-db04b7b3c64a.vbs"
        20⤵
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74b90a7d-c654-4596-b2e5-39b27f3978a1.vbs"
        18⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96558aa6-e03d-490b-aa3f-9491510fe06c.vbs"
        16⤵
        
        PID:3156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7accb456-e61c-4997-b3e6-c6b8b9428ed3.vbs"
        14⤵
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7893b99-0f00-4a36-8317-bb958315f3c9.vbs"
        12⤵
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f5eec5-0298-47f9-90c2-aaf83f078d8e.vbs"
        10⤵
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6ff641d-1600-469a-a4a2-6013ed966394.vbs"
        8⤵
        
        PID:2832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94cad585-faa9-485d-833b-8c991aa03550.vbs"
        6⤵
        
        PID:2680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3936fef-3325-4cb1-a062-a20cff1a2df0.vbs"
      4⤵
      PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OneDrive\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OneDrive\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\reports\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\MsEdgeCrashpad\reports\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0a" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0a" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\lsass.exe

Filesize
1.9MB

MD5
7679c77ee1e86237e3ecebaf80bdbe7d

SHA1
7072e3398d6177d9f7043135a5572ccd8f62712d

SHA256
baa2919bde33713760c0cba10c4531f47f62974c8bdb9112eb167a536f799178

SHA512
a87420e15924e58af0da43c5996a97bcacc415b6625be9602fa2115034097051ea0bd5ca539a80ca1c60861d5afa1ace4a9e7f9d3be3c8fa5ae9042be670524b

Download Submit
C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe

Filesize
1.9MB

MD5
408468d6e10e1fb0f03688766d09c1af

SHA1
acd35598e46ea0d37a3eeb29c5fca53a64809fc9

SHA256
98ce6c58d5d04286c5ace29277ab31d0cafeb1a261974404115501c796674d65

SHA512
c655f15b78345ea95505e5af4b635754548f561ee61a1cb781099db30ea11c71061f667e5b9e3b1c28b36074ab5ecd6c873cc6a6d5bb9442093fbf32819c4ca2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe

Filesize
1.9MB

MD5
50d1f0613859d1682a17998de39bda4a

SHA1
02687e047c851e8e2725497d863588508f88768c

SHA256
655bca14f482b9576d68e5f18c39acfa9b245f1fd295607768478836faf18e33

SHA512
789a7207b1ef1945fef3c50e258f737f0752ca93466c3e6bef0e4f152df696512195cbdbb0a602646108618abcb3e7a8bf2eff8b69ac4a79c4a0663201fc3876

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

Filesize
1.9MB

MD5
8cfeb344854fc090707624e41750bdd4

SHA1
5fcaac52d9ef6bd5906d94611890ba7156b807b7

SHA256
a93622229bd6c271fb5f3cb773a4a5a77b50678d9ba0136440c6518f164a221a

SHA512
5c5866943be21a1928ec796705f32b1550910c918f19c043dff05068ec6667583d8737323992463709a697d291a13ab1c8ed25c162dee3ceb716d41621563447

Download Submit
C:\Program Files\MsEdgeCrashpad\reports\Registry.exe

Filesize
1.9MB

MD5
e02dd386e5aa1063a5e06674a992e5eb

SHA1
391deec0beb0039c3de6a339f8df26c1d6ceaab9

SHA256
90146155a7bed79b830111f936bb20a758d512d9c146a6db6a78b415c0fd18fe

SHA512
07c7bfebfbfcdf40fc6423e5ff21e274c9341833a1483f5bcced57a9dee2f8ca4b795eeb6f1280082f9149fe0c0a4fad07c7edada06fe130a42fd4bb8cdcdd15

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\explorer.exe

Filesize
1.9MB

MD5
9df4091ffae6be75a6b9f12660f96716

SHA1
d08dbf678c620f4c052040673f7e9cefec425645

SHA256
0fcbb37639eca0ecd7768c6ef608dfac68aeaa9f95b74c3425b419d32bed1e53

SHA512
82d771e37ffa61ae8ef79b4dcadf06f8f356a1489f67ba5d57c9042dd630d714b8fabb4dad47ae757930dc37e43e41ea538a36fae66c594973ea6b48109bd106

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.9MB

MD5
6b6bf658ff088c6c4c8e75437ea33b54

SHA1
3fa98f08e55601465002824851f30320e87e8725

SHA256
7c6645a021f747e9644ff7a0fd0a56af076dc464e156285912d2c3e75e7dd898

SHA512
660a409a6f80e7509be9aadbe2cf9aa801bdb9a339e968854e2b9b4c26f529b72e68e1b9144a185e69ce3624cc0fdb359443492bd5795d913db1122642eb2e50

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.9MB

MD5
79631eae4339e4ce404cea395dca1cd5

SHA1
dcd46c1e67ee99f8da7608107d211b85a0e04d84

SHA256
5bfed39023a2772ea29ba8234b9158bde8b5f27f63396d9c47038497a4653dc7

SHA512
a056dd4378187ece2715df04db224fbd99305eef2c71f894df68e1073aa7d7a95c7cdb6eacaa09245e2fcf96f0551628b1ea78c2ef7f61972170844745075f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
97ddd18a32d584958b41172d299ef349

SHA1
b217ed812355e6405a4c8965039a4f8f6b0a86ae

SHA256
76d557743db3e6342eeb93d93a334de194eab98a6f106b1fab2a50472f181594

SHA512
30d9d358f5fceb29fa1e023d01049a5756c15969750c3aa311f1a85d4d10404f6b059d9b6ba0174ba1dd4c7a8b331924408e14fb36f07655b26421eb9501c1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7cfa57226f15f18e8c29720a8a6efc8b

SHA1
fef3b41b9715cd37a0bb9ab323fc9aa62158d55b

SHA256
53d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb

SHA512
d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf894941144c587568593db71ccb1243

SHA1
3c7d428e83697342bc3d53a52b6a90f1dac739bc

SHA256
95e4bddd5c8915f1803b4842a2076709a0fc7d3988f62e12719735204e0f43bd

SHA512
3f0f6dcf08471ea1147e56b8baf72b3576289c8e884537d9c295a0b881ecd58d8d2a877b73e88685bea54a037e6ce3600cceb04f3df493827cc95e389053683a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68bf9e6d0adb2ef3481ca14096fb649c

SHA1
16ca4ae4e06b787cb7ce84d9520fe27d09800063

SHA256
f450abac163b8b6e1390084d47356b54bfcde6c0411924907d24c727e964025e

SHA512
3dee6b307cb014ada181e92e2358f40eebfd3c7e19ee3f33ffbe7a600f4052a73a8120d64eb51639ae23d64c94ad7fc60fda740f6c7487ff8285602dd24a024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d37e0e6-a35e-4d21-ad20-d736eeecb6a1.vbs

Filesize
715B

MD5
0dd8e5e6778d71043d8fa051f986f123

SHA1
c9b4abeb30cd114d1448246329bf1d3ebaab5ff4

SHA256
0e447d29ca409d8e8ef629553e88eb56c8b112b56f2e39130b48783a2d662d6b

SHA512
d4f484b7d1364f0ad9065fd7d026a32f4ed891200c22be901a8cc663358e93a32f0e6b40a173d4505962ac4b8bfbedf560fe611e33d2f74ef573084d1fcfe63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ca9b813-6419-4fcb-a693-0d78552c68bf.vbs

Filesize
715B

MD5
7c629470a362a8f0478722e0766c8386

SHA1
f0726682e93370e7229b4d6c175411f50fb10e69

SHA256
3cb57617c18c3d8226db8f65ef7f5d992501fb629c8439ffab0d7f6aabeae936

SHA512
08d10dcf4a9e2455c5845e1b9f01b6ce3c6b4713657d13ed7d84f89ab881aaf4b554f19a162faf3f2babbb4010d060ee1f39f24042e49d388ae5863105659f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\328fbc6f-ebfb-4bde-b3f2-c2570f9a6536.vbs

Filesize
715B

MD5
1c841f8a507eb51fb5476cbdf3057ccb

SHA1
0e0151c495baf43525be29d91501d2c0051ba895

SHA256
170f932ac9ad51ce0bdef6e0834f2d55fe57bc806de047e9546002c2f7f6cdb8

SHA512
56940cf2e80437129770f69d2327fdae3989fd520fde855586c37eb0b24c82c76bb5dc2ff9d7cfa029b2237dab81ba27296eeabb44561ed7ea9eafbdab6d3212

Download Submit
C:\Users\Admin\AppData\Local\Temp\63f3b365-1b00-4f24-b599-30ccc2f20fd0.vbs

Filesize
715B

MD5
5f49fd2046fd5fde963c35438ab50859

SHA1
140139ba16a41cb51d4c43bc80f1792cb76c5fc2

SHA256
4b7b691ded0815ddb7727221bf422097fe78c57c9de0da4602cb6c235b05171a

SHA512
0aa559221b69dc1516f822db974ca41042c1db6d3f5de8b2e2412f8ca514cca6a3b71b1070f31b4976a1d6b5c6ed01081ea8937c627e35aab4cac738a69046ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c61b940-aea2-4222-b620-05cf2640a768.vbs

Filesize
715B

MD5
b196037a298a50e99d0fc149445f64d7

SHA1
ba8ebca34b2336d6a05f7b6616e8eddd0d0ff07e

SHA256
a745c85c2d378ce9d482de2d0f8e1e487958a5a97318762c51cc7efc46ab964b

SHA512
1b836f7931d97c6bab41e88700c99034fe270ca9d16d3cc6843316f90e6d23904de6636e10296d33c02ab4b7586d5ea2a6ccaa19140e6066b7c35a7d7da842f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMBBAnYlRA.bat

Filesize
204B

MD5
76447cc6c09520ef20da5330c8cafe22

SHA1
5d23c7183c7d6178462815207b25465ac867cfa7

SHA256
1a5964d77b177082b308fb4cfc248cfc4361099b373ad20af48dbe7bf1f917d4

SHA512
c9dce24f3e63cc07175cac66ea2eaa1f07a9d593b8374cee28ba5822784fe020dc80f97e0980f7d25cc2ea248fd6cd3cc278e7aaf55970d891783e8023e7853b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1drymk0.cts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3936fef-3325-4cb1-a062-a20cff1a2df0.vbs

Filesize
491B

MD5
41ea79ab5d90598ed4a565fa3dcf0eaa

SHA1
67b24c6b30d15817f08e7880dbaeaacf9da50956

SHA256
6390d3c372e06442cccf86b053d424a5053e70ce9182882adc339ff631ef6029

SHA512
7e42813154f1676614e8d8952b912886e22f64acadc61ce2df497cad226e9c3a774e062d80ccd7eb00aff7bd5cda0bfca4da91574264ace651f61483039d8f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\aca1248c-3817-4ec2-840b-62fe680e2f95.vbs

Filesize
715B

MD5
e30e16b40fcd50f6853269e8605023e3

SHA1
d1624f274a08a127e0cba4908fbdbc4d39c756bb

SHA256
a1f48942c8db86a712c0081807080d8774f32ead7ae35e9008cbef75a7680ed6

SHA512
01d6144f1168c99410213a111e071abf6d3807b06fe85f373c03157ec990c71462e58e4427a92d8d710b7ab01b5b381361dd9a5149a386e787b5deda4b547e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbc60344-cf79-4178-9b0b-2689cb0c6a95.vbs

Filesize
715B

MD5
5c3fd09a77fb52a9ce0d5dd9e8b3e66b

SHA1
f45402cb6aae187b78c80535d80b010efeb927bb

SHA256
87791484dfe6fc157ff80340067fa64b8d6e6325654e346ffd2cd6639780e384

SHA512
aa475dc59391f61ad5deff7a93893ead1d7e5f0d317a43060ab9181893b0ad121fdd869bb0dcc15483124e2801dd6b43e4a1996edf1e3f298fd2f25f692a5182

Download Submit
C:\Users\Admin\AppData\Local\Temp\c93b2703-5327-4e6f-a4c2-d688ff3ab476.vbs

Filesize
715B

MD5
df1b040d9cd5542fc7f44ffe2b736590

SHA1
0f7fb2c76e467b6347c80ccc3105b9a05e3a5c4e

SHA256
2e089927a4635d8dd634dd99f316de1d6f05b8a16a959ad8b8bab0c48e3fa9ed

SHA512
9387dc7565dcc2d62b5282f76c046ab1e199d43f639f1a799c9b955ed753907c38a2b72089da1260dce3c218c2ce22a43246b5db756d5633b0225affb18cf153

Download Submit
C:\Users\Admin\AppData\Local\Temp\d045f065-324a-4135-8631-b0dbf5c973b7.vbs

Filesize
715B

MD5
10a8edb42bf064eeefc84d0d05e7067e

SHA1
43cdbc73e6ac125224ea470af11dcd7baae07ebc

SHA256
4c2d25921ab351fa2a49828caa9b7f5ccfe07383dd22bdbac1c867cbf9204c82

SHA512
cfb9d21f7e392f0e7bd9b2c2d954596561b4ca97a87e75b79bc73d81b7aa2dcc67a1ef409031e2be0790ba0cb89565c85390e1287c81b7e11624d97f5c76d603

Download Submit
C:\Users\Admin\AppData\Local\Temp\d55df18342801a2c24ff6a2ffc2c1a886e6e9ed7.exe

Filesize
1.6MB

MD5
cd0161c8fe07b10702af8edc00743708

SHA1
6691a45d36de1ac2b31cf1f20f6088b4a2044f11

SHA256
391eaea76b299f73c8ddfb02424642ba52eaf62e8ebcfb02ad5069ffbc1e36a7

SHA512
a7cab145f0e950e206b993492e10e1cf3479ba11b374828373adb82f3b6e996b83e0532634c28cd4a5782e38920caadf391c975d1a2eb4b860f898232f6b98b7

Download Submit
C:\Users\Admin\OneDrive\csrss.exe

Filesize
1.9MB

MD5
e3e41d9c5ff14ac3d6b241919529b0bf

SHA1
2dbfc71860ca38a1400e38c14cfce3692d18c70a

SHA256
a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0

SHA512
64d8683c41f4fa3247da647d856cd18f8a6332d99344612d86e2321bccfc50ea339d12f40f0bd2ceb19850d4beeda2182fbf03ea40a0cbaa4388e486d6fb4f30

Download Submit
memory/1708-524-0x000000001CFF0000-0x000000001D0F2000-memory.dmp

Filesize
1.0MB

Download
memory/1708-512-0x000000001C9F0000-0x000000001CA02000-memory.dmp

Filesize
72KB

Download
memory/1708-523-0x000000001CFF0000-0x000000001D0F2000-memory.dmp

Filesize
1.0MB

Download
memory/1868-526-0x000000001CBF0000-0x000000001CC02000-memory.dmp

Filesize
72KB

Download
memory/1868-537-0x000000001D2A0000-0x000000001D3A2000-memory.dmp

Filesize
1.0MB

Download
memory/2056-283-0x0000027B65750000-0x0000027B65772000-memory.dmp

Filesize
136KB

Download
memory/3824-17-0x000000001BD10000-0x000000001BD1E000-memory.dmp

Filesize
56KB

Download
memory/3824-9-0x000000001BA50000-0x000000001BAA6000-memory.dmp

Filesize
344KB

Download
memory/3824-211-0x00007FF83DF90000-0x00007FF83EA51000-memory.dmp

Filesize
10.8MB

Download
memory/3824-187-0x00007FF83DF93000-0x00007FF83DF95000-memory.dmp

Filesize
8KB

Download
memory/3824-10-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/3824-14-0x000000001C590000-0x000000001CAB8000-memory.dmp

Filesize
5.2MB

Download
memory/3824-1-0x00000000006E0000-0x00000000008CA000-memory.dmp

Filesize
1.9MB

Download
memory/3824-2-0x00007FF83DF90000-0x00007FF83EA51000-memory.dmp

Filesize
10.8MB

Download
memory/3824-4-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

Filesize
320KB

Download
memory/3824-15-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/3824-16-0x000000001BD00000-0x000000001BD0A000-memory.dmp

Filesize
40KB

Download
memory/3824-0-0x00007FF83DF93000-0x00007FF83DF95000-memory.dmp

Filesize
8KB

Download
memory/3824-18-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/3824-19-0x000000001BD30000-0x000000001BD3C000-memory.dmp

Filesize
48KB

Download
memory/3824-20-0x000000001BD40000-0x000000001BD4C000-memory.dmp

Filesize
48KB

Download
memory/3824-11-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/3824-13-0x000000001BB10000-0x000000001BB22000-memory.dmp

Filesize
72KB

Download
memory/3824-3-0x0000000001080000-0x000000000109C000-memory.dmp

Filesize
112KB

Download
memory/3824-5-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/3824-311-0x00007FF83DF90000-0x00007FF83EA51000-memory.dmp

Filesize
10.8MB

Download
memory/3824-8-0x0000000002A50000-0x0000000002A5A000-memory.dmp

Filesize
40KB

Download
memory/3824-6-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3824-7-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/5904-487-0x000000001D550000-0x000000001D5A6000-memory.dmp

Filesize
344KB

Download
memory/5904-488-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/5904-486-0x0000000000BC0000-0x0000000000DAA000-memory.dmp

Filesize
1.9MB

Download