13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
119s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8b0399c704553c85dfd0ab584536333.exe
Size

1.9MB
MD5

a8b0399c704553c85dfd0ab584536333
SHA1

62aea1857adbb4160c94beb5c8a599c0b6064a07
SHA256

2614012e702c04f31efd94532e4d8331b5a8d2ec0a2f7b98cdaf4c02942c469e
SHA512

65cf46ce9d75e7395d77c2025a9ab8552cfebc3b979c0c1596f9b3114b0699a11882c6dc1d312b0d3a2e14cf887525990b2612372a990748f6b31914f03f7904
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5228	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5520	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5620	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5880	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4636	schtasks.exe	87

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5408	powershell.exe
4224	powershell.exe
5916	powershell.exe
5220	powershell.exe
3356	powershell.exe
5836	powershell.exe
804	powershell.exe
2940	powershell.exe
5816	powershell.exe
6116	powershell.exe
1376	powershell.exe
5588	powershell.exe
3116	powershell.exe
2840	powershell.exe
4432	powershell.exe
2564	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a8b0399c704553c85dfd0ab584536333.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	a8b0399c704553c85dfd0ab584536333.exe

Executes dropped EXE 6 IoCs

pid	Process
3700	OfficeClickToRun.exe
4312	OfficeClickToRun.exe
2504	OfficeClickToRun.exe
4216	OfficeClickToRun.exe
5488	OfficeClickToRun.exe
2796	OfficeClickToRun.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8b0399c704553c85dfd0ab584536333.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4692_1191653417\RCX8316.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX6D29.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files\edge_BITS_4692_1191653417\RCX8298.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX7689.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files\edge_BITS_4552_402817754\RCX6B04.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\MSBuild\dwm.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX879E.tmp	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files\edge_BITS_4552_402817754\f3b6ecef712a24	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files\edge_BITS_4692_1191653417\38384e6a620884	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\e6c9b481da804f	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\MSBuild\dwm.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX6593.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX879D.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files\edge_BITS_4552_402817754\RCX6B15.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX6592.tmp	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\MSBuild\6cb0b6c459d5d3	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\38384e6a620884	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX6D3A.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX760B.tmp	a8b0399c704553c85dfd0ab584536333.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tracing\explorer.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Windows\tracing\explorer.exe	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Windows\tracing\7a0fd90576e088	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCX788E.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCX78FC.tmp	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Windows\tracing\RCX7E01.tmp	a8b0399c704553c85dfd0ab584536333.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\9e8d7a4ca61bd9	a8b0399c704553c85dfd0ab584536333.exe
File opened for modification	C:\Windows\tracing\RCX7D83.tmp	a8b0399c704553c85dfd0ab584536333.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	a8b0399c704553c85dfd0ab584536333.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4656	schtasks.exe
436	schtasks.exe
2948	schtasks.exe
4496	schtasks.exe
1116	schtasks.exe
5880	schtasks.exe
4808	schtasks.exe
3872	schtasks.exe
432	schtasks.exe
5520	schtasks.exe
1404	schtasks.exe
4592	schtasks.exe
4752	schtasks.exe
4000	schtasks.exe
2088	schtasks.exe
5000	schtasks.exe
1488	schtasks.exe
5712	schtasks.exe
2188	schtasks.exe
5620	schtasks.exe
3968	schtasks.exe
1656	schtasks.exe
3668	schtasks.exe
5496	schtasks.exe
4912	schtasks.exe
5188	schtasks.exe
5024	schtasks.exe
4880	schtasks.exe
4840	schtasks.exe
5584	schtasks.exe
3096	schtasks.exe
5312	schtasks.exe
5228	schtasks.exe
3236	schtasks.exe
2392	schtasks.exe
6128	schtasks.exe
1924	schtasks.exe
5200	schtasks.exe
2976	schtasks.exe
4760	schtasks.exe
4824	schtasks.exe
2852	schtasks.exe
5260	schtasks.exe
1512	schtasks.exe
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
2832	a8b0399c704553c85dfd0ab584536333.exe
5816	powershell.exe
5816	powershell.exe
3116	powershell.exe
3116	powershell.exe
5220	powershell.exe
5220	powershell.exe
2564	powershell.exe
2564	powershell.exe
2940	powershell.exe
2940	powershell.exe
1376	powershell.exe
1376	powershell.exe
5836	powershell.exe
5836	powershell.exe
2840	powershell.exe
2840	powershell.exe
6116	powershell.exe
6116	powershell.exe
5408	powershell.exe
5408	powershell.exe
5588	powershell.exe
5588	powershell.exe
4432	powershell.exe
4432	powershell.exe
4224	powershell.exe
4224	powershell.exe
3356	powershell.exe
3356	powershell.exe
804	powershell.exe
804	powershell.exe
5916	powershell.exe
5916	powershell.exe
4224	powershell.exe
804	powershell.exe
3356	powershell.exe
5816	powershell.exe
5816	powershell.exe
3116	powershell.exe
2840	powershell.exe
1376	powershell.exe
5220	powershell.exe
5588	powershell.exe
2940	powershell.exe
5408	powershell.exe
5836	powershell.exe
2564	powershell.exe
6116	powershell.exe
4432	powershell.exe
5916	powershell.exe
3700	OfficeClickToRun.exe
4312	OfficeClickToRun.exe
4312	OfficeClickToRun.exe
2504	OfficeClickToRun.exe
4216	OfficeClickToRun.exe
5488	OfficeClickToRun.exe
2796	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	a8b0399c704553c85dfd0ab584536333.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	5836	powershell.exe
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	5588	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	3700	OfficeClickToRun.exe
Token: SeDebugPrivilege	4312	OfficeClickToRun.exe
Token: SeDebugPrivilege	2504	OfficeClickToRun.exe
Token: SeDebugPrivilege	4216	OfficeClickToRun.exe
Token: SeDebugPrivilege	5488	OfficeClickToRun.exe
Token: SeDebugPrivilege	2796	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 5816	2832	a8b0399c704553c85dfd0ab584536333.exe	138
PID 2832 wrote to memory of 5816	2832	a8b0399c704553c85dfd0ab584536333.exe	138
PID 2832 wrote to memory of 5836	2832	a8b0399c704553c85dfd0ab584536333.exe	139
PID 2832 wrote to memory of 5836	2832	a8b0399c704553c85dfd0ab584536333.exe	139
PID 2832 wrote to memory of 6116	2832	a8b0399c704553c85dfd0ab584536333.exe	140
PID 2832 wrote to memory of 6116	2832	a8b0399c704553c85dfd0ab584536333.exe	140
PID 2832 wrote to memory of 5408	2832	a8b0399c704553c85dfd0ab584536333.exe	141
PID 2832 wrote to memory of 5408	2832	a8b0399c704553c85dfd0ab584536333.exe	141
PID 2832 wrote to memory of 2940	2832	a8b0399c704553c85dfd0ab584536333.exe	143
PID 2832 wrote to memory of 2940	2832	a8b0399c704553c85dfd0ab584536333.exe	143
PID 2832 wrote to memory of 3356	2832	a8b0399c704553c85dfd0ab584536333.exe	145
PID 2832 wrote to memory of 3356	2832	a8b0399c704553c85dfd0ab584536333.exe	145
PID 2832 wrote to memory of 804	2832	a8b0399c704553c85dfd0ab584536333.exe	147
PID 2832 wrote to memory of 804	2832	a8b0399c704553c85dfd0ab584536333.exe	147
PID 2832 wrote to memory of 5220	2832	a8b0399c704553c85dfd0ab584536333.exe	148
PID 2832 wrote to memory of 5220	2832	a8b0399c704553c85dfd0ab584536333.exe	148
PID 2832 wrote to memory of 2840	2832	a8b0399c704553c85dfd0ab584536333.exe	149
PID 2832 wrote to memory of 2840	2832	a8b0399c704553c85dfd0ab584536333.exe	149
PID 2832 wrote to memory of 5916	2832	a8b0399c704553c85dfd0ab584536333.exe	150
PID 2832 wrote to memory of 5916	2832	a8b0399c704553c85dfd0ab584536333.exe	150
PID 2832 wrote to memory of 2564	2832	a8b0399c704553c85dfd0ab584536333.exe	151
PID 2832 wrote to memory of 2564	2832	a8b0399c704553c85dfd0ab584536333.exe	151
PID 2832 wrote to memory of 3116	2832	a8b0399c704553c85dfd0ab584536333.exe	153
PID 2832 wrote to memory of 3116	2832	a8b0399c704553c85dfd0ab584536333.exe	153
PID 2832 wrote to memory of 4224	2832	a8b0399c704553c85dfd0ab584536333.exe	179
PID 2832 wrote to memory of 4224	2832	a8b0399c704553c85dfd0ab584536333.exe	179
PID 2832 wrote to memory of 5588	2832	a8b0399c704553c85dfd0ab584536333.exe	155
PID 2832 wrote to memory of 5588	2832	a8b0399c704553c85dfd0ab584536333.exe	155
PID 2832 wrote to memory of 4432	2832	a8b0399c704553c85dfd0ab584536333.exe	156
PID 2832 wrote to memory of 4432	2832	a8b0399c704553c85dfd0ab584536333.exe	156
PID 2832 wrote to memory of 1376	2832	a8b0399c704553c85dfd0ab584536333.exe	157
PID 2832 wrote to memory of 1376	2832	a8b0399c704553c85dfd0ab584536333.exe	157
PID 2832 wrote to memory of 4584	2832	a8b0399c704553c85dfd0ab584536333.exe	170
PID 2832 wrote to memory of 4584	2832	a8b0399c704553c85dfd0ab584536333.exe	170
PID 4584 wrote to memory of 4352	4584	cmd.exe	172
PID 4584 wrote to memory of 4352	4584	cmd.exe	172
PID 4584 wrote to memory of 3700	4584	cmd.exe	174
PID 4584 wrote to memory of 3700	4584	cmd.exe	174
PID 3700 wrote to memory of 2372	3700	OfficeClickToRun.exe	175
PID 3700 wrote to memory of 2372	3700	OfficeClickToRun.exe	175
PID 3700 wrote to memory of 1460	3700	OfficeClickToRun.exe	176
PID 3700 wrote to memory of 1460	3700	OfficeClickToRun.exe	176
PID 2372 wrote to memory of 4312	2372	WScript.exe	180
PID 2372 wrote to memory of 4312	2372	WScript.exe	180
PID 4312 wrote to memory of 6100	4312	OfficeClickToRun.exe	183
PID 4312 wrote to memory of 6100	4312	OfficeClickToRun.exe	183
PID 4312 wrote to memory of 3968	4312	OfficeClickToRun.exe	184
PID 4312 wrote to memory of 3968	4312	OfficeClickToRun.exe	184
PID 6100 wrote to memory of 2504	6100	WScript.exe	189
PID 6100 wrote to memory of 2504	6100	WScript.exe	189
PID 2504 wrote to memory of 788	2504	OfficeClickToRun.exe	190
PID 2504 wrote to memory of 788	2504	OfficeClickToRun.exe	190
PID 2504 wrote to memory of 3300	2504	OfficeClickToRun.exe	191
PID 2504 wrote to memory of 3300	2504	OfficeClickToRun.exe	191
PID 788 wrote to memory of 4216	788	WScript.exe	192
PID 788 wrote to memory of 4216	788	WScript.exe	192
PID 4216 wrote to memory of 1440	4216	OfficeClickToRun.exe	193
PID 4216 wrote to memory of 1440	4216	OfficeClickToRun.exe	193
PID 4216 wrote to memory of 2564	4216	OfficeClickToRun.exe	194
PID 4216 wrote to memory of 2564	4216	OfficeClickToRun.exe	194
PID 1440 wrote to memory of 5488	1440	WScript.exe	196
PID 1440 wrote to memory of 5488	1440	WScript.exe	196
PID 5488 wrote to memory of 5812	5488	OfficeClickToRun.exe	197
PID 5488 wrote to memory of 5812	5488	OfficeClickToRun.exe	197

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a8b0399c704553c85dfd0ab584536333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe
"C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a8b0399c704553c85dfd0ab584536333.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\a8b0399c704553c85dfd0ab584536333.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrkXqxjWk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4352
- - C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
    "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dc4fcaa-e66b-4957-8685-90a8c6640d3a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4312
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\025edc31-8289-4035-b772-5962360f3624.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:6100
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b63537-9274-446b-b08b-cd39e3107f0d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe9572a-98a5-4021-a8aa-11c34df1b37b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a2daa6e-71ac-4ae6-aa9f-7747c5194527.vbs"
        12⤵
        
        PID:5812
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e234bfa6-5af8-49b3-a87d-25072770fbcc.vbs"
        14⤵
        
        PID:736
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        15⤵
        
        PID:804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a49cc11f-033c-4ff6-807b-80b72b93b37b.vbs"
        16⤵
        
        PID:1828
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        17⤵
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b924ace-b67f-4b62-bbd4-67e9558b1f4f.vbs"
        18⤵
        
        PID:5100
        
        C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe"
        19⤵
        
        PID:4764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1cddb33-6a23-49d4-9bc9-c2f0b6d062f9.vbs"
        20⤵
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63ae81e9-264b-413e-9631-c069672ca9e0.vbs"
        20⤵
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94bb4d0e-478a-4752-9ce6-63332c3563fb.vbs"
        18⤵
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\130e05ff-7a58-4211-8ed5-e95d1976823e.vbs"
        16⤵
        
        PID:5696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18bacf7b-e72f-4bc1-8b45-73f70079fba7.vbs"
        14⤵
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96732667-b523-4401-ba87-45da3b375557.vbs"
        12⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e6306b6-3767-4dcf-93b7-615e05d93331.vbs"
        10⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d110691-5344-47f7-a5d7-87699dae1aa3.vbs"
        8⤵
        
        PID:3300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af547684-67ea-41fb-90bf-8b5e880ab339.vbs"
        6⤵
        
        PID:3968
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df834ca-1b00-4c44-8b86-feab611d00ca.vbs"
      4⤵
      PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4552_402817754\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a8b0399c704553c85dfd0ab584536333a" /sc MINUTE /mo 5 /tr "'C:\aff403968f1bfcc42131676322798b50\a8b0399c704553c85dfd0ab584536333.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a8b0399c704553c85dfd0ab584536333" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\a8b0399c704553c85dfd0ab584536333.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a8b0399c704553c85dfd0ab584536333a" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\a8b0399c704553c85dfd0ab584536333.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5620

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\fr-FR\SearchApp.exe

Filesize
1.9MB

MD5
fc65763fb8fb6af61cb8667966a9e3af

SHA1
f2ef797d5e0b04f86f517e07cf7e7c389ed00390

SHA256
b7cbd921236685d83704e7f6f81cb052ed6aecc100af4ff565483902a5d3f569

SHA512
6a1e6477f060fd15a2f830f772de8abaa92f9ff346de8632f75200c62d5d6f1b8faa4f2a4f34f170740dfb789d99151547fb4ebfaf1999efc3764ba77610581d

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\OfficeClickToRun.exe

Filesize
1.1MB

MD5
a3cf7ece9dbefb254832ddaad6027351

SHA1
a50030e925b2b6db14ffb8a39de6a0f3821bd722

SHA256
136fa9516634831cf048a6c7a2af3d73349a7fd3fe434efa63b066f17f8eb2ce

SHA512
447dbd7cd0b1d2005d7109adbd142c6cfacdd84edc4e3ed23ea4c6dd42af5de7d9ec567d228d7e7e95c5f470e38a1e556e3eba2844f6675059f1298e3a998aeb

Download Submit
C:\Program Files\edge_BITS_4692_1191653417\SearchApp.exe

Filesize
1.9MB

MD5
0a67a668ba0e06fc199166f0091b7198

SHA1
2440caf4ddc77ddb9f2f6343ee544d887a20a89e

SHA256
adda65530b7660170ccdba00e03fb88d19c200550d093134070ef4b0d64f1225

SHA512
b9b8adbb2e27f962a64ee7c8102a7c684af697a9caa098389b5708bc3f78c176da6ad82a770989bd7af83586d5045df590214dd72b5d302dd46dd25f109f121d

Download Submit
C:\ProgramData\regid.1991-06.com.microsoft\RuntimeBroker.exe

Filesize
1.9MB

MD5
a8b0399c704553c85dfd0ab584536333

SHA1
62aea1857adbb4160c94beb5c8a599c0b6064a07

SHA256
2614012e702c04f31efd94532e4d8331b5a8d2ec0a2f7b98cdaf4c02942c469e

SHA512
65cf46ce9d75e7395d77c2025a9ab8552cfebc3b979c0c1596f9b3114b0699a11882c6dc1d312b0d3a2e14cf887525990b2612372a990748f6b31914f03f7904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caf46b906a58e37d9a9d5830cca40ef7

SHA1
ba5b7fc4d909707ac0b0d23b0474a4ce4be344ea

SHA256
616b72a430081d6878826dc6ea2f1e4d3c890a7e084049fcaf30dcd2147727fd

SHA512
ba93462da88fea2be2fb3eecae32597c6c0248e77c6e05b43e0573a040f0784364e7abafede416c9eec466d9446a03d940628c977c45751b987a5da69c14ed00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdbc304f3d894fc63c481c99aa258017

SHA1
47cd3a7cae4dbf6bdd92532bbb69224a75221b86

SHA256
58c02d17c622f9ffc1744d26a3be409d7a95796119bcea540e54dcf687c8abb3

SHA512
18923c6b620a47d59377bdffd8dbf9717750a52980530cd67c169704649e471b1583eda2045cc7db84e560a9672759f8ea0c3a5ab45d4f328e17aa6e0ca5fae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
928aa3523bb69cdd703ecd7417c74f1a

SHA1
965b5027b95dfbc9d1394b4790ce691439221448

SHA256
a3af5372295f417ab2a0064edcbd0f1dd0af1c1d5e65eef34e7e2f4c398a2477

SHA512
8b83e147437dd3f8f3cbac03ceb4f8bdcfd2bd024f90e312941ff7479caa950fd31b35cafbfedb20424fbf27065d407fbb330837ecf441ed88bc3c7ff84dd0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9038073858225f9afc939a0a2385005d

SHA1
ccd8ee1416a8e738628ffd01f39eca6324000563

SHA256
3fc794e69bf73ea36eccc866688e3ba9303224c00f264f4b771bdb536035240e

SHA512
cb0f4422b84975595744bf183a71527b053cf738f19aa4ed1008c35d5ea6fb9e2c8ae142a81eeae2091abf2a17e24c6beca488a9c3ea6b6d2d989e3a58a52d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bcebe662dcddf8a8c942299b507205e0

SHA1
74c92b01e2b8c147f2f6e39ef7a95b171252ad37

SHA256
1aa7e8cd174ef0191e4aa20a0d71c447ecba9cca979ccb0b921d8275c4aad610

SHA512
bb6156cc9a37d8e978b54c7a91d3362eb759b02a58c434633f76ebea793674b8b5633dcbce9ac8297bf97d92fdae49a6bfa85df0e8fa0a204628d65c7074b4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\025edc31-8289-4035-b772-5962360f3624.vbs

Filesize
742B

MD5
a2a7a70b225ce1ef403ce83579ed7f98

SHA1
e62a64e9e8b34d8a8a0fd537ef788ba3e900c72a

SHA256
35c223ee4d778d6998d1365bb94a76d96c6a7a84c8bd303a7b7e2ea44ac47d46

SHA512
e7e2eff412978f31ab3d16f32d6b145eef40df6792864dbeaac3131b553be5b0bfb14b8ea965b30bff4556c767a21d8299edb7ccf690866b496546ff0e625f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dc4fcaa-e66b-4957-8685-90a8c6640d3a.vbs

Filesize
742B

MD5
d414365d3c1e90a45825b8830f599d36

SHA1
2084ee643c53ec8e8a99af70c16c663db23deb70

SHA256
e494abe72e135d4de2ae7581c51fb2bbfca06d65ddaace433e4328b885b47b4f

SHA512
5cceb94a406173b760593bf3a719764f6ce9960ceeecd5edea92f426178c9aa53a113db1dbf843a80d0c1e6a2f00f2603ae44ead620da33bc2b18617dedba3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b924ace-b67f-4b62-bbd4-67e9558b1f4f.vbs

Filesize
742B

MD5
4231eaa8447627a088bf72afb5505312

SHA1
68c735737daaaf8395f9fae9cc1b63179a937025

SHA256
5d1ba0f52ac0c5d9f3ec68880b26fe9df19df6cabea57ee2dc19bed9c697d89a

SHA512
6055e0dd9ce25b18321fac2c5eb7ef95eb5c0a93e397bc7be2ae233ff409975335413c0dff17a3e213c55d3fa2106afd9404268c417510fdb96ec9a13ffeb926

Download Submit
C:\Users\Admin\AppData\Local\Temp\4df834ca-1b00-4c44-8b86-feab611d00ca.vbs

Filesize
518B

MD5
70c53c257d14fcbbda5d43f9b31408fd

SHA1
3d8995256ddf0576ab4130f1065b4ba35d7c1c73

SHA256
bc664efd6b90554be20966ec1db992b065f8f39fbd17fb721acc5c1d7d1708bb

SHA512
0b8799b07d256efa52333e962c727e8c089bb4c1d07fcb61b4e2a5044213a2ea7a552848495393ade5ee9d21a48329d6602f28047537c542b325b5f94f1cba95

Download Submit
C:\Users\Admin\AppData\Local\Temp\79b63537-9274-446b-b08b-cd39e3107f0d.vbs

Filesize
742B

MD5
5186f4446568aaa627ee38984cef0c94

SHA1
706c30a268dfebe978ddb9c3abd38ddec94b6389

SHA256
0f405f86b6838300e744ff4c0940a9175a1bdbb410fa5d7edf5c76a03e4d8d2a

SHA512
5f60c1cc1341e306e3cdf9495cb5015459364c1f2cf897ffbc7193073f6399c6dd27acc1c0517fc06def31da5b904f75de918bd8b4f3666d9e14115e77f9f261

Download Submit
C:\Users\Admin\AppData\Local\Temp\98589c10b7b2a38d61ad28fef5e8ae2745f86f05.exe

Filesize
923KB

MD5
6bc615038328e85dd07c15db9823e1b9

SHA1
30547f266d436a8d253a57a450ccd40e3c25fc55

SHA256
4c356b1ef3503a900638a8aa6872f735de06c59b00de274020bba72510154d22

SHA512
7c5047306d228b3055ff6a115559bff356e9b5c78b8f2852ba62b810cb108d38e13ba57aead889cc62018bea58e90f60451a1f3d15af74c1259322cdab3d1969

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a2daa6e-71ac-4ae6-aa9f-7747c5194527.vbs

Filesize
742B

MD5
843f9966ebde37693853af52fb70476c

SHA1
d876468b291f5653dce735090df100daff6e3901

SHA256
30e460e8ae07e580fa25edbfc5db4a39c8a285292fa03665e33fd2a570749821

SHA512
cfed8157516be50c49a2a990ac8f6e21e756a3340daf2d4067513a556db1353f684a1482b11c294eb1fa27025c5a96f2a0abd95d0a9a2175b607f865712fac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbbizhem.aco.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1cddb33-6a23-49d4-9bc9-c2f0b6d062f9.vbs

Filesize
742B

MD5
8b62dd810ebaaf2d4640356cf4948e04

SHA1
d525099710d60032b1762bb184e48c3da3c1d019

SHA256
449d7424caac2c7ff315bc3f8863ca6378ae880df2a043ad8189ba0a5e3968c8

SHA512
97bc6c962d471098f4b125526587cb8138dc0b6aa8195d2bb447816a9456ae2a529a2f2ae24507518d02aa7808bc618ab890defab1f4832e1f8cbc5d40bf3e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a49cc11f-033c-4ff6-807b-80b72b93b37b.vbs

Filesize
741B

MD5
d2d586d6bcadf333c51e56488f6a2334

SHA1
32431a241020a9013e1c11a474b568f0079b2210

SHA256
4fe3274df07dd88fc6c114a9c73781e902735d844f27abf0ad86e1176a33392b

SHA512
14058e32c72c7d2f784ad9e479f58a4d80506ec5379c5e39eee18299a8749d319d567515567c8fa876d0f1f0096abb699e81527c6191b162b2c76f513135b4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\e234bfa6-5af8-49b3-a87d-25072770fbcc.vbs

Filesize
742B

MD5
48717a9ec4819322d6726488759b189f

SHA1
7cadfbd019d2cd3057285679a5e98d233b76b165

SHA256
4aa4ec73c8ac7cc366de30c67b6a4330388cc8a9c904eaa44fbbd86729aa91c3

SHA512
429b8835090a15a5599819562bfb04a4034be23991466f64c897b7b806f6aea3b4771ab605eb8e96c3ae93a1c52867908c456cca47558993d91b7ea4f53a3f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebe9572a-98a5-4021-a8aa-11c34df1b37b.vbs

Filesize
742B

MD5
9890579abb806e17548f7eaf68ce1122

SHA1
957c0b14f95fca459e334156d43e889a65be8765

SHA256
7ba0cf740ffcb6fa38d4957a7a45fa6a050594f7edf0544529444aa2bf5342e0

SHA512
eb5cfbad69fa349f28f0698eae58e47004b0ee9695138094430bf3e880904c152796b85873e7ce9b244ef160c5e26d3a124a6d88c39ca0cacd2a3f775241d756

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrkXqxjWk.bat

Filesize
231B

MD5
68fcf773d3e07cc2bbe491b430db7427

SHA1
f8a365d407a2c11bd96711428bbdcfbc9b67c7b6

SHA256
2211a13ba42337226dbb5e9215e68212ab5b8961bedfc65474f8af360718f304

SHA512
0fa555e4a1ddfcafb7fface7ffedecda8f3fbf55f96cd1b2a9dea9910ddd66cdc73e1475d82ada06f57dfb90adfe5cb6e5538d8de14350efc725368db0fd13ee

Download Submit
C:\Windows\RemotePackages\RemoteDesktops\RCX78FC.tmp

Filesize
1.9MB

MD5
0eb7aab813288a232aaeca49c95f1987

SHA1
640920cb13bd7e1bc6a79bdd16a1981d1d1ce8d3

SHA256
a3466646fda4254510733ec58d30616acc9d70ffc73d953723f9bef6269c1e96

SHA512
71716e6cc861d351a426ed5269deb1472873b574babf7e3a0fe7d870226fd568f994d089cb4b257c85e34ea924a669168a88630a8000e5fd424efd9db20c69ac

Download Submit
C:\Windows\tracing\explorer.exe

Filesize
1.9MB

MD5
a046b24027420b677c1c5409a2ddee25

SHA1
95bd68899fe0d352bcb153faff8130712906cf1e

SHA256
012635e0e394137a4bb50381b8f9bbc83e04326ebef3b39d553668531e12be64

SHA512
c172ab555bbf7eac40e761660a136deb4a1a2a2104284d7a634306cc08ddfa1dd56d6e191e23e8dc2df4f8307cccee7a9670d4051bb13b5aae9e35d3e2e45173

Download Submit
C:\aff403968f1bfcc42131676322798b50\a8b0399c704553c85dfd0ab584536333.exe

Filesize
1.9MB

MD5
3a84985e2545cd31f29e5b939b04597e

SHA1
0efcc50d9179934f2e73d28db6586d6410d70c8b

SHA256
7e085f6061d175794a2f8ac609a7515a45064b4dd78aff172d5a8ec6416d1c0a

SHA512
a062161fa9e2ca023895e25da7294ba2c81851379a88694b417691bdcc7d52cd8eda1903d36e40d483f7038d75583a835e9a1bcf5f6a8ab5d995b0b31bac4305

Download Submit
C:\f9532e701a889cdd91b8\backgroundTaskHost.exe

Filesize
1.9MB

MD5
68f39ec2ea28099beb55c4600c8740c6

SHA1
395ed95f7091414c445ca8eba0e2641d9f009cf2

SHA256
5d9e04640dcb91007b984eb335d2a3a4350932c489c57163d97146c95698a971

SHA512
ef0e25af5625db53914dafac52f8641a25f50b98b49946af790746e1c74c7bf3404181b44fd5c0c36074a5bf6f39d7275b4209b93b57fd906c6ac99141d10711

Download Submit
memory/2504-450-0x000000001B0B0000-0x000000001B106000-memory.dmp

Filesize
344KB

Download
memory/2796-484-0x0000000002500000-0x0000000002556000-memory.dmp

Filesize
344KB

Download
memory/2796-485-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/2832-18-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/2832-8-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/2832-1-0x0000000000770000-0x000000000095A000-memory.dmp

Filesize
1.9MB

Download
memory/2832-218-0x00007FFF59F90000-0x00007FFF5AA51000-memory.dmp

Filesize
10.8MB

Download
memory/2832-195-0x00007FFF59F93000-0x00007FFF59F95000-memory.dmp

Filesize
8KB

Download
memory/2832-16-0x000000001BD80000-0x000000001BD8A000-memory.dmp

Filesize
40KB

Download
memory/2832-20-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/2832-17-0x000000001BD90000-0x000000001BD9E000-memory.dmp

Filesize
56KB

Download
memory/2832-0-0x00007FFF59F93000-0x00007FFF59F95000-memory.dmp

Filesize
8KB

Download
memory/2832-19-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/2832-15-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/2832-2-0x00007FFF59F90000-0x00007FFF5AA51000-memory.dmp

Filesize
10.8MB

Download
memory/2832-14-0x000000001C620000-0x000000001CB48000-memory.dmp

Filesize
5.2MB

Download
memory/2832-3-0x000000001B650000-0x000000001B66C000-memory.dmp

Filesize
112KB

Download
memory/2832-6-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/2832-5-0x000000001B670000-0x000000001B678000-memory.dmp

Filesize
32KB

Download
memory/2832-4-0x000000001BAE0000-0x000000001BB30000-memory.dmp

Filesize
320KB

Download
memory/2832-7-0x000000001B690000-0x000000001B6A6000-memory.dmp

Filesize
88KB

Download
memory/2832-10-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

Filesize
48KB

Download
memory/2832-11-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/2832-13-0x000000001BB90000-0x000000001BBA2000-memory.dmp

Filesize
72KB

Download
memory/2832-9-0x000000001BB30000-0x000000001BB86000-memory.dmp

Filesize
344KB

Download
memory/2832-256-0x00007FFF59F90000-0x00007FFF5AA51000-memory.dmp

Filesize
10.8MB

Download
memory/3948-508-0x000000001B630000-0x000000001B642000-memory.dmp

Filesize
72KB

Download
memory/4312-443-0x00007FFF6E990000-0x00007FFF6E9EC000-memory.dmp

Filesize
368KB

Download
memory/4312-444-0x00007FFF756F0000-0x00007FFF7571E000-memory.dmp

Filesize
184KB

Download
memory/4312-445-0x00007FFF743B0000-0x00007FFF743D9000-memory.dmp

Filesize
164KB

Download
memory/4312-446-0x00007FFF74380000-0x00007FFF743A5000-memory.dmp

Filesize
148KB

Download
memory/4312-447-0x00007FFF68230000-0x00007FFF682AD000-memory.dmp

Filesize
500KB

Download
memory/4312-432-0x000000001B710000-0x000000001B766000-memory.dmp

Filesize
344KB

Download
memory/4764-520-0x000000001B210000-0x000000001B266000-memory.dmp

Filesize
344KB

Download
memory/5816-246-0x00000201AAA60000-0x00000201AAA82000-memory.dmp

Filesize
136KB

Download