dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
900s
max time network
900s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f736c152b3d1812f1142ed0da99e0ac8.exe
Size

5.9MB
MD5

f736c152b3d1812f1142ed0da99e0ac8
SHA1

5df819dd9a3c73b64b33950ecfac1c690fa0f03d
SHA256

78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
SHA512

a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5760	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5952	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4444	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4444	schtasks.exe	89

UAC bypass 3 TTPs 64 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4360	powershell.exe
2656	powershell.exe
2620	powershell.exe
6036	powershell.exe
2424	powershell.exe
4344	powershell.exe
228	powershell.exe
264	powershell.exe
5412	powershell.exe
3500	powershell.exe
3144	powershell.exe
5648	powershell.exe
5196	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f736c152b3d1812f1142ed0da99e0ac8.exe

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 51 IoCs

pid	Process
3016	sysmon.exe
5020	sysmon.exe
4924	sysmon.exe
4996	sysmon.exe
100	sysmon.exe
3392	sysmon.exe
4920	sysmon.exe
2596	sysmon.exe
5020	sysmon.exe
1872	sysmon.exe
3872	sysmon.exe
1408	sysmon.exe
5944	sysmon.exe
3320	sysmon.exe
1564	sysmon.exe
2716	sysmon.exe
5744	sysmon.exe
1952	sysmon.exe
5492	sysmon.exe
3636	sysmon.exe
1092	sysmon.exe
5880	Idle.exe
632	sysmon.exe
5028	Idle.exe
6064	sysmon.exe
4700	Idle.exe
5820	OfficeClickToRun.exe
4616	sysmon.exe
5160	unsecapp.exe
3996	sysmon.exe
6088	sysmon.exe
5328	sysmon.exe
3864	dllhost.exe
2748	taskhostw.exe
6140	sppsvc.exe
6116	sysmon.exe
5744	Idle.exe
5908	f736c152b3d1812f1142ed0da99e0ac8.exe
2432	sysmon.exe
5000	f736c152b3d1812f1142ed0da99e0ac8.exe
4100	upfc.exe
4904	f736c152b3d1812f1142ed0da99e0ac8.exe
1732	OfficeClickToRun.exe
4360	sysmon.exe
1428	unsecapp.exe
3872	backgroundTaskHost.exe
6088	f736c152b3d1812f1142ed0da99e0ac8.exe
3068	f736c152b3d1812f1142ed0da99e0ac8.exe
3352	f736c152b3d1812f1142ed0da99e0ac8.exe
4240	Idle.exe
5048	f736c152b3d1812f1142ed0da99e0ac8.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
3016	sysmon.exe
3016	sysmon.exe
5020	sysmon.exe
5020	sysmon.exe
4924	sysmon.exe
4924	sysmon.exe
4996	sysmon.exe
4996	sysmon.exe
100	sysmon.exe
100	sysmon.exe
3392	sysmon.exe
3392	sysmon.exe
4920	sysmon.exe
4920	sysmon.exe
2596	sysmon.exe
2596	sysmon.exe
5020	sysmon.exe
5020	sysmon.exe
1872	sysmon.exe
1872	sysmon.exe
3872	sysmon.exe
3872	sysmon.exe
1408	sysmon.exe
1408	sysmon.exe
5944	sysmon.exe
5944	sysmon.exe
3320	sysmon.exe
3320	sysmon.exe
1564	sysmon.exe
1564	sysmon.exe
2716	sysmon.exe
2716	sysmon.exe
5744	sysmon.exe
5744	sysmon.exe
1952	sysmon.exe
1952	sysmon.exe
5492	sysmon.exe
5492	sysmon.exe
3636	sysmon.exe
3636	sysmon.exe
1092	sysmon.exe
1092	sysmon.exe
5880	Idle.exe
5880	Idle.exe
632	sysmon.exe
632	sysmon.exe
5028	Idle.exe
5028	Idle.exe
6064	sysmon.exe
6064	sysmon.exe
4700	Idle.exe
4700	Idle.exe
5820	OfficeClickToRun.exe
4616	sysmon.exe
5160	unsecapp.exe
5820	OfficeClickToRun.exe
4616	sysmon.exe
5160	unsecapp.exe
3996	sysmon.exe
3996	sysmon.exe
6088	sysmon.exe
6088	sysmon.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Uninstall Information\unsecapp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX85D7.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\edge_BITS_4540_95347660\RCX8869.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8D00.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows NT\sysmon.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\sysmon.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7968.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX7C0B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\edge_BITS_4540_95347660\RCX8858.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\62ab93cd72465b	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\edge_BITS_4540_95347660\5940a34987c991	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX79E6.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX8A6E.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX8A6F.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\RCX8F35.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Uninstall Information\unsecapp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\eddb19405b7ce1	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX85C6.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Idle.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX812F.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows NT\121e5b5079f7c0	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Idle.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX7BFA.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX8D11.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\6ccacd8608530f	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\uk-UA\RCX8F34.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\6ccacd8608530f	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Uninstall Information\29c1c3cc0f7685	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\edge_BITS_4540_95347660\dllhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX80B1.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\edge_BITS_4540_95347660\dllhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\OfficeClickToRun.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\TAPI\e6c9b481da804f	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\TAPI\RCX9169.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\TAPI\RCX91A8.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\TAPI\OfficeClickToRun.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5564	schtasks.exe
4664	schtasks.exe
4812	schtasks.exe
2236	schtasks.exe
4140	schtasks.exe
3320	schtasks.exe
1428	schtasks.exe
5772	schtasks.exe
4908	schtasks.exe
4136	schtasks.exe
5824	schtasks.exe
5192	schtasks.exe
1500	schtasks.exe
2332	schtasks.exe
1264	schtasks.exe
4224	schtasks.exe
3020	schtasks.exe
4192	schtasks.exe
5008	schtasks.exe
4916	schtasks.exe
1672	schtasks.exe
1696	schtasks.exe
4076	schtasks.exe
3488	schtasks.exe
5164	schtasks.exe
5528	schtasks.exe
4472	schtasks.exe
2116	schtasks.exe
5760	schtasks.exe
3052	schtasks.exe
1140	schtasks.exe
3160	schtasks.exe
3836	schtasks.exe
6104	schtasks.exe
740	schtasks.exe
5952	schtasks.exe
3688	schtasks.exe
4876	schtasks.exe
5568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
832	f736c152b3d1812f1142ed0da99e0ac8.exe
4360	powershell.exe
4360	powershell.exe
2656	powershell.exe
2656	powershell.exe
5412	powershell.exe
5412	powershell.exe
4344	powershell.exe
4344	powershell.exe
5196	powershell.exe
5196	powershell.exe
3144	powershell.exe
3144	powershell.exe
5648	powershell.exe
5648	powershell.exe
264	powershell.exe
264	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3016	sysmon.exe
Token: SeDebugPrivilege	5020	sysmon.exe
Token: SeDebugPrivilege	4924	sysmon.exe
Token: SeDebugPrivilege	4996	sysmon.exe
Token: SeDebugPrivilege	100	sysmon.exe
Token: SeDebugPrivilege	3392	sysmon.exe
Token: SeDebugPrivilege	4920	sysmon.exe
Token: SeDebugPrivilege	2596	sysmon.exe
Token: SeDebugPrivilege	5020	sysmon.exe
Token: SeDebugPrivilege	1872	sysmon.exe
Token: SeDebugPrivilege	3872	sysmon.exe
Token: SeDebugPrivilege	1408	sysmon.exe
Token: SeDebugPrivilege	5944	sysmon.exe
Token: SeDebugPrivilege	3320	sysmon.exe
Token: SeDebugPrivilege	1564	sysmon.exe
Token: SeDebugPrivilege	2716	sysmon.exe
Token: SeDebugPrivilege	5744	sysmon.exe
Token: SeDebugPrivilege	1952	sysmon.exe
Token: SeDebugPrivilege	5492	sysmon.exe
Token: SeDebugPrivilege	3636	sysmon.exe
Token: SeDebugPrivilege	1092	sysmon.exe
Token: SeDebugPrivilege	5880	Idle.exe
Token: SeDebugPrivilege	632	sysmon.exe
Token: SeDebugPrivilege	5028	Idle.exe
Token: SeDebugPrivilege	6064	sysmon.exe
Token: SeDebugPrivilege	4700	Idle.exe
Token: SeDebugPrivilege	5820	OfficeClickToRun.exe
Token: SeDebugPrivilege	4616	sysmon.exe
Token: SeDebugPrivilege	5160	unsecapp.exe
Token: SeDebugPrivilege	3996	sysmon.exe
Token: SeDebugPrivilege	6088	sysmon.exe
Token: SeDebugPrivilege	5328	sysmon.exe
Token: SeDebugPrivilege	3864	dllhost.exe
Token: SeDebugPrivilege	2748	taskhostw.exe
Token: SeDebugPrivilege	6140	sppsvc.exe
Token: SeDebugPrivilege	6116	sysmon.exe
Token: SeDebugPrivilege	5744	Idle.exe
Token: SeDebugPrivilege	5908	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	2432	sysmon.exe
Token: SeDebugPrivilege	5000	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	4100	upfc.exe
Token: SeDebugPrivilege	4904	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	4360	sysmon.exe
Token: SeDebugPrivilege	1428	unsecapp.exe
Token: SeDebugPrivilege	3872	backgroundTaskHost.exe
Token: SeDebugPrivilege	6088	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	3068	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	3352	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	4240	Idle.exe
Token: SeDebugPrivilege	5048	f736c152b3d1812f1142ed0da99e0ac8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 5196	832	f736c152b3d1812f1142ed0da99e0ac8.exe	135
PID 832 wrote to memory of 5196	832	f736c152b3d1812f1142ed0da99e0ac8.exe	135
PID 832 wrote to memory of 2424	832	f736c152b3d1812f1142ed0da99e0ac8.exe	136
PID 832 wrote to memory of 2424	832	f736c152b3d1812f1142ed0da99e0ac8.exe	136
PID 832 wrote to memory of 6036	832	f736c152b3d1812f1142ed0da99e0ac8.exe	137
PID 832 wrote to memory of 6036	832	f736c152b3d1812f1142ed0da99e0ac8.exe	137
PID 832 wrote to memory of 5648	832	f736c152b3d1812f1142ed0da99e0ac8.exe	138
PID 832 wrote to memory of 5648	832	f736c152b3d1812f1142ed0da99e0ac8.exe	138
PID 832 wrote to memory of 3144	832	f736c152b3d1812f1142ed0da99e0ac8.exe	139
PID 832 wrote to memory of 3144	832	f736c152b3d1812f1142ed0da99e0ac8.exe	139
PID 832 wrote to memory of 3500	832	f736c152b3d1812f1142ed0da99e0ac8.exe	140
PID 832 wrote to memory of 3500	832	f736c152b3d1812f1142ed0da99e0ac8.exe	140
PID 832 wrote to memory of 2620	832	f736c152b3d1812f1142ed0da99e0ac8.exe	142
PID 832 wrote to memory of 2620	832	f736c152b3d1812f1142ed0da99e0ac8.exe	142
PID 832 wrote to memory of 5412	832	f736c152b3d1812f1142ed0da99e0ac8.exe	144
PID 832 wrote to memory of 5412	832	f736c152b3d1812f1142ed0da99e0ac8.exe	144
PID 832 wrote to memory of 2656	832	f736c152b3d1812f1142ed0da99e0ac8.exe	145
PID 832 wrote to memory of 2656	832	f736c152b3d1812f1142ed0da99e0ac8.exe	145
PID 832 wrote to memory of 264	832	f736c152b3d1812f1142ed0da99e0ac8.exe	146
PID 832 wrote to memory of 264	832	f736c152b3d1812f1142ed0da99e0ac8.exe	146
PID 832 wrote to memory of 228	832	f736c152b3d1812f1142ed0da99e0ac8.exe	147
PID 832 wrote to memory of 228	832	f736c152b3d1812f1142ed0da99e0ac8.exe	147
PID 832 wrote to memory of 4344	832	f736c152b3d1812f1142ed0da99e0ac8.exe	148
PID 832 wrote to memory of 4344	832	f736c152b3d1812f1142ed0da99e0ac8.exe	148
PID 832 wrote to memory of 4360	832	f736c152b3d1812f1142ed0da99e0ac8.exe	149
PID 832 wrote to memory of 4360	832	f736c152b3d1812f1142ed0da99e0ac8.exe	149
PID 832 wrote to memory of 2520	832	f736c152b3d1812f1142ed0da99e0ac8.exe	161
PID 832 wrote to memory of 2520	832	f736c152b3d1812f1142ed0da99e0ac8.exe	161
PID 2520 wrote to memory of 3356	2520	cmd.exe	163
PID 2520 wrote to memory of 3356	2520	cmd.exe	163
PID 2520 wrote to memory of 3016	2520	cmd.exe	164
PID 2520 wrote to memory of 3016	2520	cmd.exe	164
PID 3016 wrote to memory of 924	3016	sysmon.exe	165
PID 3016 wrote to memory of 924	3016	sysmon.exe	165
PID 3016 wrote to memory of 4808	3016	sysmon.exe	166
PID 3016 wrote to memory of 4808	3016	sysmon.exe	166
PID 924 wrote to memory of 5020	924	WScript.exe	170
PID 924 wrote to memory of 5020	924	WScript.exe	170
PID 5020 wrote to memory of 1872	5020	sysmon.exe	171
PID 5020 wrote to memory of 1872	5020	sysmon.exe	171
PID 5020 wrote to memory of 4392	5020	sysmon.exe	172
PID 5020 wrote to memory of 4392	5020	sysmon.exe	172
PID 1872 wrote to memory of 4924	1872	WScript.exe	176
PID 1872 wrote to memory of 4924	1872	WScript.exe	176
PID 4924 wrote to memory of 4280	4924	sysmon.exe	177
PID 4924 wrote to memory of 4280	4924	sysmon.exe	177
PID 4924 wrote to memory of 1076	4924	sysmon.exe	178
PID 4924 wrote to memory of 1076	4924	sysmon.exe	178
PID 4280 wrote to memory of 4996	4280	WScript.exe	179
PID 4280 wrote to memory of 4996	4280	WScript.exe	179
PID 4996 wrote to memory of 4984	4996	sysmon.exe	180
PID 4996 wrote to memory of 4984	4996	sysmon.exe	180
PID 4996 wrote to memory of 6096	4996	sysmon.exe	181
PID 4996 wrote to memory of 6096	4996	sysmon.exe	181
PID 4984 wrote to memory of 100	4984	WScript.exe	183
PID 4984 wrote to memory of 100	4984	WScript.exe	183
PID 100 wrote to memory of 2864	100	sysmon.exe	184
PID 100 wrote to memory of 2864	100	sysmon.exe	184
PID 100 wrote to memory of 1088	100	sysmon.exe	185
PID 100 wrote to memory of 1088	100	sysmon.exe	185
PID 2864 wrote to memory of 3392	2864	WScript.exe	186
PID 2864 wrote to memory of 3392	2864	WScript.exe	186
PID 3392 wrote to memory of 5444	3392	sysmon.exe	187
PID 3392 wrote to memory of 5444	3392	sysmon.exe	187

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/2b5f15c5afe01f70d7f71092/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fe11fc83a38900fcf766413d81eba9/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7BGbiaqdIl.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3356
- - C:\Program Files (x86)\Windows NT\sysmon.exe
    "C:\Program Files (x86)\Windows NT\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3016
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444a51af-2820-4031-a5fb-79078c2f8478.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ddef7a-9f1f-4740-b611-02e0efc6f4ea.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0e5a81c-3c45-4ea8-9639-d44397343b87.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50108f37-844f-4d5e-82b6-9c9fbc0596b6.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6329485-617a-4bf2-9b2d-1710c0b3c23a.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b65423a-89b2-4245-b738-ad139945d6b2.vbs"
        14⤵
        
        PID:5444
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c685ce94-d48b-426a-b786-1fbda1ff2b27.vbs"
        16⤵
        
        PID:1968
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e28a254-0945-45ca-b9ca-173670fa2efa.vbs"
        18⤵
        
        PID:4836
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09bf5318-c6f0-498b-b29a-cf56ab61c62f.vbs"
        20⤵
        
        PID:1484
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd1d1032-64b4-4c6a-afeb-dcbe61ace87a.vbs"
        22⤵
        
        PID:936
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d17bd4-cc0d-4cae-89b0-bdce1ee9aca0.vbs"
        24⤵
        
        PID:5796
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1429a299-c2b6-46b0-bf95-eca3073bd848.vbs"
        26⤵
        
        PID:1816
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a07cb76f-5a80-4871-a2e5-4a4ccd18c8d1.vbs"
        28⤵
        
        PID:2700
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01155697-f075-440f-a91f-c95ef526a6fa.vbs"
        30⤵
        
        PID:1476
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\877d6fd4-7148-4ca1-9351-ea2cf2d80e72.vbs"
        32⤵
        
        PID:4620
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cd0bf73-6d17-4a62-ad27-ea395c1e327c.vbs"
        34⤵
        
        PID:2640
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        35⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a13150df-dac6-44c2-b476-cdbee3b25b6a.vbs"
        36⤵
        
        PID:5924
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        37⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe97f8e7-2ce2-4992-bed2-29e066c284b8.vbs"
        38⤵
        
        PID:512
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        39⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\373b8f2e-8cf2-443d-893e-1bd2271fc607.vbs"
        40⤵
        
        PID:1504
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        41⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6898d4db-d4c5-4291-be86-a359f67f6d37.vbs"
        42⤵
        
        PID:5468
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        43⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7cb3860-7115-4679-95e7-3d6a54bbd919.vbs"
        44⤵
        
        PID:6140
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        45⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a188efcf-683b-464f-8a51-7434658e3cd9.vbs"
        46⤵
        
        PID:3400
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        47⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca20f16-c1c5-4ddc-9357-f6b9b1623eec.vbs"
        48⤵
        
        PID:5236
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        49⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c88d39a-07ee-4a05-abfa-58a152a324bf.vbs"
        50⤵
        
        PID:3652
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        51⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf18efd-f06d-4c13-ae2e-4c678e658091.vbs"
        52⤵
        
        PID:5304
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        53⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b058e638-1aba-429b-a3ec-a581416af250.vbs"
        54⤵
        
        PID:2192
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        55⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82cfbd75-48c8-426b-9f77-2c24ec146012.vbs"
        56⤵
        
        PID:5048
        
        C:\Program Files (x86)\Windows NT\sysmon.exe
        
        "C:\Program Files (x86)\Windows NT\sysmon.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9811b8ea-747e-40a6-9685-3839914828e2.vbs"
        56⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f2c78f2-0e3d-4c5c-be5f-cfc6705767d6.vbs"
        54⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe14144-ed74-4032-be77-5306ad6d9a91.vbs"
        52⤵
        
        PID:5148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c4fdce8-0c3c-445a-b18b-ae78f7c9b065.vbs"
        50⤵
        
        PID:4216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe69534-feb2-42ee-9572-55ba3ff93404.vbs"
        48⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\860c17be-99ff-4bd6-9d42-2118e7161381.vbs"
        46⤵
        
        PID:5216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b978b80-a475-4102-a749-698689342215.vbs"
        44⤵
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5eaa81e4-5c0f-4fb8-a35d-0ac7f37c4a10.vbs"
        42⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e8818a6-bd8c-41b8-811a-5b42187490a9.vbs"
        40⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\feb29b56-46f7-41aa-9ceb-fc0c519684ec.vbs"
        38⤵
        
        PID:5640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aeeb166-21ae-43c7-963b-8e43cf4e55d9.vbs"
        36⤵
        
        PID:3684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bf1c060-e752-47bd-be07-f549ba1f583d.vbs"
        34⤵
        
        PID:6052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80d0927c-68b4-4210-b89e-ae4cd176e6ae.vbs"
        32⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\169382de-19b7-40e7-8f34-3bc5458f52da.vbs"
        30⤵
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be3e2fba-b2f1-45a9-982a-212586f3149a.vbs"
        28⤵
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e30513-7013-4fa1-8936-39a1a5179679.vbs"
        26⤵
        
        PID:5252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da026fc9-bccc-4133-9f4a-067a0252b480.vbs"
        24⤵
        
        PID:5240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c4a4b78-dfb5-4a88-bc16-c924957caa47.vbs"
        22⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97b2cc14-4d8a-4591-8e5d-ae27aea5ac58.vbs"
        20⤵
        
        PID:5716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e12656c-f3e3-464f-b116-84c49ab32a1f.vbs"
        18⤵
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0455770b-1bab-41f8-b64b-804f67a7f1c4.vbs"
        16⤵
        
        PID:3220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c93cf40-66a9-4ed2-b208-06b47b1c5c2d.vbs"
        14⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14d3032c-fed8-47ac-8569-dba2fa1adeae.vbs"
        12⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc4ec4e2-a457-40d1-901c-0cae0cd2d56e.vbs"
        10⤵
        
        PID:6096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\950867bd-7d95-4980-8d89-379937b12b5e.vbs"
        8⤵
        
        PID:1076
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fde5957-9e18-490c-be77-217943f22c77.vbs"
        6⤵
        
        PID:4392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2874d546-e1eb-4a4e-8e54-548ba4b172c8.vbs"
      4⤵
      PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\fe11fc83a38900fcf766413d81eba9\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\fe11fc83a38900fcf766413d81eba9\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\fe11fc83a38900fcf766413d81eba9\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8f" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8f" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4540_95347660\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4540_95347660\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4540_95347660\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe
"C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5880
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba3661b-adb6-42f1-9bc3-8098ea87b81a.vbs"
  2⤵
  PID:4012
- - C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe
    "C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8ffd5c-15e1-404d-a0f2-41aba4334de4.vbs"
      4⤵
      PID:5784
    - - C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe
        
        "C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14011250-75a6-4a77-bf70-3101079c57c4.vbs"
      4⤵
      PID:3972
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46004295-9f6d-4931-812d-33be7248c5b9.vbs"
  2⤵
  PID:1636

C:\Windows\TAPI\OfficeClickToRun.exe
C:\Windows\TAPI\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\Program Files (x86)\Windows NT\sysmon.exe
"C:\Program Files (x86)\Windows NT\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files\Uninstall Information\unsecapp.exe
"C:\Program Files\Uninstall Information\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Program Files\edge_BITS_4540_95347660\dllhost.exe
"C:\Program Files\edge_BITS_4540_95347660\dllhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\fe11fc83a38900fcf766413d81eba9\sppsvc.exe
C:\fe11fc83a38900fcf766413d81eba9\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe
"C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5908
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\057de83f-24a2-442a-b310-e284f98956bb.vbs"
  2⤵
  PID:840
- - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:5000
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d235ab1-b051-4910-aab4-430927af36f7.vbs"
      4⤵
      PID:5544
    - - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0a7097e-e717-4866-8ea8-1f11b8610a5b.vbs"
        6⤵
        
        PID:5924
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe545d3-d9f7-412d-ad63-aa012af068ed.vbs"
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603fcdd5-64df-4e66-8043-d9c31bb4cc15.vbs"
        10⤵
        
        PID:4620
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b2f1278-8cc7-437d-bb27-ce1bc44b830a.vbs"
        12⤵
        
        PID:3980
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d9e2bc-7ce7-4ff1-a029-b1d3d296b792.vbs"
        14⤵
        
        PID:3416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4b973e8-c583-4d0c-aa88-4eee2d192d3d.vbs"
        14⤵
        
        PID:5364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e55e65-9f86-4aad-a8bd-d54f3c6a057a.vbs"
        12⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8169bdd-cdde-4611-b066-6fbf44d2e619.vbs"
        10⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8853d58c-6a0b-4cda-b4d8-6da9f739c072.vbs"
        8⤵
        
        PID:3480
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f361f1-33ae-4e00-bc2d-661e7b118306.vbs"
        6⤵
        
        PID:5628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eafde245-823d-4ee1-88b7-8adce7ab4e6f.vbs"
      4⤵
      PID:3304
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e279ff-990e-45ca-bfa5-dee1353ef508.vbs"
  2⤵
  PID:4120

C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\TAPI\OfficeClickToRun.exe
C:\Windows\TAPI\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files (x86)\Windows NT\sysmon.exe
"C:\Program Files (x86)\Windows NT\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files\Uninstall Information\unsecapp.exe
"C:\Program Files\Uninstall Information\unsecapp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Recovery\WindowsRE\backgroundTaskHost.exe
C:\Recovery\WindowsRE\backgroundTaskHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe
"C:\Program Files (x86)\Internet Explorer\uk-UA\Idle.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\sysmon.exe

Filesize
5.9MB

MD5
32d4bed2ddb5863845e8c616a8cce307

SHA1
5c57f47afe26a158a81df6626b96f067de80583a

SHA256
4150de99406d30086c154627c325c1aeadc8872862d42fa5cbf7af25a4af6782

SHA512
5c11074652829d2b95faedb3ebb0ab5eee384044bf5e3eba1ea60b91187ec147937f8097a42697ca44668f1cec8841c524a2a231f6651998d853ecaef9bd69f0

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\f736c152b3d1812f1142ed0da99e0ac8.exe

Filesize
5.9MB

MD5
cb08210529284e8b7d217b311f20c012

SHA1
b77213f83b969a60c9d11940cd46094168fc1e29

SHA256
df05cf4f540a6d54b0fb34ec9935a16aac7d01880bc4b636899248ce41777fdf

SHA512
d5cffcd0bb0b1ae7d5caed0716d48ed727c32f9d2c7dbeea22221dd89154c290c380fc5bab23d550bbb4053ddb86b54fb5b22be2525bdd35730144d14c162248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
b78f0793c3ef1d417e56d34b656b40bb

SHA1
4a622f8022516098cb5aae35a5953bde039111a7

SHA256
67090a383e35cf075d5c0f0c1d78c4e4b805de6aa951b5d4dd01fd9ae8ccdcfb

SHA512
ab3fb91602bd6f070d9b060da4a26d01869e9b23e319db9164d2e251b2c47db690da0f832e69a45c03bc99919942ef516a0b157cfa0aaea84e64b1e90ae5b933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5224a8af64b17b8a36247f8bda22bc94

SHA1
841edc986867d9813534b217790e76b017c48617

SHA256
464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

SHA512
041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b65423a-89b2-4245-b738-ad139945d6b2.vbs

Filesize
720B

MD5
edaf3aa0833ed86775f7633e913d518d

SHA1
115732e01cb2ad331dd7e0a43c579a819649233b

SHA256
4002d59906731205cbad524d4a75fae5f6d40d4459b78c48b183190a3d90ef8f

SHA512
23c927102b472f8ff2ed0a83da410c1b0402c36f7826e4a5c0c2556e7020a8ee166376e9ded76a8cf8415cfa47109fc57da25ec848d2fee8c213992fb030c247

Download Submit
C:\Users\Admin\AppData\Local\Temp\14011250-75a6-4a77-bf70-3101079c57c4.vbs

Filesize
507B

MD5
986f238c72e12cf5b15827a8ae3e9ef7

SHA1
d1fac5da0447007eeb990474c96d77fd777f8915

SHA256
08a42bd79f14c4ac9bd8866dc4fcab76edc39c1cfc4113759c8f0a1b9532cde9

SHA512
8258e61334a997306c37b478fc873dd987b43e18ecb9a0a46ea6281bc4c28e4b6e61bd79aa7980923bf9fd545d3987eaeedbde534f9453ca69cd706f20400345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1429a299-c2b6-46b0-bf95-eca3073bd848.vbs

Filesize
720B

MD5
c67fa75ae2d2de58f7d291cd66d86d47

SHA1
7ec05c1e6f0140ee0d6463f9114dd25473aafe98

SHA256
319de5af2a2062f08a71a34f306b396a96ecc4c6393e4e32c8adda85802904ea

SHA512
fe39dd9a50728342b23d2a8b97903294c6f4128f8dc5db587138a56647a0587f5d2d9e0c1f21b21b15343f84df1ef3fbfdc2472c68ec006b10b3a7e0f91d0d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\2874d546-e1eb-4a4e-8e54-548ba4b172c8.vbs

Filesize
496B

MD5
591363703c30cbe8849c6ed3a5ee1a5c

SHA1
d1f2c6ebc3f87daf13b532dcf447199a84f79da1

SHA256
66baa977b8042a1f35b59fd8d694ee65efb4e974c2e04302c6f68f24cf964b5d

SHA512
2efef0ce8b0d93f51f581d40d38af8330d2734b706ba833d2f7ee70ea7b8698919e1306b690f7161afdecb9f3f1cc188a12c94ebd6a17fa898a5778eb25ea305

Download Submit
C:\Users\Admin\AppData\Local\Temp\444a51af-2820-4031-a5fb-79078c2f8478.vbs

Filesize
720B

MD5
9e1a24636e53ed51d694aba67ed8c74c

SHA1
b7bad7f12fe23f8b88403bb501d74bae37f2c61e

SHA256
4d7f535fb17f066022648bf7f3ec4e5fd7fc380e8630721425f13490b736baec

SHA512
3e8a03694ed7eb7fcc66c1d7012703f5ec5e895566c6ede838282b2a92a533f7d38ad8cd01ecfda4a08f2d693fb1071e3c800c432c570e5d117ccec411e75315

Download Submit
C:\Users\Admin\AppData\Local\Temp\50108f37-844f-4d5e-82b6-9c9fbc0596b6.vbs

Filesize
720B

MD5
c9f317b266975f8795c3029eff5e5d40

SHA1
079d29d0f381ff30473aea5d9976f9104cda8ca7

SHA256
792fecb8ac88e6bd927c88b81fe789353d1ac1c95776892076ff1570c4df4f52

SHA512
139b9d97a8ad22da5f050f04c7eb282caddcb4206266936636a85b5bdc2c3496f876f4f388564054978c501e7fd5764d7b8cf656c477d5d4a136225013725859

Download Submit
C:\Users\Admin\AppData\Local\Temp\60d17bd4-cc0d-4cae-89b0-bdce1ee9aca0.vbs

Filesize
720B

MD5
7cda003e6217c1b07b0dd97ea332a69c

SHA1
f422d6c20f194b71e1a6f5a2acf4b8bbee26cfa7

SHA256
94e3446a940784383edfdcf841e3f3d234bdbf7a8ca0368162ab1312e4571fe6

SHA512
13691926a9eb1c833e3645ccf29d8709fe9cd65f20a8499d590a64455336506f240ae7d20600aa99cd3c89c27cb8444f9aa681ac9b3d30ef8c2e632f32ebdfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e28a254-0945-45ca-b9ca-173670fa2efa.vbs

Filesize
720B

MD5
a903f822027abe019f7dc22142be360e

SHA1
c0736743bc2395aca0d53979c11ef0d884fc66de

SHA256
c70ccac89a7e6f1375deeaedb7963171e9bf09f9ac3dd4ab27e30db01076b100

SHA512
3fcf585302c131fb83d4797bf4820bf620bdbbf2dfb7acb927ed5375376745d70928cfa018f77cff709013c5060daa5b1535985f262d4ec8a20af090458fadc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BGbiaqdIl.bat

Filesize
209B

MD5
098523248bed6af994a969341c302b8d

SHA1
e5a3be3a7e64e01ed1c7b350dc3fc948ba4b0d28

SHA256
613a9a8ae763a0fbc50bd8d01d6deb894109c8f16c01a76aadd504690936a17c

SHA512
08fe25c626e995612c1dedaa7a151f47151bb2d03178ef863c38b063f6f6b0461bb0edd5d9d32b8a54439be9cb0feddc9d3c018e6b4739ca5046299d5c411af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duhaqepc.4wt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6329485-617a-4bf2-9b2d-1710c0b3c23a.vbs

Filesize
719B

MD5
90768ecc1de8eba7e07468f08d948b7b

SHA1
18e7b71685bacb9c225024c8015a672885cc8dbb

SHA256
c58887cb543e5fc1b738fde597c7bed167a0613830ba0698188f10000ad1df72

SHA512
58363c194226f467678a2555e08982214f6a52e393f559aab0d337d9a796ba23988b2b848dd827e01a5d802df5ab242b2e58d7a303e8a547e0ca5fd1756a5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\c685ce94-d48b-426a-b786-1fbda1ff2b27.vbs

Filesize
720B

MD5
01cf9c5c347bfe2bfa2dc49a283ff764

SHA1
edd6392c0121293e1e52589895ce6a7818fafaf4

SHA256
dc650e638c7a67ebda42f8c71a75e9526f45279589f7e80564d46faff340a231

SHA512
ee2a1d1706cf1138af2ce4fcfb60b448ae265b049f26741a49a07f524b0753ca658b2bfa4662df0c30ee065380af3a66ffbba3c0b2a1c0d4aa6260664fc4082a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd1d1032-64b4-4c6a-afeb-dcbe61ace87a.vbs

Filesize
720B

MD5
812896307ac845f6b75172db58937e4e

SHA1
2f2117fda0fbb6109fc1c4c8c2d24a990140de03

SHA256
bc060748780bec0f2da4b8d01bf75c9a7268baf4254ce426ef66b69f2c26310d

SHA512
1236950004286a55dde7a73aff14079f8bcc842166513d2c2be1de871c7fc5b65b0113ea435e4067f2092b27450c0fbe4b27c58ef65190c899e86630862fc097

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5ddef7a-9f1f-4740-b611-02e0efc6f4ea.vbs

Filesize
720B

MD5
c59c1e885d50bf6a9d782361b133ebda

SHA1
98b89375fcb9f3aafab1d4c1798505673be8c559

SHA256
6aa8f4b4126f389ddd68b146ee470222fae4a78477b030fcb869845994de8fa7

SHA512
d10dc98f15f97f35c39926207668220a26f25e86f0a4c3298b6954478c9845cbf6e5daa7b6512c05e7d1a41ef2ac7167ac2be5ce113f8b0a85db51311fb89fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0e5a81c-3c45-4ea8-9639-d44397343b87.vbs

Filesize
720B

MD5
85226af7693d2c59f5b5a5bc3fd7cf9e

SHA1
ce2f923c1a96aa23bf16204295c5550317ecc379

SHA256
1dd4788b1ddef9a87f59ff50dcf23870138dde3aef766812de4efaa82eedfe84

SHA512
3022e8eff20d5719263cf72199ae561ac3d793ff827cb9ee958b3c9270a09bd8dca58181245d63f66fd3e26251610cd2c6041c6fcf0cdaa68b792e6c1cb518c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eafde245-823d-4ee1-88b7-8adce7ab4e6f.vbs

Filesize
542B

MD5
db652fa7387a5a19df218d37ad0a35f1

SHA1
c46f0d38a6a8168afc1e654c23ae32948cb90355

SHA256
3d1482e9c40f206bed70dbcfe01414b6b44e2191ea9673205cd6bed83ec4bca1

SHA512
d22a8bef2386b027a256d5b4843aa8d14f6667e2d4909ffd98970f2c571188c1b1933691424411dfa8859bdb4b8a832915d77ed2e548122461d83e1aa2174974

Download Submit
C:\Users\Default\Desktop\Idle.exe

Filesize
5.9MB

MD5
f736c152b3d1812f1142ed0da99e0ac8

SHA1
5df819dd9a3c73b64b33950ecfac1c690fa0f03d

SHA256
78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

SHA512
a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

Download Submit
C:\Users\Default\Desktop\Idle.exe

Filesize
5.9MB

MD5
1d3db9da7b2999d97417564c73d85d00

SHA1
ab0f77c8b8a9de58bdc222cc50b9ce19cfb24ba7

SHA256
e6cbf6fb0294703961bfe56a4b6c595809931b419f75bd38a879dca4e1d65807

SHA512
22919d42374bd0fb66d6052bb9ac70a8d1203ae028a98ad0cc46a545fac43f0d1d75ee209795ee1369682e88e4ea8ddb69b80350b93e68689e2dccd9c9d7f141

Download Submit
memory/100-432-0x000000001BD40000-0x000000001BD52000-memory.dmp

Filesize
72KB

Download
memory/632-617-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

Filesize
72KB

Download
memory/832-20-0x000000001DD30000-0x000000001DD38000-memory.dmp

Filesize
32KB

Download
memory/832-17-0x000000001DCC0000-0x000000001DCCA000-memory.dmp

Filesize
40KB

Download
memory/832-35-0x000000001E030000-0x000000001E038000-memory.dmp

Filesize
32KB

Download
memory/832-34-0x000000001E020000-0x000000001E02E000-memory.dmp

Filesize
56KB

Download
memory/832-33-0x000000001DF10000-0x000000001DF1A000-memory.dmp

Filesize
40KB

Download
memory/832-32-0x000000001DF00000-0x000000001DF0C000-memory.dmp

Filesize
48KB

Download
memory/832-31-0x000000001DEF0000-0x000000001DEF8000-memory.dmp

Filesize
32KB

Download
memory/832-29-0x000000001DDD0000-0x000000001DDDC000-memory.dmp

Filesize
48KB

Download
memory/832-28-0x000000001DDB0000-0x000000001DDB8000-memory.dmp

Filesize
32KB

Download
memory/832-38-0x000000001E060000-0x000000001E06C000-memory.dmp

Filesize
48KB

Download
memory/832-39-0x000000001E070000-0x000000001E078000-memory.dmp

Filesize
32KB

Download
memory/832-40-0x000000001E080000-0x000000001E08A000-memory.dmp

Filesize
40KB

Download
memory/832-41-0x000000001E090000-0x000000001E09C000-memory.dmp

Filesize
48KB

Download
memory/832-199-0x00007FF8ECC93000-0x00007FF8ECC95000-memory.dmp

Filesize
8KB

Download
memory/832-222-0x00007FF8ECC90000-0x00007FF8ED751000-memory.dmp

Filesize
10.8MB

Download
memory/832-1-0x0000000000DE0000-0x00000000016D8000-memory.dmp

Filesize
9.0MB

Download
memory/832-36-0x000000001E040000-0x000000001E04E000-memory.dmp

Filesize
56KB

Download
memory/832-248-0x00007FF8ECC90000-0x00007FF8ED751000-memory.dmp

Filesize
10.8MB

Download
memory/832-30-0x000000001DDE0000-0x000000001DDEC000-memory.dmp

Filesize
48KB

Download
memory/832-25-0x000000001E300000-0x000000001E828000-memory.dmp

Filesize
5.2MB

Download
memory/832-27-0x000000001DDA0000-0x000000001DDAC000-memory.dmp

Filesize
48KB

Download
memory/832-26-0x000000001DD90000-0x000000001DD9C000-memory.dmp

Filesize
48KB

Download
memory/832-0-0x00007FF8ECC93000-0x00007FF8ECC95000-memory.dmp

Filesize
8KB

Download
memory/832-21-0x000000001DD40000-0x000000001DD4C000-memory.dmp

Filesize
48KB

Download
memory/832-24-0x000000001DD60000-0x000000001DD72000-memory.dmp

Filesize
72KB

Download
memory/832-22-0x000000001DD50000-0x000000001DD58000-memory.dmp

Filesize
32KB

Download
memory/832-2-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/832-3-0x00007FF8ECC90000-0x00007FF8ED751000-memory.dmp

Filesize
10.8MB

Download
memory/832-19-0x000000001DD20000-0x000000001DD2C000-memory.dmp

Filesize
48KB

Download
memory/832-16-0x000000001DDC0000-0x000000001DDD0000-memory.dmp

Filesize
64KB

Download
memory/832-18-0x000000001DCD0000-0x000000001DD26000-memory.dmp

Filesize
344KB

Download
memory/832-37-0x000000001E050000-0x000000001E058000-memory.dmp

Filesize
32KB

Download
memory/832-4-0x0000000001CC0000-0x0000000001CCE000-memory.dmp

Filesize
56KB

Download
memory/832-15-0x000000001C380000-0x000000001C388000-memory.dmp

Filesize
32KB

Download
memory/832-12-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/832-14-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/832-13-0x000000001DCB0000-0x000000001DCC2000-memory.dmp

Filesize
72KB

Download
memory/832-8-0x000000001DB60000-0x000000001DBB0000-memory.dmp

Filesize
320KB

Download
memory/832-9-0x0000000003940000-0x0000000003948000-memory.dmp

Filesize
32KB

Download
memory/832-5-0x0000000001CD0000-0x0000000001CDE000-memory.dmp

Filesize
56KB

Download
memory/832-7-0x0000000003920000-0x000000000393C000-memory.dmp

Filesize
112KB

Download
memory/832-11-0x000000001C340000-0x000000001C356000-memory.dmp

Filesize
88KB

Download
memory/832-10-0x0000000003950000-0x0000000003960000-memory.dmp

Filesize
64KB

Download
memory/832-6-0x0000000003910000-0x0000000003918000-memory.dmp

Filesize
32KB

Download
memory/1872-496-0x000000001CB10000-0x000000001CB22000-memory.dmp

Filesize
72KB

Download
memory/1952-573-0x000000001D380000-0x000000001D392000-memory.dmp

Filesize
72KB

Download
memory/3016-381-0x000000001CC80000-0x000000001CC92000-memory.dmp

Filesize
72KB

Download
memory/3016-379-0x0000000000FD0000-0x00000000018C8000-memory.dmp

Filesize
9.0MB

Download
memory/3352-739-0x000000001C090000-0x000000001C0A2000-memory.dmp

Filesize
72KB

Download
memory/3996-650-0x000000001C0E0000-0x000000001C0F2000-memory.dmp

Filesize
72KB

Download
memory/4360-233-0x0000025969300000-0x0000025969322000-memory.dmp

Filesize
136KB

Download
memory/4920-458-0x000000001BD40000-0x000000001BD52000-memory.dmp

Filesize
72KB

Download
memory/4920-457-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download
memory/4924-407-0x00000000034A0000-0x00000000034B2000-memory.dmp

Filesize
72KB

Download
memory/5020-483-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/5028-626-0x000000001CE00000-0x000000001CE12000-memory.dmp

Filesize
72KB

Download
memory/5048-749-0x000000001BF90000-0x000000001BFA2000-memory.dmp

Filesize
72KB

Download
memory/5328-667-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

Filesize
72KB

Download
memory/5492-582-0x0000000003130000-0x0000000003142000-memory.dmp

Filesize
72KB

Download
memory/5880-607-0x00000000034A0000-0x00000000034B2000-memory.dmp

Filesize
72KB

Download
memory/5908-690-0x00000000001B0000-0x0000000000AA8000-memory.dmp

Filesize
9.0MB

Download
memory/6064-635-0x000000001D8E0000-0x000000001D8F2000-memory.dmp

Filesize
72KB

Download