4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
896s
max time network
887s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f926cc363c27c542c23e14398096eda8.exe
Size

1.9MB
MD5

f926cc363c27c542c23e14398096eda8
SHA1

03442d6ea4a9acd36987b916ffe0261810e6dbfd
SHA256

ec0c9de9d6eef69bfe2c220f21971d4acc91004194cd8cf993a2bd34a04e31df
SHA512

581d105843a37d51aed86b071aed97c4188cb4bc8aed8b8c9bd9f7c297d5b3ba79d1d93f0a3d9bb5da89dbb445385838f7df229bec27b36d46b13757eb16491f
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 64 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
744	powershell.exe
3140	powershell.exe
3432	powershell.exe
3872	powershell.exe
5112	powershell.exe
1844	powershell.exe
3796	powershell.exe
3312	powershell.exe
4796	powershell.exe
1256	powershell.exe
3144	powershell.exe
1604	powershell.exe
2980	powershell.exe
3996	powershell.exe
4620	powershell.exe
4496	powershell.exe
3912	powershell.exe
5068	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f926cc363c27c542c23e14398096eda8.exe

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	f926cc363c27c542c23e14398096eda8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 64 IoCs

pid	Process
5356	sysmon.exe
3736	sysmon.exe
4616	sysmon.exe
5204	sysmon.exe
5276	sysmon.exe
3956	sysmon.exe
5220	sysmon.exe
2380	sysmon.exe
5508	sysmon.exe
6052	sysmon.exe
3132	sysmon.exe
5680	sysmon.exe
4456	sysmon.exe
4236	sysmon.exe
4024	sysmon.exe
2844	sysmon.exe
4040	sysmon.exe
1604	sysmon.exe
5744	sysmon.exe
760	sysmon.exe
5228	sysmon.exe
2388	sysmon.exe
4892	sysmon.exe
5480	sysmon.exe
2708	RuntimeBroker.exe
6016	sysmon.exe
3992	sysmon.exe
5876	sysmon.exe
3300	sysmon.exe
6020	TextInputHost.exe
5008	spoolsv.exe
4540	Idle.exe
4844	sysmon.exe
4600	sysmon.exe
4752	sysmon.exe
1484	upfc.exe
4128	sysmon.exe
3928	sysmon.exe
548	Registry.exe
3324	sysmon.exe
3268	sysmon.exe
2840	sysmon.exe
4556	sysmon.exe
384	sysmon.exe
5164	sysmon.exe
1020	sysmon.exe
5940	taskhostw.exe
2844	f926cc363c27c542c23e14398096eda8.exe
2568	sysmon.exe
5592	taskhostw.exe
712	taskhostw.exe
5476	taskhostw.exe
1800	taskhostw.exe
3664	sysmon.exe
3320	RuntimeBroker.exe
3996	OfficeClickToRun.exe
5736	dllhost.exe
5216	taskhostw.exe
4628	taskhostw.exe
4300	taskhostw.exe
760	taskhostw.exe
2844	taskhostw.exe
2708	taskhostw.exe
1008	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f926cc363c27c542c23e14398096eda8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCX6BBD.tmp	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6ccacd8608530f	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX6E3F.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX75B7.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX7626.tmp	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\e6c9b481da804f	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\upfc.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX6EBD.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCX7A4F.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCX7ABD.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\upfc.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\ea1d8f6d871115	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCX6BBC.tmp	f926cc363c27c542c23e14398096eda8.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Windows\Cursors\TextInputHost.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCX6124.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\Cursors\RCX632A.tmp	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX7CC3.tmp	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Windows\Cursors\22eafd247d37c3	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\Cursors\RCX6329.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	f926cc363c27c542c23e14398096eda8.exe
File created	C:\Windows\PolicyDefinitions\de-DE\26efc900edbce0	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCX60B6.tmp	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\Cursors\TextInputHost.exe	f926cc363c27c542c23e14398096eda8.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX7CC2.tmp	f926cc363c27c542c23e14398096eda8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f926cc363c27c542c23e14398096eda8.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe
1620	schtasks.exe
1572	schtasks.exe
1908	schtasks.exe
2380	schtasks.exe
2804	schtasks.exe
1664	schtasks.exe
892	schtasks.exe
3208	schtasks.exe
3084	schtasks.exe
4388	schtasks.exe
3340	schtasks.exe
3432	schtasks.exe
3764	schtasks.exe
4652	schtasks.exe
4660	schtasks.exe
2472	schtasks.exe
2448	schtasks.exe
1452	schtasks.exe
2616	schtasks.exe
3724	schtasks.exe
2904	schtasks.exe
3036	schtasks.exe
1732	schtasks.exe
1600	schtasks.exe
1104	schtasks.exe
1456	schtasks.exe
1700	schtasks.exe
1844	schtasks.exe
3052	schtasks.exe
4836	schtasks.exe
4728	schtasks.exe
4756	schtasks.exe
5112	schtasks.exe
1200	schtasks.exe
1640	schtasks.exe
3144	schtasks.exe
460	schtasks.exe
4360	schtasks.exe
4816	schtasks.exe
4412	schtasks.exe
3076	schtasks.exe
180	schtasks.exe
4396	schtasks.exe
944	schtasks.exe
1984	schtasks.exe
2544	schtasks.exe
2580	schtasks.exe
3556	schtasks.exe
4272	schtasks.exe
4584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	f926cc363c27c542c23e14398096eda8.exe
468	f926cc363c27c542c23e14398096eda8.exe
468	f926cc363c27c542c23e14398096eda8.exe
468	f926cc363c27c542c23e14398096eda8.exe
468	f926cc363c27c542c23e14398096eda8.exe
3144	powershell.exe
3144	powershell.exe
1604	powershell.exe
1604	powershell.exe
5112	powershell.exe
5112	powershell.exe
2980	powershell.exe
2980	powershell.exe
1256	powershell.exe
1256	powershell.exe
5068	powershell.exe
5068	powershell.exe
3312	powershell.exe
3312	powershell.exe
4496	powershell.exe
4496	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
3996	powershell.exe
3996	powershell.exe
3140	powershell.exe
3140	powershell.exe
744	powershell.exe
744	powershell.exe
3912	powershell.exe
3912	powershell.exe
3796	powershell.exe
3796	powershell.exe
5112	powershell.exe
4796	powershell.exe
4796	powershell.exe
3872	powershell.exe
3872	powershell.exe
3432	powershell.exe
3432	powershell.exe
1844	powershell.exe
1844	powershell.exe
3872	powershell.exe
2980	powershell.exe
3144	powershell.exe
3144	powershell.exe
1604	powershell.exe
1604	powershell.exe
1256	powershell.exe
5068	powershell.exe
3912	powershell.exe
3796	powershell.exe
3312	powershell.exe
4796	powershell.exe
3140	powershell.exe
4496	powershell.exe
744	powershell.exe
3432	powershell.exe
3996	powershell.exe
1844	powershell.exe
5356	sysmon.exe
5356	sysmon.exe
3736	sysmon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	468	f926cc363c27c542c23e14398096eda8.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	5356	sysmon.exe
Token: SeDebugPrivilege	3736	sysmon.exe
Token: SeDebugPrivilege	4616	sysmon.exe
Token: SeDebugPrivilege	5204	sysmon.exe
Token: SeDebugPrivilege	5276	sysmon.exe
Token: SeDebugPrivilege	3956	sysmon.exe
Token: SeDebugPrivilege	5220	sysmon.exe
Token: SeDebugPrivilege	2380	sysmon.exe
Token: SeDebugPrivilege	5508	sysmon.exe
Token: SeDebugPrivilege	6052	sysmon.exe
Token: SeDebugPrivilege	3132	sysmon.exe
Token: SeDebugPrivilege	5680	sysmon.exe
Token: SeDebugPrivilege	4456	sysmon.exe
Token: SeDebugPrivilege	4236	sysmon.exe
Token: SeDebugPrivilege	4024	sysmon.exe
Token: SeDebugPrivilege	2844	sysmon.exe
Token: SeDebugPrivilege	4040	sysmon.exe
Token: SeDebugPrivilege	1604	sysmon.exe
Token: SeDebugPrivilege	5744	sysmon.exe
Token: SeDebugPrivilege	760	sysmon.exe
Token: SeDebugPrivilege	5228	sysmon.exe
Token: SeDebugPrivilege	2388	sysmon.exe
Token: SeDebugPrivilege	4892	sysmon.exe
Token: SeDebugPrivilege	5480	sysmon.exe
Token: SeDebugPrivilege	2708	RuntimeBroker.exe
Token: SeDebugPrivilege	6016	sysmon.exe
Token: SeDebugPrivilege	3992	sysmon.exe
Token: SeDebugPrivilege	5876	sysmon.exe
Token: SeDebugPrivilege	3300	sysmon.exe
Token: SeDebugPrivilege	6020	TextInputHost.exe
Token: SeDebugPrivilege	5008	spoolsv.exe
Token: SeDebugPrivilege	4540	Idle.exe
Token: SeDebugPrivilege	4844	sysmon.exe
Token: SeDebugPrivilege	4600	sysmon.exe
Token: SeDebugPrivilege	4752	sysmon.exe
Token: SeDebugPrivilege	1484	upfc.exe
Token: SeDebugPrivilege	4128	sysmon.exe
Token: SeDebugPrivilege	3928	sysmon.exe
Token: SeDebugPrivilege	548	Registry.exe
Token: SeDebugPrivilege	3324	sysmon.exe
Token: SeDebugPrivilege	3268	sysmon.exe
Token: SeDebugPrivilege	2840	sysmon.exe
Token: SeDebugPrivilege	4556	sysmon.exe
Token: SeDebugPrivilege	384	sysmon.exe
Token: SeDebugPrivilege	5164	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1844	468	f926cc363c27c542c23e14398096eda8.exe	146
PID 468 wrote to memory of 1844	468	f926cc363c27c542c23e14398096eda8.exe	146
PID 468 wrote to memory of 2980	468	f926cc363c27c542c23e14398096eda8.exe	147
PID 468 wrote to memory of 2980	468	f926cc363c27c542c23e14398096eda8.exe	147
PID 468 wrote to memory of 5112	468	f926cc363c27c542c23e14398096eda8.exe	148
PID 468 wrote to memory of 5112	468	f926cc363c27c542c23e14398096eda8.exe	148
PID 468 wrote to memory of 4496	468	f926cc363c27c542c23e14398096eda8.exe	149
PID 468 wrote to memory of 4496	468	f926cc363c27c542c23e14398096eda8.exe	149
PID 468 wrote to memory of 4620	468	f926cc363c27c542c23e14398096eda8.exe	151
PID 468 wrote to memory of 4620	468	f926cc363c27c542c23e14398096eda8.exe	151
PID 468 wrote to memory of 1604	468	f926cc363c27c542c23e14398096eda8.exe	152
PID 468 wrote to memory of 1604	468	f926cc363c27c542c23e14398096eda8.exe	152
PID 468 wrote to memory of 3144	468	f926cc363c27c542c23e14398096eda8.exe	153
PID 468 wrote to memory of 3144	468	f926cc363c27c542c23e14398096eda8.exe	153
PID 468 wrote to memory of 1256	468	f926cc363c27c542c23e14398096eda8.exe	154
PID 468 wrote to memory of 1256	468	f926cc363c27c542c23e14398096eda8.exe	154
PID 468 wrote to memory of 3872	468	f926cc363c27c542c23e14398096eda8.exe	155
PID 468 wrote to memory of 3872	468	f926cc363c27c542c23e14398096eda8.exe	155
PID 468 wrote to memory of 4796	468	f926cc363c27c542c23e14398096eda8.exe	156
PID 468 wrote to memory of 4796	468	f926cc363c27c542c23e14398096eda8.exe	156
PID 468 wrote to memory of 3432	468	f926cc363c27c542c23e14398096eda8.exe	157
PID 468 wrote to memory of 3432	468	f926cc363c27c542c23e14398096eda8.exe	157
PID 468 wrote to memory of 3140	468	f926cc363c27c542c23e14398096eda8.exe	159
PID 468 wrote to memory of 3140	468	f926cc363c27c542c23e14398096eda8.exe	159
PID 468 wrote to memory of 744	468	f926cc363c27c542c23e14398096eda8.exe	160
PID 468 wrote to memory of 744	468	f926cc363c27c542c23e14398096eda8.exe	160
PID 468 wrote to memory of 3996	468	f926cc363c27c542c23e14398096eda8.exe	161
PID 468 wrote to memory of 3996	468	f926cc363c27c542c23e14398096eda8.exe	161
PID 468 wrote to memory of 5068	468	f926cc363c27c542c23e14398096eda8.exe	163
PID 468 wrote to memory of 5068	468	f926cc363c27c542c23e14398096eda8.exe	163
PID 468 wrote to memory of 3912	468	f926cc363c27c542c23e14398096eda8.exe	164
PID 468 wrote to memory of 3912	468	f926cc363c27c542c23e14398096eda8.exe	164
PID 468 wrote to memory of 3312	468	f926cc363c27c542c23e14398096eda8.exe	165
PID 468 wrote to memory of 3312	468	f926cc363c27c542c23e14398096eda8.exe	165
PID 468 wrote to memory of 3796	468	f926cc363c27c542c23e14398096eda8.exe	166
PID 468 wrote to memory of 3796	468	f926cc363c27c542c23e14398096eda8.exe	166
PID 468 wrote to memory of 5356	468	f926cc363c27c542c23e14398096eda8.exe	182
PID 468 wrote to memory of 5356	468	f926cc363c27c542c23e14398096eda8.exe	182
PID 5356 wrote to memory of 6020	5356	sysmon.exe	183
PID 5356 wrote to memory of 6020	5356	sysmon.exe	183
PID 5356 wrote to memory of 5168	5356	sysmon.exe	184
PID 5356 wrote to memory of 5168	5356	sysmon.exe	184
PID 6020 wrote to memory of 3736	6020	WScript.exe	185
PID 6020 wrote to memory of 3736	6020	WScript.exe	185
PID 3736 wrote to memory of 5248	3736	sysmon.exe	186
PID 3736 wrote to memory of 5248	3736	sysmon.exe	186
PID 3736 wrote to memory of 4748	3736	sysmon.exe	187
PID 3736 wrote to memory of 4748	3736	sysmon.exe	187
PID 5248 wrote to memory of 4616	5248	WScript.exe	196
PID 5248 wrote to memory of 4616	5248	WScript.exe	196
PID 4616 wrote to memory of 5800	4616	sysmon.exe	197
PID 4616 wrote to memory of 5800	4616	sysmon.exe	197
PID 4616 wrote to memory of 1748	4616	sysmon.exe	198
PID 4616 wrote to memory of 1748	4616	sysmon.exe	198
PID 5800 wrote to memory of 5204	5800	WScript.exe	199
PID 5800 wrote to memory of 5204	5800	WScript.exe	199
PID 5204 wrote to memory of 3648	5204	sysmon.exe	200
PID 5204 wrote to memory of 3648	5204	sysmon.exe	200
PID 5204 wrote to memory of 5960	5204	sysmon.exe	201
PID 5204 wrote to memory of 5960	5204	sysmon.exe	201
PID 3648 wrote to memory of 5276	3648	WScript.exe	203
PID 3648 wrote to memory of 5276	3648	WScript.exe	203
PID 5276 wrote to memory of 3884	5276	sysmon.exe	204
PID 5276 wrote to memory of 3884	5276	sysmon.exe	204

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f926cc363c27c542c23e14398096eda8.exe
"C:\Users\Admin\AppData\Local\Temp\f926cc363c27c542c23e14398096eda8.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f926cc363c27c542c23e14398096eda8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\9067c5701a2f6bcc5b\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
  "C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eb517b1-5c46-40f7-8f04-e5c706f24850.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6020
  - - C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
      C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d500b4f5-c0b1-4390-927d-7a7d42931bde.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5248
      - C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90399c3-3796-4138-8592-60904ac550f6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544164e3-4c70-4d58-96cc-d71969984898.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77920baa-b88b-43d1-80d2-a9e84f1a32ef.vbs"
        11⤵
        
        PID:3884
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c389cdf8-5c9d-45ce-b15a-f47479a70bb7.vbs"
        13⤵
        
        PID:4216
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c7968b3-3134-473b-b56e-4e06a1e4dc53.vbs"
        15⤵
        
        PID:3092
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4579324-20ff-4a69-8646-a779d1eddbfd.vbs"
        17⤵
        
        PID:4868
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c39e8b1-b69f-4638-8727-f6931abd06d4.vbs"
        19⤵
        
        PID:5944
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b85d883-4b6d-454c-b5db-ce9c2154aef6.vbs"
        21⤵
        
        PID:1048
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff00a287-4305-439e-9979-9fabfb823688.vbs"
        23⤵
        
        PID:5320
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b68cae8d-59b7-4353-a433-970c5e356f16.vbs"
        25⤵
        
        PID:4580
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c49f3f07-14a2-4bdb-a9c3-bdc86fb4e576.vbs"
        27⤵
        
        PID:3788
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b76cebf-4ee0-4ef6-95fc-00e086f8e45e.vbs"
        29⤵
        
        PID:3648
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\752c14be-86be-4afe-840a-96022f6e35e8.vbs"
        31⤵
        
        PID:4084
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecb33377-26db-4209-9694-e5b0d3f49923.vbs"
        33⤵
        
        PID:1096
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259f9f8d-8583-4c2a-9f02-869cbaf20b74.vbs"
        35⤵
        
        PID:5232
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        36⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\214e4782-60cc-4fd4-b3fa-f8b1888991ed.vbs"
        37⤵
        
        PID:4300
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        38⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaa407c-1764-433e-9739-9097be04b5ef.vbs"
        39⤵
        
        PID:1552
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        40⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1332ef6-1b21-45e5-8707-aab4a526e928.vbs"
        41⤵
        
        PID:4452
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        42⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b23499cb-d2d7-48a1-9b0d-075bc21167ae.vbs"
        43⤵
        
        PID:1048
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        44⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e3b66dc-3aa7-43d3-85b7-b1fab8f238bc.vbs"
        45⤵
        
        PID:5288
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe208e4d-4d6f-454a-afcb-96ff6d96d7de.vbs"
        47⤵
        
        PID:4580
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        48⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f41f6a-8eb7-40b3-9ac7-825e9b37d73f.vbs"
        49⤵
        
        PID:4152
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        50⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c75e8ff9-a779-4ee8-8e8a-ec887b4bdc18.vbs"
        51⤵
        
        PID:5388
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        52⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a034cb00-4767-4270-bcb7-0109534ccc9e.vbs"
        53⤵
        
        PID:3316
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        54⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\013ceb9d-1206-46db-81f5-394f053fda1d.vbs"
        55⤵
        
        PID:452
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        56⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b50cb0f8-e1e6-41b5-9cf3-0c80619ff812.vbs"
        57⤵
        
        PID:6072
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        58⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06d7915a-6074-49f6-91d3-c64f1a2d7e18.vbs"
        59⤵
        
        PID:4176
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        60⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92108d13-df97-457c-89b6-b56e4d5ab93a.vbs"
        61⤵
        
        PID:5064
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        62⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93a1f960-3c30-45fd-8f10-a2cc759aaf9e.vbs"
        63⤵
        
        PID:3904
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        64⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5615dac3-a8cc-4357-8059-e4b3c833425a.vbs"
        65⤵
        
        PID:1292
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        66⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a142288-d021-499f-ace0-a1dfc7b93674.vbs"
        67⤵
        
        PID:3572
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        68⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87fd3ad7-0e46-495e-95fa-8d50903fc2e9.vbs"
        69⤵
        
        PID:1808
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        70⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25b234ce-0a2b-4e60-b5e6-2ceaf9d89874.vbs"
        71⤵
        
        PID:5876
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        72⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406472d0-2966-4a22-b680-69ab2de220be.vbs"
        73⤵
        
        PID:5556
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        74⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e6420c-bd78-4a32-a049-6f8e828ca3c9.vbs"
        75⤵
        
        PID:4232
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        76⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73d4c89-b560-43d6-a93f-0508ba5134c4.vbs"
        77⤵
        
        PID:2052
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        78⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        System policy modification
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cf8db54-100c-4940-9039-a5e5280c5b15.vbs"
        79⤵
        
        PID:4924
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        
        C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
        80⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c401ce-0b5d-4700-92f5-7b723054c663.vbs"
        79⤵
        
        PID:6092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0be540c8-b159-4752-b2c0-6b2797a994d2.vbs"
        77⤵
        
        PID:5420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb8209af-3841-4bc6-be8a-8ee836fd62bb.vbs"
        75⤵
        
        PID:3740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afacc516-d8a7-4150-9715-ee2d295fd484.vbs"
        73⤵
        
        PID:6020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc333821-eb1f-482c-a1af-6c4982624d42.vbs"
        71⤵
        
        PID:5620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5e20f3a-dac8-4c09-9599-6f8e1f244e80.vbs"
        69⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1607c919-1b6c-49a3-afc0-35a5889fc47b.vbs"
        67⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5326c84f-b762-4115-b00f-d350e0131ab4.vbs"
        65⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fa0dde-25be-4abb-96d3-18e2711fc0ce.vbs"
        63⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328323cb-5c51-4c57-b4c5-367c30a777b0.vbs"
        61⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c8601c8-9f39-4ec0-abb5-6d66fa58bb4a.vbs"
        59⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f9aeb0-7bab-4f5f-b4d8-53d6dce238f5.vbs"
        57⤵
        
        PID:4140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d682c8-58b4-4f66-b693-c79da76cf204.vbs"
        55⤵
        
        PID:6068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee6e252-fbc2-4a4d-a1d0-a4ebabca09ac.vbs"
        53⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\691939e0-744f-4912-b7b2-11842ac69f59.vbs"
        51⤵
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32767d7-84f8-4112-9c01-9ad17568442c.vbs"
        49⤵
        
        PID:5840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f09e19-1fd5-42b0-acde-5b27daa471a8.vbs"
        47⤵
        
        PID:5500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0992057b-ee52-452d-bdd2-532ef42d42ba.vbs"
        45⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43d1844-7167-46e8-acd7-2e848e5b9930.vbs"
        43⤵
        
        PID:3476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef580c56-cf7b-4456-8492-0965a22a720a.vbs"
        41⤵
        
        PID:5324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f3fb7ca-9571-4642-90b9-b84f456a3963.vbs"
        39⤵
        
        PID:3800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b53c318-8e50-48f9-8a24-7333723bc725.vbs"
        37⤵
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6a67674-27f9-4261-ae89-05aed0ae2835.vbs"
        35⤵
        
        PID:5400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab339a57-7396-4a5a-81f7-2063a9338364.vbs"
        33⤵
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99e60afb-2381-4bb8-83f9-993a629fa2ad.vbs"
        31⤵
        
        PID:5496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b66341e-af1c-4786-81f9-763d8de8177e.vbs"
        29⤵
        
        PID:5704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82b4d624-518a-4db0-b7be-14003235f6f2.vbs"
        27⤵
        
        PID:3820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5dce09-ade1-4e97-86f2-1f6319fe2797.vbs"
        25⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\932d0eb4-1070-406e-a7c3-20cad13f2b5a.vbs"
        23⤵
        
        PID:5272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f19abb8-1325-48fd-ae7d-6ff9350d5741.vbs"
        21⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9ff7f9-c7bf-440c-9533-cf1d47685533.vbs"
        19⤵
        
        PID:5816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab5d352c-95af-4473-8083-b74002376f4b.vbs"
        17⤵
        
        PID:5196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70d412ae-5733-4313-a3d8-950235e0dbe2.vbs"
        15⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\341b94bd-d202-423d-ab98-555a67fad5e0.vbs"
        13⤵
        
        PID:5456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a149f6f5-a59b-4b3f-b117-97a4b469009f.vbs"
        11⤵
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\459ab7d4-33ef-48f1-ae1f-3ad3a792fc81.vbs"
        9⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c724429b-6110-427f-99a2-735af1c19343.vbs"
        7⤵
        
        PID:1748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bcdf25f-fda7-413f-a1b8-17803135e8e1.vbs"
        5⤵
        
        PID:4748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f5802f3-a38d-4139-8c52-12e7f12b156d.vbs"
    3⤵
    PID:5168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8f" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8f" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Cursors\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\9067c5701a2f6bcc5b\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\9067c5701a2f6bcc5b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\9067c5701a2f6bcc5b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8f" /sc MINUTE /mo 5 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8" /sc ONLOGON /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f926cc363c27c542c23e14398096eda8f" /sc MINUTE /mo 13 /tr "'C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe
C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\Cursors\TextInputHost.exe
C:\Windows\Cursors\TextInputHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe
C:\95a9da8d6083c53f11d88fcfaf8c\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Users\Public\AccountPictures\Idle.exe
C:\Users\Public\AccountPictures\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Program Files\Windows Sidebar\Gadgets\upfc.exe
"C:\Program Files\Windows Sidebar\Gadgets\upfc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Recovery\WindowsRE\Registry.exe
C:\Recovery\WindowsRE\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\SendTo\taskhostw.exe
C:\Users\Admin\SendTo\taskhostw.exe
1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
PID:5940
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a04f9f-43a2-4f72-9565-9b33def070d4.vbs"
  2⤵
  PID:4536
- - C:\Users\Admin\SendTo\taskhostw.exe
    C:\Users\Admin\SendTo\taskhostw.exe
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    PID:5592
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc659de-baf7-4646-82fe-39f01ac19a4f.vbs"
      4⤵
      PID:5368
    - - C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:712
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d12f88c-42d3-4286-80c8-4378c22c49a3.vbs"
        6⤵
        
        PID:5568
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c59a56-090b-410f-a335-15d0a50d83eb.vbs"
        8⤵
        
        PID:4452
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01480cb7-7fb4-40c2-9230-a8f91476687f.vbs"
        10⤵
        
        PID:5824
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:5216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94dc46a9-5bc2-46d8-b5df-e2d2bd4a6551.vbs"
        12⤵
        
        PID:2112
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7638d270-5be2-457c-b634-09abad43e4f3.vbs"
        14⤵
        
        PID:5268
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dd54bf2-c12c-4849-9092-e3b588c03b2a.vbs"
        16⤵
        
        PID:5396
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef183341-18f7-4f1a-b5b5-8ef2d3bf02b8.vbs"
        18⤵
        
        PID:2404
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d43496-56dc-46bc-b2ae-08a04975cccb.vbs"
        20⤵
        
        PID:4588
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71319392-f631-48af-b4fc-9397ca605fff.vbs"
        22⤵
        
        PID:5776
        
        C:\Users\Admin\SendTo\taskhostw.exe
        
        C:\Users\Admin\SendTo\taskhostw.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5038ecc-2bd9-4b9a-b41b-156de33a3faa.vbs"
        24⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc83899-c5ed-41eb-9331-3207671298b7.vbs"
        24⤵
        
        PID:5152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8961b630-5f74-4a1d-abf4-16f5d0e45f4f.vbs"
        22⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9607ab-b0d9-4762-87c9-f91e20102c69.vbs"
        20⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3531973-1c0e-4053-9838-fc05139c93e5.vbs"
        18⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6662bc7-07a9-4aee-9ef1-d2db3dd9a82b.vbs"
        16⤵
        
        PID:5316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88c792da-390c-4b50-a3a9-fea86ac56fa7.vbs"
        14⤵
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81bd8dc6-57ee-421e-9885-66f70ee05236.vbs"
        12⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18024423-05c0-46cf-855b-9c83ff947b88.vbs"
        10⤵
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\822b4022-d745-4aaf-b036-9e55a014ee56.vbs"
        8⤵
        
        PID:3436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7017c80-1587-4a2b-ad09-44269c680305.vbs"
        6⤵
        
        PID:4904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f93f32ac-0a53-4539-87a0-be7c55ea5a38.vbs"
      4⤵
      PID:4988
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f99a40-2bcf-4ba4-8ded-7205333d5e9b.vbs"
  2⤵
  PID:3372

C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe
C:\95a9da8d6083c53f11d88fcfaf8c\f926cc363c27c542c23e14398096eda8.exe
1⤵
- Executes dropped EXE
PID:2844

C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
C:\95a9da8d6083c53f11d88fcfaf8c\sysmon.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe
C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Recovery\WindowsRE\OfficeClickToRun.exe
C:\Recovery\WindowsRE\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
1⤵
- Executes dropped EXE
PID:5736

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9067c5701a2f6bcc5b\dllhost.exe

Filesize
1.9MB

MD5
bcdbaaaacd8f3153d4d8ed6013cdc968

SHA1
8b4375f0c8c24363fe42fb6ec97afe6955789614

SHA256
4f1bcfd1e3e92d500344e5ab5237a7a912e68fa8de02598f3a9f6e035d57032c

SHA512
284c7ab3e2c870a72b1dd1e59d0ae96b06872b3897e573e1ecac5790cb1ab62364a891ff664c2421d691feee824930cc22444445b4717c391776990920d8146b

Download Submit
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe

Filesize
1.9MB

MD5
35dd56815c2b7f48964b4ff1fa7ad74d

SHA1
a76f4e3691455c98990e517d776159cb9a70e2ec

SHA256
6983ba10286163f1c3541dcdf178b9b25c4919b6298b1332892d9ebcb955a6ad

SHA512
7a8df4ec359df77955d30bdedbfed121e9a07d17ef2f83489b33af6b86cd33447499a050a601f3096a77c061f04e545983930730d971823af910f5be5afe0e98

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\Idle.exe

Filesize
1.9MB

MD5
b19d433935f28f79e27fefbc8c98097b

SHA1
281d3192edfa51862795f1b706b92b2a2f1b0831

SHA256
0cbdede65b69662a02e1079b2cc52a4e7a56c9d9e2485b2c147d9f33db7a9ca2

SHA512
667d1c4b2753af2d34b29b49986dddbf4acb87f15dd41807414212974d6850b5f21b56ee3fadd28b6a8a7a13cdb3037ca186c9610e37ff0a00b20751505b490c

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\upfc.exe

Filesize
1.9MB

MD5
efcc57141dfc4983b3ec085f8488f227

SHA1
5e0e599e531b54658b06b7b7eb95487cb791e55d

SHA256
33d2323a0f0a84a278beaa86d27b85fd84dbd652fc6e2f8f564324f487939b0c

SHA512
617e7dc01a0ae647bd73907c4e857e47fb7769f4603f6db778ae16afa3d20903b35f385009decad92cfa1b6a17f8e8178e1782e0fdc0e41136cf8e41231702fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
f0ed8114654e67181c966be15f6c534f

SHA1
bacac27eef523e2a88f6403553afb9ddf39b98cf

SHA256
92418fdf40a52321b102a8bde739b0c2d40d9ddbac91866d02553e511bd38791

SHA512
85052a182a3ea12c7bf2be22b46686d21822dd5dc236b3c08e2ed1f81479c3b4c9afedb0bc50a8423d0ae27777dfac170eb0ca36032bb941a34f1024cc89353a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
abff63ab7ec3c9f245328f48df37265a

SHA1
be04f390cd7c320cb76768616f6c8bdb52552cac

SHA256
a28453da873c6787b348483d7329e3b664e12d3bf2495a67708acd75390ba8f1

SHA512
b482f9fdc8b43c04abcdb57036e7a92cafb4562c09bd44cb3b4d56b8b9457bd0dc2a7e3e7cef18dc18283eb9c03fb96095531fef3c0796d21e000bf8b0e0538f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
79a11bc629c54beffe541507473ca6c5

SHA1
7d1d78c10bfdb5e338ae4831f32a571a1362e3f6

SHA256
b75463c0765737425c2000412d88de89e64c69594cdbf48914b7973b32d4d919

SHA512
dcdf2dcfd3063a72096e3486bdd11b6a76a126320e3fc859543cac30e4d628b6bb873367d9c537657494d84ed3531cff355373a51af1ccda0c9be7b23356770a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc05a4f71923730b4eed5cb63f86aeed

SHA1
798199489ad94c55021a92ec812b320ed90b5711

SHA256
557afa6640a2b8ba319b55ac8d6b4b79e8e4bcda916870baa5f74dc9bd937650

SHA512
fe0bfd9ffdfebf5c10320e0701a3dad1da28b826395154ba95f53ea76b2e68a3e6504e539b504aa24a276877ebdbfd1e3fc6c1a2763bb80d17bc69471388656b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5224a8af64b17b8a36247f8bda22bc94

SHA1
841edc986867d9813534b217790e76b017c48617

SHA256
464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

SHA512
041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa06cb40f97ab488651f3aebd1e07736

SHA1
5094da2f768387c80a0e879ef43ffbdc677ddc97

SHA256
d792dfc55ca10a274ff6ace7d3f5bf6d4cfc9dcefd7c0e9b8aa714fff8988b82

SHA512
e3d49f6cb6b50acd6e93c9bc2b46cffa238d1d28b26f1c549267f32abdfd239c75a261b7bab9edcce606f35b8ca632676efaca3f2b1bbdb9bb739115f6003af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b85d883-4b6d-454c-b5db-ce9c2154aef6.vbs

Filesize
718B

MD5
fdb808d4395559f9991fae6bae78e68d

SHA1
afb429271b56a2eff0a0361fb92964d1dd2a164b

SHA256
763743fb95cecd2ff32cfed9153803c9bb298b062951420461dd8784a1bf5a83

SHA512
f074e709fb4d799a776c1fd795a42ce70c96d8d815c134d105a3426302df18e642b8a05651fa787465bc7b3a7bfca0971d6c7541dd9ed77cf178331848baa3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c39e8b1-b69f-4638-8727-f6931abd06d4.vbs

Filesize
718B

MD5
753a0e905d963211da52314ff9189d68

SHA1
79743f8e3505213f28e2a111635bf987ec657467

SHA256
f4969de9d7bac275ad2353e81c367fb3be52fa563618c9ceed8d9b2a8bb17ef1

SHA512
47fa56f08273a26059355f304f055bbd2c25739a8b5389aeecafc7db56eb76f1f90dfe81b8e8827db2530975692cfe8e0e02d1f12f0e3f679b514335bc4cadbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\544164e3-4c70-4d58-96cc-d71969984898.vbs

Filesize
718B

MD5
4b97d5bd02f973fea183597ad94245b3

SHA1
3f4631ba611dc7e22cb0bfe5cc8f6448268ee546

SHA256
9e73d8bffd1234ddfebeff4f5bbd24128c4856482b85ec269d6072b96b37ee34

SHA512
ad9f4326ea4370f76c5c717018514b4838a643a257fdc9666291c928323607cf9ff58989516dd31776a4a53bc1a4c290853ad689346eb72da930d87dc79d680b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f5802f3-a38d-4139-8c52-12e7f12b156d.vbs

Filesize
494B

MD5
abbb129adcb9fd33ca031d9beb2529b3

SHA1
cbbba58fdfe7d8df7a3e0edbcff610956fb674e5

SHA256
9483a28700a33827bbd127af5259139291768fcbcd7436a6b65406f087a626e8

SHA512
01deb09dc3e6e3c09167ec096986bbe279c1affc5c2ebe7f620e1557a2f3f8aba6ac587805789c9dd8637216555271c5a4ed012c895f4c3dabff1cfb6af161b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\77920baa-b88b-43d1-80d2-a9e84f1a32ef.vbs

Filesize
718B

MD5
e74cd69440fcfe51af4100a29f121420

SHA1
e2fa389628cf182e0f8bc488042ffcce4a30e624

SHA256
1f27c7ca677eb248ecb78b16b8ee27cb23e2da5089bc62652eac6f0f9d4bba3f

SHA512
d2ebc2038523a296e814faf968af39b63326a359aefef9077adf1fa35f00b2b7d94514c18caecdd9aa971e4ca6e84d79c1062b87d30287ef28568a0afa19a61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7968b3-3134-473b-b56e-4e06a1e4dc53.vbs

Filesize
718B

MD5
b43a7d70185bc76e60aef266951c39c4

SHA1
c62798e4e2a57d8ff57fe797d3304dcf5adfcc6a

SHA256
36843755233b810a8f4aa4430dd9ff9d7e2019f197ecbf65ab5580bb61d0dd2d

SHA512
dcdaef959b2c5fc2ffced3ee6eb656e44f4eb4511a95b3bd589d6ad9aed3275d983a6120ad14b428b115a37e97a6192e2dfcdcd6a9fe41c7627d0c4072158883

Download Submit
C:\Users\Admin\AppData\Local\Temp\8eb517b1-5c46-40f7-8f04-e5c706f24850.vbs

Filesize
718B

MD5
5e38eacdcac3204f7b2846780cab3871

SHA1
e9597e12e52259a7c865cf0b736514e5773ecf00

SHA256
303e29e3c9796a5af603c212293a9b109429b0fdbfb118433ca37630476a6483

SHA512
7412830fb2f69278ea49f2bb25e870197c948e506ac2f42c83bdd5e75bc30191655c3d8acb96975cece1ba211a79e194126cea3d3b97e7ebeee97677f9382788

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lsu4qpq.eu5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c389cdf8-5c9d-45ce-b15a-f47479a70bb7.vbs

Filesize
718B

MD5
577a439575d0265565fd5e080aca94ee

SHA1
b907f0e956a844eb2712d5cb3221f98ecd9019e2

SHA256
55bdfd79e05d458f5b13b1e2a5faeede93cdcffacf1b5a2572acf7a3c1ba7df4

SHA512
d6ef45db6d67bd0300b04a8efe417483624855496038d6f476e79f8748ec3e43b393701b3f2b5bc974e8104671e6b24296eacfc6d5d14eee3725a7044a2b28a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4579324-20ff-4a69-8646-a779d1eddbfd.vbs

Filesize
718B

MD5
8f25f9e8a495f649ae0ea0b20bea4ef2

SHA1
3a6f2404efa659b9d4cd1884fc9d1eb27faaac00

SHA256
0fac8f8dba8dc5b53c2c896d5de41a1344cc3fda2e4926875498d0642150a3a2

SHA512
6c809f33c7457b23f3a8e4b67c466cc784eea7e3d5d6c4ecac8c0a0e2548cf3577c4fdb467e9b7e1bf23c386d0a73833aa76d9c8954712383759483f99f30bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d500b4f5-c0b1-4390-927d-7a7d42931bde.vbs

Filesize
718B

MD5
41d6007cc61c321141bd4094155bad4d

SHA1
5ad6535c2884443a19096fb6c1ca1e85b6b6b01b

SHA256
ba239b8ced09ea80c19a302feebc152dc1093e4c055cdcc8975e7ba0984ef974

SHA512
ef60f09bceeda2e9f40332835b25ae59088ca0586121174f9362027cc3f92f1b0a1dec4893788b4af279409ff85b4a06ff6811817dc0ff285434d33598069cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\f90399c3-3796-4138-8592-60904ac550f6.vbs

Filesize
718B

MD5
a62564a6481b5943a30dd785857d45e6

SHA1
3f3d269d2028e28cfc9c1b555727b9e23417a7fd

SHA256
fa5f9b4af37f2105f36406bfbec56dad63bfcdd73bb896c472be7031a40d9fa0

SHA512
f39e1682b08e7ee802bb1aef17726e8f59846f362b3cc9a6ccc3ecd0254d1499010e382250fe303576f29c44de3e55b45ffedf7f6b75b6b16d0241714679d195

Download Submit
C:\Users\Admin\AppData\Local\Temp\f93f32ac-0a53-4539-87a0-be7c55ea5a38.vbs

Filesize
487B

MD5
e8033e4cec3dcff38770188290ba3708

SHA1
d9fabf2adcc0eee61c55a89d6ec36aad2cd22e3a

SHA256
699b07eefd0355eec91ada9b3ce8cff3fe41478b94291d57117a974663f72467

SHA512
eb04ff988d5f4c50c7d740c6fde7f04d51e05e518e05db1008dc03d754c263d7c624143a54e2068b1286ba79cb5a2e25d6e4a8d1cf0dc635f1682eb1b2f58a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff00a287-4305-439e-9979-9fabfb823688.vbs

Filesize
718B

MD5
c601198ec00d78f7420e9dce183df8aa

SHA1
59608438cf4f87de9d5dcb0001f89a0210fa2cce

SHA256
64bbb80c60f3f9108bf08c49e7d8aed0354b1e0509fa6aa186036e789c0d1bf5

SHA512
f1daa8df5ac08298126ab7187cd3a84d0a53efb04d598398f38d752952f2a6f2e41ffd75158e52dd9fd2611696868eb749c3d52deb1266f52a861a42ad67e7ba

Download Submit
C:\Windows\Cursors\TextInputHost.exe

Filesize
1.9MB

MD5
f926cc363c27c542c23e14398096eda8

SHA1
03442d6ea4a9acd36987b916ffe0261810e6dbfd

SHA256
ec0c9de9d6eef69bfe2c220f21971d4acc91004194cd8cf993a2bd34a04e31df

SHA512
581d105843a37d51aed86b071aed97c4188cb4bc8aed8b8c9bd9f7c297d5b3ba79d1d93f0a3d9bb5da89dbb445385838f7df229bec27b36d46b13757eb16491f

Download Submit
C:\Windows\PolicyDefinitions\de-DE\f926cc363c27c542c23e14398096eda8.exe

Filesize
1.9MB

MD5
b3240663c24afd180226f81439690a51

SHA1
9ba3b39973520e70dba50750e285b92b9f2bf743

SHA256
c7f2b4f6c6fb20b3327b5bee5a3b18702174c3afc5f3244e5c9cf11dd9665966

SHA512
ca929fe4d5e6ee95da3e0757d612eaf47aa3b23a966656fa39e956b5a93dd1266eea58abb56fa0a809dd68c2af1a3a7a5c4014aa643f78a8e603e07af35c9eec

Download Submit
memory/384-826-0x000000001B470000-0x000000001B482000-memory.dmp

Filesize
72KB

Download
memory/468-4-0x000000001C380000-0x000000001C3D0000-memory.dmp

Filesize
320KB

Download
memory/468-5-0x00000000033D0000-0x00000000033D8000-memory.dmp

Filesize
32KB

Download
memory/468-1-0x0000000000FE0000-0x00000000011CA000-memory.dmp

Filesize
1.9MB

Download
memory/468-222-0x00007FFD5C5B0000-0x00007FFD5D071000-memory.dmp

Filesize
10.8MB

Download
memory/468-204-0x00007FFD5C5B3000-0x00007FFD5C5B5000-memory.dmp

Filesize
8KB

Download
memory/468-3-0x000000001BDE0000-0x000000001BDFC000-memory.dmp

Filesize
112KB

Download
memory/468-0-0x00007FFD5C5B3000-0x00007FFD5C5B5000-memory.dmp

Filesize
8KB

Download
memory/468-7-0x000000001BE00000-0x000000001BE16000-memory.dmp

Filesize
88KB

Download
memory/468-10-0x000000001C340000-0x000000001C34C000-memory.dmp

Filesize
48KB

Download
memory/468-11-0x000000001C350000-0x000000001C358000-memory.dmp

Filesize
32KB

Download
memory/468-14-0x000000001CE70000-0x000000001D398000-memory.dmp

Filesize
5.2MB

Download
memory/468-2-0x00007FFD5C5B0000-0x00007FFD5D071000-memory.dmp

Filesize
10.8MB

Download
memory/468-16-0x000000001C5F0000-0x000000001C5FA000-memory.dmp

Filesize
40KB

Download
memory/468-17-0x000000001C600000-0x000000001C60E000-memory.dmp

Filesize
56KB

Download
memory/468-18-0x000000001C610000-0x000000001C618000-memory.dmp

Filesize
32KB

Download
memory/468-19-0x000000001C620000-0x000000001C62C000-memory.dmp

Filesize
48KB

Download
memory/468-20-0x000000001C630000-0x000000001C63C000-memory.dmp

Filesize
48KB

Download
memory/468-15-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/468-6-0x00000000033F0000-0x0000000003400000-memory.dmp

Filesize
64KB

Download
memory/468-13-0x000000001C360000-0x000000001C372000-memory.dmp

Filesize
72KB

Download
memory/468-9-0x000000001C3D0000-0x000000001C426000-memory.dmp

Filesize
344KB

Download
memory/468-470-0x00007FFD5C5B0000-0x00007FFD5D071000-memory.dmp

Filesize
10.8MB

Download
memory/468-8-0x000000001C330000-0x000000001C33A000-memory.dmp

Filesize
40KB

Download
memory/712-865-0x000000001BC90000-0x000000001BCE6000-memory.dmp

Filesize
344KB

Download
memory/712-866-0x000000001BC20000-0x000000001BC32000-memory.dmp

Filesize
72KB

Download
memory/760-694-0x000000001B780000-0x000000001B7D6000-memory.dmp

Filesize
344KB

Download
memory/1484-771-0x0000000000DA0000-0x0000000000F8A000-memory.dmp

Filesize
1.9MB

Download
memory/1604-678-0x00000000025E0000-0x0000000002636000-memory.dmp

Filesize
344KB

Download
memory/2380-587-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/2708-928-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/2844-920-0x000000001B270000-0x000000001B2C6000-memory.dmp

Filesize
344KB

Download
memory/3268-804-0x0000000002BE0000-0x0000000002C36000-memory.dmp

Filesize
344KB

Download
memory/3324-796-0x000000001B840000-0x000000001B852000-memory.dmp

Filesize
72KB

Download
memory/3736-520-0x000000001B760000-0x000000001B7B6000-memory.dmp

Filesize
344KB

Download
memory/3928-787-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/4024-656-0x0000000002C30000-0x0000000002C42000-memory.dmp

Filesize
72KB

Download
memory/4236-648-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

Filesize
72KB

Download
memory/4620-302-0x0000025AF7B00000-0x0000025AF7B22000-memory.dmp

Filesize
136KB

Download
memory/4628-898-0x0000000002A40000-0x0000000002A52000-memory.dmp

Filesize
72KB

Download
memory/4844-756-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/5592-857-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/5680-633-0x000000001BF00000-0x000000001BF12000-memory.dmp

Filesize
72KB

Download
memory/5736-881-0x00000000001B0000-0x000000000039A000-memory.dmp

Filesize
1.9MB

Download
memory/5744-686-0x0000000002BF0000-0x0000000002C46000-memory.dmp

Filesize
344KB

Download
memory/5876-738-0x000000001BDD0000-0x000000001BDE2000-memory.dmp

Filesize
72KB

Download
memory/5940-848-0x000000001B830000-0x000000001B842000-memory.dmp

Filesize
72KB

Download
memory/6052-610-0x000000001B3D0000-0x000000001B3E2000-memory.dmp

Filesize
72KB

Download