Analysis
max time kernel: 96s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2022 03:44
Static task: static1
Behavioral task: behavioral1 (Sample: Chew7.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Chew7.exe, Resource: win10-20220812-en)
Behavioral task: behavioral3 (Sample: Chew7.exe, Resource: win10v2004-20220901-en)
General
Target: Chew7.exe
Size: 1.6MB
MD5: 7e91139648b5a14b483486c053d5f4d0
SHA1: 78ec7fcb573d3ebb9b5110f9319380cc4b510b12
SHA256: f747a7679964d088e75fa60241238669104107280feacf29cd0041f1f82e16b7
SHA512: 50f9e0346c2dbb5c4f945cd1e88ca3bace3439e54c378ffd475dbc692617d535fa3bed8c2b52436303cb46ca3db49173849fbfadb1a693aea0a87b523de3948d
SSDEEP: 49152:jA3alq/Auj1YD/tmtPIr1PrYD/tmtPIr1Pu:jaY0tgrVY0tgr
Malware Config
Signatures
Executes dropped EXE 45 IoCs
Possible privilege escalation attempt 37 IoCs
Processes:
resource: C:\Windows\System32\hale.exe, yara_rule: upx
resource: behavioral1/memory/1748-67-0x0000000000400000-0x0000000000587000-memory.dmp, yara_rule: upx
resource: behavioral1/memory/1748-188-0x0000000000400000-0x0000000000587000-memory.dmp, yara_rule: upx
Modifies file permissions 1 TTPs 37 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce (reg.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c717271 = "\"C:\\Windows\\System32\\cmd.exe\" /C START /MIN RD /S /Q \"C:\\ProgramData\\Microsoft\\Windows\\Pending\"^&EXIT" (reg.exe)
Drops file in System32 directory 20 IoCs
Processes:
File created: C:\Windows\System32\slmgr.vbs (cmd.exe)
File opened for modification: C:\Windows\SysWOW64\slmgr.vbs (flick.exe)
File created: C:\Windows\SysWOW64\slmgr.vbs (cmd.exe)
File opened for modification: C:\Windows\System32\sppcommdlg.dll (cmd.exe)
File opened for modification: C:\Windows\SysWOW64\sppcommdlg.dll (flick.exe)
File opened for modification: C:\Windows\System32\winlogon.exe (cmd.exe)
File opened for modification: C:\Windows\System32\cwlog.dtl (cmd.exe)
File created: C:\Windows\System32\slwga.dll (cmd.exe)
File opened for modification: C:\Windows\System32\slwga.dll (cmd.exe)
File created: C:\Windows\system32\hale.exe (Chew7.exe)
File opened for modification: C:\Windows\SysWOW64\slmgr.vbs (cmd.exe)
File opened for modification: C:\Windows\SysWOW64\slmgr.vbs (flick.exe)
File opened for modification: C:\Windows\System32\slui.exe (cmd.exe)
File created: C:\Windows\System32\sppcommdlg.dll (cmd.exe)
File created: C:\Windows\System32\sppuinotify.dll (cmd.exe)
File opened for modification: C:\Windows\System32\sppuinotify.dll (cmd.exe)
File created: C:\Windows\System32\winlogon.exe (cmd.exe)
File opened for modification: C:\Windows\System32\slmgr.vbs (cmd.exe)
File opened for modification: C:\Windows\SysWOW64\slwga.dll (flick.exe)
File created: C:\Windows\System32\slui.exe (cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
1332 schtasks.exe
1304 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
Kills process with taskkill 2 IoCs
Processes:
1560 taskkill.exe
540 taskkill.exe
Modifies registry key 1 TTPs 5 IoCs
Processes:
1688 reg.exe
344 reg.exe
1844 reg.exe
1636 reg.exe
304 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 44 IoCs
Suspicious use of AdjustPrivilegeToken 19 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in parentheses, then image path | command line)
(1) C:\Users\Admin\AppData\Local\Temp\Chew7.exe | "C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  (2) C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im hale.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS\PMS /f
  (2) C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
  (2) C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS /f
  (2) C:\Windows\system32\hale.exe | "C:\Windows\system32\hale.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\B74F.tmp\hale.cmd" "
        - Suspicious use of WriteProcessMemory
      (4) C:\Windows\system32\cmd.exe | "C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\B74F.tmp\hale.cmd""
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        (5) C:\Windows\system32\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE
        (5) C:\Windows\system32\find.exe | FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"
        (5) C:\Windows\system32\reg.exe | REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f
        (5) C:\Windows\system32\tasklist.exe | TASKLIST /FI "IMAGENAME eq Chew7.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\find.exe | FIND "Chew7.exe"
        (5) C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
            - Suspicious use of WriteProcessMemory
          (6) C:\Windows\system32\reg.exe | REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        (5) C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
            - Suspicious use of WriteProcessMemory
          (6) C:\Windows\system32\reg.exe | REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
        (5) C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
            - Suspicious use of WriteProcessMemory
          (6) C:\Windows\system32\reg.exe | REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
              - Modifies registry key
        (5) C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c TIME /T
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\winsxs"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Windows\system32\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
        (5) C:\Windows\system32\find.exe | FIND /I "IntervalMinutes"
        (5) C:\Windows\system32\reg.exe | REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes /t REG_DWORD /d 3 /f
        (5) C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes
          (6) C:\Windows\system32\reg.exe | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes
        (5) C:\Windows\system32\reg.exe | REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes /t REG_DWORD /d 3 /f
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Windows\system32\fc.exe | FC /B "C:\Windows\System32\slmgr.vbs" wslmt.dll
        (5) C:\Windows\system32\fc.exe | FC /B "64\slmgr.vbs" "C:\Windows\System32\slmgr.vbs"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\13660.lck" "C:\Windows\System32\slmgr.vbs"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Windows\system32\fc.exe | FC /B "C:\Windows\SysWOW64\slmgr.vbs" wslmt.dll
        (5) C:\Windows\system32\fc.exe | FC /B "32\slmgr.vbs" "C:\Windows\SysWOW64\slmgr.vbs"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\29802.lck" "C:\Windows\SysWOW64\slmgr.vbs"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\fc.exe | FC /B "C:\Windows\System32\slwga.dll" 64\slwga.dll
        (5) C:\Windows\system32\fc.exe | FC /B "64\slwga.dll" "C:\Windows\System32\slwga.dll"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\System32\slwga.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\14362.lck" "C:\Windows\System32\slwga.dll"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\fc.exe | FC /B "C:\Windows\SysWOW64\slwga.dll" 32\slwga.dll
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x84:xFD -r:x85:xFD -o 64\systemcpl.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Windows\system32\fc.exe | FC /B "C:\Windows\System32\slui.exe" wac64.dll
        (5) C:\Windows\system32\fc.exe | FC /B "64\slui.exe" "C:\Windows\System32\slui.exe"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\System32\slui.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\17773.lck" "C:\Windows\System32\slui.exe"
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\fc.exe | FC /B "64\sppcommdlg.dll" "C:\Windows\System32\sppcommdlg.dll"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\17278.lck" "C:\Windows\System32\sppcommdlg.dll"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe | bump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\find.exe | FIND "changed"
        (5) C:\Windows\system32\fc.exe | FC /B "64\sppuinotify.dll" "C:\Windows\System32\sppuinotify.dll"
        (5) C:\Windows\system32\takeown.exe | TAKEOWN /F "C:\Windows\System32\sppuinotify.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F
            - Possible privilege escalation attempt
            - Modifies file permissions
        (5) C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe | flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\2461.lck" "C:\Windows\System32\sppuinotify.dll"
            - Executes dropped EXE
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        (5) C:\Windows\system32\icacls.exe | ICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
            - Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\fc.exeFC /B "C:\Windows\System32\winlogon.exe" wla64.dll5⤵
-
C:\Windows\system32\fc.exeFC /B "64\winlogon.exe" "C:\Windows\System32\winlogon.exe"5⤵
-
C:\Windows\system32\takeown.exeTAKEOWN /F "C:\Windows\System32\winlogon.exe"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exeflick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\7929.lck" "C:\Windows\System32\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\icacls.exeICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""5⤵
-
C:\Windows\system32\find.exeFIND "FAIL:"5⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d "ERROR" /f5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /TN \Microsoft\Windows\PMS\PMS /TR "'C:\Windows\System32\hale.exe' /nolog" /SC MINUTE /MO 3 /RU SYSTEM /F5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /TN \Microsoft\Windows\PMS\ResetDTL /TR "'C:\Windows\System32\cmd.exe' /C DEL /F /Q '"C:\Windows\System32\cwlog.dtl"'" /SC MINUTE /MO 15 /RU SYSTEM /F5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\reg.exeREG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce5⤵
- Modifies registry key
-
C:\Windows\system32\find.exeFIND "c728074"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce5⤵
- Modifies registry key
-
C:\Windows\system32\find.exeFIND "c717271"5⤵
-
C:\Windows\system32\reg.exeREG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce5⤵
- Modifies registry key
-
C:\Windows\system32\find.exeFIND /I "/C START /MIN RD /S /Q"5⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce /v "c717271" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f5⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads