2d10cd1527d82331bcf273069f3f1cee83baf50f17267c51689793d3e4639b72

Resubmissions

23-09-2022 03:44

220923-eaf52sghgp 8

21-09-2022 16:46

220921-t92y5agga2 8

Analysis

max time kernel
96s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chew7.exe
Size

1.6MB
MD5

7e91139648b5a14b483486c053d5f4d0
SHA1

78ec7fcb573d3ebb9b5110f9319380cc4b510b12
SHA256

f747a7679964d088e75fa60241238669104107280feacf29cd0041f1f82e16b7
SHA512

50f9e0346c2dbb5c4f945cd1e88ca3bace3439e54c378ffd475dbc692617d535fa3bed8c2b52436303cb46ca3db49173849fbfadb1a693aea0a87b523de3948d
SSDEEP

49152:jA3alq/Auj1YD/tmtPIr1PrYD/tmtPIr1Pu:jaY0tgrVY0tgr

Score

8^/10

discovery exploit persistence upx

Malware Config

Signatures

Executes dropped EXE 45 IoCs

Processes:

hale.exeflick.exeflick.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exeflick.exeflick.exe

pid	process
1748	hale.exe
872	flick.exe
1688	flick.exe
1616	bump.exe
1772	flick.exe
1832	bump.exe
636	bump.exe
796	bump.exe
1084	bump.exe
1712	bump.exe
1312	bump.exe
1344	bump.exe
1472	bump.exe
1992	bump.exe
1644	bump.exe
1928	bump.exe
1996	bump.exe
1612	bump.exe
2004	bump.exe
860	bump.exe
1768	bump.exe
1264	bump.exe
1188	bump.exe
904	bump.exe
804	bump.exe
1016	bump.exe
976	bump.exe
568	flick.exe
1044	bump.exe
1692	bump.exe
1092	bump.exe
1704	bump.exe
964	bump.exe
1736	bump.exe
1928	bump.exe
1996	bump.exe
1944	bump.exe
1772	flick.exe
284	bump.exe
1452	bump.exe
1832	bump.exe
904	bump.exe
1784	bump.exe
688	flick.exe
1040	flick.exe

Possible privilege escalation attempt 37 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
1120	icacls.exe
1964	icacls.exe
2012	icacls.exe
1920	icacls.exe
860	takeown.exe
1340	icacls.exe
1504	icacls.exe
2004	icacls.exe
1992	icacls.exe
1048	icacls.exe
1216	icacls.exe
1480	icacls.exe
1672	takeown.exe
992	icacls.exe
1516	icacls.exe
1892	icacls.exe
1516	icacls.exe
1404	takeown.exe
832	icacls.exe
804	icacls.exe
1048	icacls.exe
1640	icacls.exe
1188	icacls.exe
1576	icacls.exe
956	takeown.exe
1336	takeown.exe
1772	icacls.exe
1920	takeown.exe
900	icacls.exe
972	icacls.exe
1080	icacls.exe
608	icacls.exe
2008	takeown.exe
1452	icacls.exe
1524	takeown.exe
556	icacls.exe
608	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\System32\hale.exe	upx
behavioral1/memory/1748-67-0x0000000000400000-0x0000000000587000-memory.dmp	upx
behavioral1/memory/1748-188-0x0000000000400000-0x0000000000587000-memory.dmp	upx

Modifies file permissions 1 TTPs 37 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
1340	icacls.exe
972	icacls.exe
1576	icacls.exe
608	icacls.exe
900	icacls.exe
608	takeown.exe
556	icacls.exe
1216	icacls.exe
1480	icacls.exe
1992	icacls.exe
1048	icacls.exe
2008	takeown.exe
1892	icacls.exe
1452	icacls.exe
1080	icacls.exe
956	takeown.exe
2012	icacls.exe
1920	icacls.exe
832	icacls.exe
1120	icacls.exe
1048	icacls.exe
992	icacls.exe
1920	takeown.exe
1504	icacls.exe
1524	takeown.exe
1772	icacls.exe
804	icacls.exe
1516	icacls.exe
1336	takeown.exe
1404	takeown.exe
1516	icacls.exe
1640	icacls.exe
1672	takeown.exe
1188	icacls.exe
1964	icacls.exe
2004	icacls.exe
860	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c717271 = "\"C:\\Windows\\System32\\cmd.exe\" /C START /MIN RD /S /Q \"C:\\ProgramData\\Microsoft\\Windows\\Pending\"^&EXIT"	reg.exe

Drops file in System32 directory 20 IoCs

Processes:

cmd.exeflick.exeflick.exeChew7.exeflick.exeflick.exe

description	ioc	process
File created	C:\Windows\System32\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	flick.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\System32\sppcommdlg.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sppcommdlg.dll	flick.exe
File opened for modification	C:\Windows\System32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\System32\cwlog.dtl	cmd.exe
File created	C:\Windows\System32\slwga.dll	cmd.exe
File opened for modification	C:\Windows\System32\slwga.dll	cmd.exe
File created	C:\Windows\system32\hale.exe	Chew7.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	flick.exe
File opened for modification	C:\Windows\System32\slui.exe	cmd.exe
File created	C:\Windows\System32\sppcommdlg.dll	cmd.exe
File created	C:\Windows\System32\sppuinotify.dll	cmd.exe
File opened for modification	C:\Windows\System32\sppuinotify.dll	cmd.exe
File created	C:\Windows\System32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\System32\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slwga.dll	flick.exe
File created	C:\Windows\System32\slui.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1332 schtasks.exe
1304 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

304 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1560 taskkill.exe
540 taskkill.exe
Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

1688 reg.exe
344 reg.exe
1844 reg.exe
1636 reg.exe
304 reg.exe

pid	process
1332	schtasks.exe
1304	schtasks.exe

pid	process
304	tasklist.exe

pid	process
1560	taskkill.exe
540	taskkill.exe

pid	process
1688	reg.exe
344	reg.exe
1844	reg.exe
1636	reg.exe
304	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 44 IoCs

Processes:

flick.exeflick.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exebump.exeflick.exebump.exebump.exebump.exebump.exebump.exeflick.exeflick.exe

pid	process
872	flick.exe
1688	flick.exe
1616	bump.exe
1772	flick.exe
1832	bump.exe
636	bump.exe
796	bump.exe
1084	bump.exe
1712	bump.exe
1312	bump.exe
1344	bump.exe
1472	bump.exe
1992	bump.exe
1644	bump.exe
1928	bump.exe
1996	bump.exe
1612	bump.exe
2004	bump.exe
860	bump.exe
1768	bump.exe
1264	bump.exe
1188	bump.exe
904	bump.exe
804	bump.exe
1016	bump.exe
976	bump.exe
568	flick.exe
1044	bump.exe
1692	bump.exe
1092	bump.exe
1704	bump.exe
964	bump.exe
1736	bump.exe
1928	bump.exe
1996	bump.exe
1944	bump.exe
1772	flick.exe
284	bump.exe
1452	bump.exe
1832	bump.exe
904	bump.exe
1784	bump.exe
688	flick.exe
1040	flick.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

taskkill.exetaskkill.exetasklist.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

description	pid	process
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	304	tasklist.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	860	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeSecurityPrivilege	1048	icacls.exe
Token: SeTakeOwnershipPrivilege	1672	takeown.exe
Token: SeSecurityPrivilege	1992	icacls.exe
Token: SeTakeOwnershipPrivilege	608	takeown.exe
Token: SeSecurityPrivilege	1452	icacls.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeSecurityPrivilege	1516	icacls.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeSecurityPrivilege	608	icacls.exe
Token: SeTakeOwnershipPrivilege	1336	takeown.exe
Token: SeSecurityPrivilege	1216	icacls.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeSecurityPrivilege	1480	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Chew7.exehale.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1560	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 1560	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 1560	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 540	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 540	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 540	1948	Chew7.exe	taskkill.exe
PID 1948 wrote to memory of 984	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 984	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 984	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 968	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 968	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 968	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 1572	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 1572	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 1572	1948	Chew7.exe	schtasks.exe
PID 1948 wrote to memory of 1748	1948	Chew7.exe	hale.exe
PID 1948 wrote to memory of 1748	1948	Chew7.exe	hale.exe
PID 1948 wrote to memory of 1748	1948	Chew7.exe	hale.exe
PID 1948 wrote to memory of 1748	1948	Chew7.exe	hale.exe
PID 1748 wrote to memory of 896	1748	hale.exe	cmd.exe
PID 1748 wrote to memory of 896	1748	hale.exe	cmd.exe
PID 1748 wrote to memory of 896	1748	hale.exe	cmd.exe
PID 1748 wrote to memory of 896	1748	hale.exe	cmd.exe
PID 896 wrote to memory of 1812	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 1812	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 1812	896	cmd.exe	cmd.exe
PID 896 wrote to memory of 1812	896	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1712	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 1712	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 1712	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 564	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 564	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 564	1812	cmd.exe	reg.exe
PID 1812 wrote to memory of 304	1812	cmd.exe	tasklist.exe
PID 1812 wrote to memory of 304	1812	cmd.exe	tasklist.exe
PID 1812 wrote to memory of 304	1812	cmd.exe	tasklist.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	find.exe
PID 1812 wrote to memory of 344	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 344	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 344	1812	cmd.exe	cmd.exe
PID 344 wrote to memory of 1688	344	cmd.exe	reg.exe
PID 344 wrote to memory of 1688	344	cmd.exe	reg.exe
PID 344 wrote to memory of 1688	344	cmd.exe	reg.exe
PID 1812 wrote to memory of 340	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 340	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 340	1812	cmd.exe	cmd.exe
PID 340 wrote to memory of 1992	340	cmd.exe	reg.exe
PID 340 wrote to memory of 1992	340	cmd.exe	reg.exe
PID 340 wrote to memory of 1992	340	cmd.exe	reg.exe
PID 1812 wrote to memory of 1616	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1616	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1616	1812	cmd.exe	cmd.exe
PID 1616 wrote to memory of 1636	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1636	1616	cmd.exe	reg.exe
PID 1616 wrote to memory of 1636	1616	cmd.exe	reg.exe
PID 1812 wrote to memory of 1632	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1632	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1632	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 2008	1812	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\Chew7.exe
"C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im hale.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS\PMS /f
2⤵
PID:984

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
2⤵
PID:968

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn \Microsoft\Windows\PMS /f
2⤵
PID:1572

C:\Windows\system32\hale.exe
"C:\Windows\system32\hale.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B74F.tmp\hale.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\B74F.tmp\hale.cmd""
4⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE
5⤵
PID:1712

C:\Windows\system32\find.exe
FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"
5⤵
PID:544

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f
5⤵
PID:564

C:\Windows\system32\tasklist.exe
TASKLIST /FI "IMAGENAME eq Chew7.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\find.exe
FIND "Chew7.exe"
5⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
5⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
6⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
5⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\system32\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
6⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
5⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\reg.exe
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
6⤵
- Modifies registry key
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c TIME /T
5⤵
PID:1632

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\winsxs"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2004

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1772

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
5⤵
PID:1452

C:\Windows\system32\find.exe
FIND /I "IntervalMinutes"
5⤵
PID:1264

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes /t REG_DWORD /d 3 /f
5⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes
5⤵
PID:1164

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes
6⤵
PID:1832

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalMinutes /t REG_DWORD /d 3 /f
5⤵
PID:1888

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:804

C:\Windows\system32\fc.exe
FC /B "C:\Windows\System32\slmgr.vbs" wslmt.dll
5⤵
PID:960

C:\Windows\system32\fc.exe
FC /B "64\slmgr.vbs" "C:\Windows\System32\slmgr.vbs"
5⤵
PID:976

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1120

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\13660.lck" "C:\Windows\System32\slmgr.vbs"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:872

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1516

C:\Windows\system32\fc.exe
FC /B "C:\Windows\SysWOW64\slmgr.vbs" wslmt.dll
5⤵
PID:564

C:\Windows\system32\fc.exe
FC /B "32\slmgr.vbs" "C:\Windows\SysWOW64\slmgr.vbs"
5⤵
PID:1344

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:900

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\29802.lck" "C:\Windows\SysWOW64\slmgr.vbs"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1688

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1616

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1912

C:\Windows\system32\fc.exe
FC /B "C:\Windows\System32\slwga.dll" 64\slwga.dll
5⤵
PID:1964

C:\Windows\system32\fc.exe
FC /B "64\slwga.dll" "C:\Windows\System32\slwga.dll"
5⤵
PID:952

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slwga.dll"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1340

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\14362.lck" "C:\Windows\System32\slwga.dll"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1772

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1188

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1832

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:904

C:\Windows\system32\fc.exe
FC /B "C:\Windows\SysWOW64\slwga.dll" 32\slwga.dll
5⤵
PID:1892

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:972

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:636

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:796

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1084

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:832

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1080

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1712

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1312

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1344

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1380

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1504

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1472

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1992

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1644

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1928

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1996

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1612

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2004

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:860

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1768

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1264

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1188

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:904

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:308

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x84:xFD -r:x85:xFD -o 64\systemcpl.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:804

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1016

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:976

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1920

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\system32\fc.exe
FC /B "C:\Windows\System32\slui.exe" wac64.dll
5⤵
PID:1120

C:\Windows\system32\fc.exe
FC /B "64\slui.exe" "C:\Windows\System32\slui.exe"
5⤵
PID:1624

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\slui.exe"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1048

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\17773.lck" "C:\Windows\System32\slui.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:568

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:556

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1044

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1692

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1092

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1704

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:964

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1736

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1928

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1996

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1944

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:520

C:\Windows\system32\fc.exe
FC /B "64\sppcommdlg.dll" "C:\Windows\System32\sppcommdlg.dll"
5⤵
PID:1424

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\17278.lck" "C:\Windows\System32\sppcommdlg.dll"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1772

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:992

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:284

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1452

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1832

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:904

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
bump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1784

C:\Windows\system32\find.exe
FIND "changed"
5⤵
PID:1892

C:\Windows\system32\fc.exe
FC /B "64\sppuinotify.dll" "C:\Windows\System32\sppuinotify.dll"
5⤵
PID:1900

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\sppuinotify.dll"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2012

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\2461.lck" "C:\Windows\System32\sppuinotify.dll"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:688

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920

C:\Windows\system32\fc.exe
FC /B "C:\Windows\System32\winlogon.exe" wla64.dll
5⤵
PID:2044

C:\Windows\system32\fc.exe
FC /B "64\winlogon.exe" "C:\Windows\System32\winlogon.exe"
5⤵
PID:1576

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\winlogon.exe"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:832

C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\7929.lck" "C:\Windows\System32\winlogon.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1040

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""
5⤵
PID:1712

C:\Windows\system32\find.exe
FIND "FAIL:"
5⤵
PID:1952

C:\Windows\system32\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d "ERROR" /f
5⤵
PID:564

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /TN \Microsoft\Windows\PMS\PMS /TR "'C:\Windows\System32\hale.exe' /nolog" /SC MINUTE /MO 3 /RU SYSTEM /F
5⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /TN \Microsoft\Windows\PMS\ResetDTL /TR "'C:\Windows\System32\cmd.exe' /C DEL /F /Q '"C:\Windows\System32\cwlog.dtl"'" /SC MINUTE /MO 15 /RU SYSTEM /F
5⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\reg.exe
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce
5⤵
- Modifies registry key
PID:304

C:\Windows\system32\find.exe
FIND "c728074"
5⤵
PID:900

C:\Windows\system32\reg.exe
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce
5⤵
- Modifies registry key
PID:1688

C:\Windows\system32\find.exe
FIND "c717271"
5⤵
PID:1472

C:\Windows\system32\reg.exe
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce
5⤵
- Modifies registry key
PID:344

C:\Windows\system32\find.exe
FIND /I "/C START /MIN RD /S /Q"
5⤵
PID:932

C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce /v "c717271" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl
Filesize
296B

MD5
7a3b8ec21ac9956ed258f5b397d281ab

SHA1
63cc8f5ca73640fa5fae2d20e69ce393a07a873d

SHA256
bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683

SHA512
ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c

Download Submit
C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl
Filesize
296B

MD5
7a3b8ec21ac9956ed258f5b397d281ab

SHA1
63cc8f5ca73640fa5fae2d20e69ce393a07a873d

SHA256
bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683

SHA512
ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c

Download Submit
C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl
Filesize
294B

MD5
60c00613f4bec9c4b8cc48953ae00cc6

SHA1
eee39aec1b8bb85087aac67aae69b497bc23c0db

SHA256
33a7fc22454bbd879d3af44f74f98d8cb02b26a45060444aba1846e14421854d

SHA512
44556880516c4a5921ae45cda52bf496e9e8e34cba13f4d0d77de898e5036c407e4ad5313c4008c798cd6781b3ceb22094f91c6ba52ad5017a55711f529fd973

Download Submit
C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl
Filesize
296B

MD5
61975a8f1f2b5a9685c3aa2d921fbf8a

SHA1
5870879badbe315599676e138e06b7cccdcab03c

SHA256
113fe46916078dab361a7b96660179ef62694440bbed56436b63a43de6d29d80

SHA512
3820004d05a25d6094543d1b323dcbda0cb633c2f6873f8e12c455315a5d5567882a3ca6d3226dfbbcd3ee584ad9346228e32b1ef7ac3bed97c29f73e551f236

Download Submit
C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\32\slmgr.vbs
Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\32\slwga.dll
Filesize
14KB

MD5
19f75d71e4256f5113d64ce2bb66b838

SHA1
d3b46cf10ccb0aaff8153c20c6aa2dc2627dee79

SHA256
da54cd8811bc71fafdd0d0b12b901747da752f49507edcc740cbbcc2ac3a340f

SHA512
a48e0759911f3b0e59736b2654e13c685aa1f2c058ddc2307f050ea6f891bb9382f2aae2cc7611e8a11b2b4c2635a53c52fd19597f932455ca2608998d9bc75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\32\sppwmi.dll
Filesize
116KB

MD5
5f5bb7c391d0e98338bf64b19c81f1ff

SHA1
8c275b466c4076d3c6fd9f62cf9e4a9f1342987a

SHA256
d8db4892ca7d736b1f51d96d1656ecce2361ee72308e7c2d0c2f9fe8725e464a

SHA512
e475a04f6379126f8289ee3360babe53ba62ae0345e51a22239cf8351abeb9b834c4912a69df57c5816a8ff9000bc41eba55121222c654d10b0386bbcac22aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\SLWGA.DLL
Filesize
15KB

MD5
7edc3c01ffe76fbe4f88ed6cf7e93d2a

SHA1
28f447f52c3601f5771d1d6af8177acc5d18dfc4

SHA256
a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7

SHA512
003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\slmgr.vbs
Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\slui.exe
Filesize
341KB

MD5
4a70dc889e9b792b83c68348709d3edd

SHA1
826791f1b69bb85b5f6155982e03bccdb7c22eed

SHA256
3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f

SHA512
a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\slwga.dll
Filesize
15KB

MD5
b6d6886149573278cba6abd44c4317f5

SHA1
2b309f9046bd884b63ecb418fe3ae56c2c82dd6f

SHA256
273c05c8504ca050fe6c50b50d15f32064ec6672ae85cde038976027ca4b14d3

SHA512
56352f53e5c88d9c22188480a5cf4d744857774f56e08b53898cda00a235a6be9b3134dc5b58ae2531b06664f6f09c3ec242e227b3dd2235299290805428ff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\sppwmi.dll
Filesize
139KB

MD5
85eebb24b18781a3d4a8558d8c294a6e

SHA1
03a6659983cf14e9b2334df9fd32e49079998364

SHA256
85d17a0a081907c2c5c0eb856a8639704af47bb7bba508101b3a1c23f742a885

SHA512
4fc93cd158891b356eca4b2e719fb825e0aa0b55d705bfddbcad256727a3099c8cc79e4292656b57364f2495b0937241715946b815c4bf61bfd00f6df65b956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\sppwmi.dll
Filesize
139KB

MD5
d745f0b3bfa805ccf82a6a883dd3e441

SHA1
e6807f4e035f25dc649fc9222252546b9d5512ca

SHA256
2b5de3ee2b03580f5f09cae530a9f92e6063727405e9906278badec0b6644450

SHA512
e6af029017a4ee84ceb724b00009fa18336c581941b4609b8ad011a46286394f22c9e410a08c876add1170b462db6d6504674d35243874cd0df427527c099259

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\systemcpl.dll
Filesize
410KB

MD5
bb074f35b49eb2ea416962b596281e1e

SHA1
355fdb9e66ffad42144b1b6ec4d8eb357ed05d52

SHA256
e07208204b9616027e5144e2f3ef1ba81168365b7d2a761210b0fbc65b97871e

SHA512
82f2dc04aff17a31450d2e66cab47f4f9c00936a9f309647c841432862a02f9c6b915683aa49a53739646cddd4e0e4404da0aab96f228692a767892102708884

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\64\user32.dll
Filesize
984KB

MD5
fe70103391a64039a921dbfff9c7ab1b

SHA1
e0019d9442aeebd3bb42a24c38aa2fae4c6bd4f5

SHA256
f7d219d75037bc98f6c69143b00ab6000a31f8b5e211e0af514f4f4b681522a0

SHA512
c2158260ed6b797509830be17da926a3658b87d71f7f5e2a6ea603cdf69ab42a7cffb22d4343bc9dcddc6e2561ec8eaed55022c80894e7b8d81ca7bc17dffc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\WAC64.DLL
Filesize
341KB

MD5
4a70dc889e9b792b83c68348709d3edd

SHA1
826791f1b69bb85b5f6155982e03bccdb7c22eed

SHA256
3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f

SHA512
a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\WSLMT.DLL
Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\bump.exe
Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\flick.exe
Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\godo.cmd
Filesize
1KB

MD5
0a9d51896a1a3735884221794a7c65f1

SHA1
2247c4f4ca88237c28fcd0e799b2dcf39867fefd

SHA256
2341170d3fc76a5bbeb2a795c2974ecb42fe20bdf89c01bb0326651d1cfccc5d

SHA512
c8ff9c6030cda1b21aac3a9c0ba83bd89a4cf3f2465a53397f977f9a01d8e5ea01b173c0c38345f6c59dc1931a64805567dbf824b6aa3db2f1b12cc80225a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\hale.cmd
Filesize
337B

MD5
1f44d34de408d88c7c7c430d9c07f0fe

SHA1
512dde52164ff712ed452c565da781cc28d0bff8

SHA256
499a44e0a92ae348567408e3331bb636899b415657b02c4c94cf2ab41dd7ef07

SHA512
96dec03e66a909b5f9d6bda4646eafd5c3db8172195b01cd113690e95f292217245add88c1abe1dc67b26434d3b14449aae49ee5a949b9d1aa7e211d1ea57889

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\lhed.cmd
Filesize
718B

MD5
cfc84dfdddbf6e380817d0090007e645

SHA1
1d7fb4709867a4f41279f509b5c0ca861e1cf10b

SHA256
c37fb878856e2dbfdd3cdcfb54f5ee4bf876dc221214052ac273f98418edb841

SHA512
bf1a4b0f1a9547e507b79edb2c3c9a0370e96ac754f5288cff2f27004c1c6ac00660d7b374d087ffd0171b99bcd68a6276db9d2b399abd12253a5f8afd08adbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\mtmp.cmd
Filesize
106B

MD5
02d7ebad35b5624a751243d101a540ce

SHA1
4f9f0e0d47c78511ca88776fc86ece16055df66e

SHA256
7686c1b97d3f80d042aac35d82b5e5b558a494ae3e0e35de81a47c413d9020ac

SHA512
04fc1f935dd996ed1528c9bdf33e783a14a327e4f4477caa1fd5b9312cd3c37792c99b7364e7142284a161fc8c1ff146ca338aea2f1981b27aacf5b95d9e1387

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\ownc.cmd
Filesize
629B

MD5
35af56258eecc3bcd990024227382ed0

SHA1
0b3227e21ca01325913bd3cfa0c0016788e52edd

SHA256
d503dd598d6cb900878f9f66152e960212c0486d3a2f9a021724119b05835448

SHA512
e324a73be4585aee5727c08d608e92c5ba2cb4cc7d86809a7564f12937d2819c063a28146ebb71b3c41f032a470378c197f5e54d4c8a2906835e93a1e47255af

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\plat.cmd
Filesize
886B

MD5
fe8a397e3064f711ba04b6babd10558d

SHA1
78a95aa33d7f8ff38bfae516d90fdcfa51e14ba9

SHA256
ef709fe236dfefc40d2ab9c51a27e10914e5e3c316388cc8f937cf3cd09e622f

SHA512
161d955714be18f9c6c5ed1f319bab70efa74cd72d9e87bca826601c6ce1c696d69b95b9e224023c62a16c911384bf9990a72125dfc945dea44216e6b1b166dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\radd.cmd
Filesize
113B

MD5
0ca0566671854f45d316877cb3b9563b

SHA1
75ea44bb67f797281703030b2989e91c2723ddb6

SHA256
048e766ffd49a6ea2fe280dc3f949c1173b439b0367137972fb6f8196c6ad8f3

SHA512
12c6e3b76dbf2ea7c631a86010f77467e173cd497af0ce2e8f8fe95986ad4558c950928d4a3fe7fe28d82ca4d29f1c79aeddd0096b1792b6b015264b1a70a51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\setv.cmd
Filesize
1KB

MD5
d6c2c11867868f16c4bbd97ec106474e

SHA1
c5f01dfbb0916f5a606ac37b7068b3d212ad96f2

SHA256
809d5fb8d05569815ff67e9ad520ca64e7c8998e035993cf9ca7f5216e5572db

SHA512
6189a07365753cb421f5e754a8e3c27589f159dab58e113c794ad0b5006ce1644af7950155f1ee7d08e6dbc8679789d16d7ee9635e83f7630eb3d839a0e85625

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\tick.cmd
Filesize
9KB

MD5
574014049e0ed8ff74182fa96f2d1ab3

SHA1
454914e6db5d1b47ca50e323e5ab9985edd940c0

SHA256
c3148a2f9b901f67e63edd03f256bcb7a8ea071564ee31ec0d602de0f5219699

SHA512
51892899f08faae6f5ba861142933d9f5dc425f5fa4c9140b25e8e2e27cd3b87a75bb90d33434e68ec4b9199272f7d784fd9bc617a48d5b8ba86ba79b4dbf08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\town.cmd
Filesize
309B

MD5
574958530816e546394dbc025d8a08eb

SHA1
dbdfb40357f60bb6bc4575806f1f924a11302205

SHA256
81ebb38c6e13f2b695cc1cf42ff6f6a1a836270325c2b14a76d4ed5d7ee718da

SHA512
088c2bb7b8de936bcc9118ce993bda38344556d8bbd2c0737321042751cf3d0edb730c2fb9fe0bb745694205c68fefcc303907bde02a8b58ae15de23f7dc09c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B74F.tmp\tran.cmd
Filesize
1KB

MD5
08d050c91f916dd562a7e9ef9f0e9815

SHA1
4e2cf6eafe9c60519edd855b9113c0fafac71533

SHA256
196701833b1e0c5c7217a2cd92ed70722e7d91f7cff6877cff21e4be5b0af4c9

SHA512
de2399c11f846c75dade16e3fc76b60fea017c841950f3b5c92e026f8809c6b77cb416fc747d907255d3302252b7161cbc6029c1dea3eed24d5cb101b95c7ae5

Download Submit
C:\Windows\SysWOW64\slmgr.vbs
Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Windows\System32\hale.exe
Filesize
531KB

MD5
f8546857fa2d2e6c9d377d0a840bb1b2

SHA1
a2a61a7577c234e2e9dd59288b6671471a1e246d

SHA256
8df72ce39b0192fa76a5ffdcc9e82b7e58703116158613df5a12e7e2b8baba94

SHA512
7484312747d7782fbce5fd9077071969729dc4734e3116103dbc8805dfd05a9448354e1b6a5edfd4d3d0ba01fa319a20493b4271aba69643c0f300a8e0b75cfd

Download Submit
C:\Windows\System32\slmgr.vbs
Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Windows\System32\slui.exe
Filesize
341KB

MD5
4a70dc889e9b792b83c68348709d3edd

SHA1
826791f1b69bb85b5f6155982e03bccdb7c22eed

SHA256
3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f

SHA512
a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a

Download Submit
C:\Windows\System32\slwga.dll
Filesize
15KB

MD5
7edc3c01ffe76fbe4f88ed6cf7e93d2a

SHA1
28f447f52c3601f5771d1d6af8177acc5d18dfc4

SHA256
a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7

SHA512
003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8

Download Submit
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/340-79-0x0000000000000000-mapping.dmp

Download
memory/344-77-0x0000000000000000-mapping.dmp

Download
memory/540-59-0x0000000000000000-mapping.dmp

Download
memory/544-72-0x0000000000000000-mapping.dmp

Download
memory/564-74-0x0000000000000000-mapping.dmp

Download
memory/564-116-0x0000000000000000-mapping.dmp

Download
memory/608-135-0x0000000000000000-mapping.dmp

Download
memory/636-149-0x0000000000000000-mapping.dmp

Download
memory/688-151-0x0000000000000000-mapping.dmp

Download
memory/796-153-0x0000000000000000-mapping.dmp

Download
memory/804-99-0x0000000000000000-mapping.dmp

Download
memory/832-159-0x0000000000000000-mapping.dmp

Download
memory/860-88-0x0000000000000000-mapping.dmp

Download
memory/872-110-0x0000000000000000-mapping.dmp

Download
memory/896-66-0x0000000000000000-mapping.dmp

Download
memory/900-120-0x0000000000000000-mapping.dmp

Download
memory/904-145-0x0000000000000000-mapping.dmp

Download
memory/952-134-0x0000000000000000-mapping.dmp

Download
memory/960-101-0x0000000000000000-mapping.dmp

Download
memory/968-61-0x0000000000000000-mapping.dmp

Download
memory/972-148-0x0000000000000000-mapping.dmp

Download
memory/976-104-0x0000000000000000-mapping.dmp

Download
memory/984-60-0x0000000000000000-mapping.dmp

Download
memory/1048-112-0x0000000000000000-mapping.dmp

Download
memory/1084-157-0x0000000000000000-mapping.dmp

Download
memory/1120-107-0x0000000000000000-mapping.dmp

Download
memory/1164-93-0x0000000000000000-mapping.dmp

Download
memory/1188-142-0x0000000000000000-mapping.dmp

Download
memory/1188-92-0x0000000000000000-mapping.dmp

Download
memory/1264-91-0x0000000000000000-mapping.dmp

Download
memory/1340-136-0x0000000000000000-mapping.dmp

Download
memory/1344-117-0x0000000000000000-mapping.dmp

Download
memory/1452-139-0x0000000000000000-mapping.dmp

Download
memory/1452-90-0x0000000000000000-mapping.dmp

Download
memory/1504-76-0x0000000000000000-mapping.dmp

Download
memory/1516-115-0x0000000000000000-mapping.dmp

Download
memory/1560-58-0x0000000000000000-mapping.dmp

Download
memory/1572-62-0x0000000000000000-mapping.dmp

Download
memory/1576-155-0x0000000000000000-mapping.dmp

Download
memory/1616-128-0x0000000000000000-mapping.dmp

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1632-83-0x0000000000000000-mapping.dmp

Download
memory/1636-82-0x0000000000000000-mapping.dmp

Download
memory/1640-126-0x0000000000000000-mapping.dmp

Download
memory/1672-119-0x0000000000000000-mapping.dmp

Download
memory/1688-121-0x0000000000000000-mapping.dmp

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download
memory/1712-71-0x0000000000000000-mapping.dmp

Download
memory/1748-65-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1748-188-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1748-67-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1772-89-0x0000000000000000-mapping.dmp

Download
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/1812-69-0x0000000000000000-mapping.dmp

Download
memory/1832-94-0x0000000000000000-mapping.dmp

Download
memory/1832-143-0x0000000000000000-mapping.dmp

Download
memory/1888-95-0x0000000000000000-mapping.dmp

Download
memory/1892-147-0x0000000000000000-mapping.dmp

Download
memory/1912-130-0x0000000000000000-mapping.dmp

Download
memory/1920-106-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x000007FEF3440000-0x000007FEF3E63000-memory.dmp

Filesize
10.1MB

Download
memory/1948-57-0x0000000000BB6000-0x0000000000BD5000-memory.dmp

Filesize
124KB

Download
memory/1948-56-0x0000000000BB6000-0x0000000000BD5000-memory.dmp

Filesize
124KB

Download
memory/1948-55-0x000007FEF23A0000-0x000007FEF3436000-memory.dmp

Filesize
16.6MB

Download
memory/1948-189-0x0000000000BB6000-0x0000000000BD5000-memory.dmp

Filesize
124KB

Download
memory/1964-132-0x0000000000000000-mapping.dmp

Download
memory/1992-80-0x0000000000000000-mapping.dmp

Download
memory/1992-124-0x0000000000000000-mapping.dmp

Download
memory/2004-87-0x0000000000000000-mapping.dmp

Download
memory/2008-86-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads