077f6109a75b3a1599cdb43bc5b5ff519ff49cff1f9f0a1f6370ab1a8b2a44af

Analysis

max time kernel
88s
max time network
80s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 23:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Chew7.exe
Size

4.6MB
MD5

7b232997942b2a5c7e4dbe931bb4c67c
SHA1

06c6d3b5b66585f03bab25c774baadb575cb1515
SHA256

0a88faa27484c7c163bc90fbf806a9dab84226c2f60f3410695278ee76d065f5
SHA512

1959f3334af0061fac523e31fb030d77c13696977cc151453ca0546cc624d234b2198d141e61d597e0d3c2ff3068ad8f3d732dd477a5b535ccd56dd953588412
SSDEEP

98304:6BkL7VOQCsDdOmYglo4Y14pygKq7VOQCsDdOmYglo4Y14pygK:6OLPLDVYglq1pqPLDVYglq1p

Score

8^/10

discovery exploit persistence upx

Malware Config

Signatures

Possible privilege escalation attempt 54 IoCs

exploit

pid	Process
1828	icacls.exe
1348	icacls.exe
2912	takeown.exe
840	icacls.exe
2472	icacls.exe
2908	icacls.exe
1604	icacls.exe
1700	icacls.exe
1224	icacls.exe
2140	icacls.exe
2844	icacls.exe
2156	icacls.exe
760	icacls.exe
2012	icacls.exe
1404	icacls.exe
2012	icacls.exe
704	takeown.exe
1512	icacls.exe
1688	icacls.exe
492	takeown.exe
2416	takeown.exe
2520	icacls.exe
952	icacls.exe
2932	icacls.exe
2012	takeown.exe
996	takeown.exe
1484	icacls.exe
2084	takeown.exe
1368	icacls.exe
2160	takeown.exe
1488	takeown.exe
996	icacls.exe
2144	takeown.exe
2824	icacls.exe
1724	takeown.exe
584	icacls.exe
1972	icacls.exe
616	icacls.exe
2724	icacls.exe
304	icacls.exe
1652	icacls.exe
2192	icacls.exe
2516	icacls.exe
832	icacls.exe
2696	icacls.exe
888	icacls.exe
552	icacls.exe
1900	takeown.exe
1368	icacls.exe
2588	icacls.exe
2372	icacls.exe
3056	takeown.exe
1504	takeown.exe
1008	icacls.exe

Executes dropped EXE 64 IoCs

pid	Process
2432	hale.exe
768	crc32.exe
1740	crc32.exe
1744	flick.exe
824	crc32.exe
1572	crc32.exe
1880	flick.exe
2792	crc32.exe
1664	bump.exe
2152	crc32.exe
1192	flick.exe
2164	crc32.exe
2528	bump.exe
2772	crc32.exe
2816	flick.exe
1520	crc32.exe
2000	bump.exe
2852	bump.exe
2880	bump.exe
1104	crc32.exe
1152	crc32.exe
1992	bump.exe
2844	bump.exe
1076	bump.exe
1964	crc32.exe
2228	crc32.exe
1580	bump.exe
1184	bump.exe
3016	bump.exe
2184	bump.exe
2628	bump.exe
2008	bump.exe
2896	bump.exe
2744	bump.exe
2792	bump.exe
2960	bump.exe
2972	bump.exe
592	bump.exe
344	crc32.exe
1436	flick.exe
1896	crc32.exe
2188	bump.exe
2832	bump.exe
2196	bump.exe
628	crc32.exe
1592	flick.exe
2068	crc32.exe
1136	crc32.exe
1532	flick.exe
1276	crc32.exe
1940	bump.exe
2376	bump.exe
1736	bump.exe
2208	bump.exe
2320	bump.exe
2872	bump.exe
1724	bump.exe
2200	bump.exe
2584	bump.exe
2568	crc32.exe
3000	flick.exe
672	crc32.exe
1192	bump.exe
1124	bump.exe

Loads dropped DLL 64 IoCs

pid	Process
1436	flick.exe
2780	cmd.exe
1896	crc32.exe
2188	bump.exe
2824	find.exe
2832	bump.exe
2040	find.exe
2196	bump.exe
880	find.exe
1640	cmd.exe
628	crc32.exe
2084	takeown.exe
1592	flick.exe
2880	cmd.exe
2068	crc32.exe
636	cmd.exe
1136	crc32.exe
492	takeown.exe
1532	flick.exe
2408	cmd.exe
1276	crc32.exe
1940	bump.exe
1956	find.exe
2376	bump.exe
1656	find.exe
1736	bump.exe
2028	find.exe
2208	bump.exe
2516	find.exe
2320	bump.exe
2240	find.exe
2872	bump.exe
2184	find.exe
1724	bump.exe
2628	find.exe
2200	bump.exe
860	find.exe
2584	bump.exe
2648	find.exe
1668	cmd.exe
2568	crc32.exe
3056	takeown.exe
3000	flick.exe
592	cmd.exe
672	crc32.exe
1192	bump.exe
1488	find.exe
2812	find.exe
1124	bump.exe
2508	bump.exe
1200	find.exe
1772	bump.exe
1904	find.exe
1864	bump.exe
1952	find.exe
2676	cmd.exe
1692	crc32.exe
1504	takeown.exe
1776	flick.exe
2724	cmd.exe
308	crc32.exe
2852	cmd.exe
1212	crc32.exe
2912	takeown.exe

Modifies file permissions 1 TTPs 54 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2012	takeown.exe
1652	icacls.exe
2472	icacls.exe
2140	icacls.exe
952	icacls.exe
760	icacls.exe
2084	takeown.exe
2912	takeown.exe
2844	icacls.exe
1368	icacls.exe
552	icacls.exe
2588	icacls.exe
2372	icacls.exe
1404	icacls.exe
1972	icacls.exe
2192	icacls.exe
996	takeown.exe
1484	icacls.exe
1900	takeown.exe
888	icacls.exe
2724	icacls.exe
2416	takeown.exe
2824	icacls.exe
2908	icacls.exe
2144	takeown.exe
1008	icacls.exe
304	icacls.exe
1700	icacls.exe
2516	icacls.exe
1724	takeown.exe
492	takeown.exe
996	icacls.exe
2160	takeown.exe
2696	icacls.exe
1488	takeown.exe
2012	icacls.exe
1604	icacls.exe
3056	takeown.exe
1828	icacls.exe
2012	icacls.exe
704	takeown.exe
2156	icacls.exe
1688	icacls.exe
584	icacls.exe
2520	icacls.exe
1504	takeown.exe
1348	icacls.exe
832	icacls.exe
1512	icacls.exe
1224	icacls.exe
2932	icacls.exe
840	icacls.exe
1368	icacls.exe
616	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001227d-11.dat	upx
behavioral1/memory/2432-14-0x0000000000400000-0x0000000000BB0000-memory.dmp	upx
behavioral1/memory/2432-92-0x0000000000400000-0x0000000000BB0000-memory.dmp	upx
behavioral1/memory/2432-901-0x0000000000400000-0x0000000000BB0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chew7Hale = "\"C:\\Windows\\System32\\hale.exe\" /nolog"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c76004 = "\"C:\\Windows\\System32\\cmd.exe\" /C START /MIN RD /S /Q \"C:\\ProgramData\\Microsoft\\Windows\\Pending\"^&EXIT"	reg.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	flick.exe
File created	C:\Windows\SysWOW64\slwga.dll	cmd.exe
File created	C:\Windows\System32\sppcommdlg.dll	cmd.exe
File opened for modification	C:\Windows\System32\winver.exe	cmd.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\systemcpl.dll	flick.exe
File created	C:\Windows\System32\slui.exe	cmd.exe
File opened for modification	C:\Windows\System32\slui.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	flick.exe
File created	C:\Windows\System32\cwlog.dtl	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	flick.exe
File opened for modification	C:\Windows\System32\user32.dll	cmd.exe
File opened for modification	C:\Windows\System32\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\system32\hale.exe	Chew7.exe
File opened for modification	C:\Windows\System32\cwlog.dtl	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slwga.dll	cmd.exe
File created	C:\Windows\System32\systemcpl.dll	cmd.exe
File created	C:\Windows\System32\slwga.dll	cmd.exe
File created	C:\Windows\System32\sppuinotify.dll	cmd.exe
File created	C:\Windows\System32\winver.exe	cmd.exe
File opened for modification	C:\Windows\System32\slwga.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	flick.exe
File opened for modification	C:\Windows\System32\sppcommdlg.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sppcommdlg.dll	flick.exe
File created	C:\Windows\System32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\system32\hale.exe	Chew7.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slwga.dll	flick.exe
File opened for modification	C:\Windows\SysWOW64\slwga.dll	flick.exe
File opened for modification	C:\Windows\System32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\System32\slmgr.vbs	cmd.exe
File created	C:\Windows\System32\user32.dll	cmd.exe
File opened for modification	C:\Windows\System32\sppuinotify.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	flick.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
528	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2676	tasklist.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2580	taskkill.exe
2740	taskkill.exe
1828	taskkill.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2964	reg.exe
1504	reg.exe
2200	reg.exe
2632	reg.exe
2492	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
768	crc32.exe
1740	crc32.exe
1744	flick.exe
824	crc32.exe
1880	flick.exe
2792	crc32.exe
1664	bump.exe
2152	crc32.exe
1192	flick.exe
2164	crc32.exe
2528	bump.exe
2772	crc32.exe
2816	flick.exe
1520	crc32.exe
2000	bump.exe
2852	bump.exe
2880	bump.exe
1104	crc32.exe
1152	crc32.exe
1992	bump.exe
2844	bump.exe
1076	bump.exe
1964	crc32.exe
2228	crc32.exe
1580	bump.exe
1184	bump.exe
3016	bump.exe
2184	bump.exe
2628	bump.exe
2008	bump.exe
2896	bump.exe
2744	bump.exe
2792	bump.exe
2960	bump.exe
2972	bump.exe
592	bump.exe
344	crc32.exe
1436	flick.exe
1896	crc32.exe
2188	bump.exe
2832	bump.exe
2196	bump.exe
628	crc32.exe
1592	flick.exe
2068	crc32.exe
1136	crc32.exe
1532	flick.exe
1276	crc32.exe
1940	bump.exe
2376	bump.exe
1736	bump.exe
2208	bump.exe
2320	bump.exe
2872	bump.exe
1724	bump.exe
2200	bump.exe
2584	bump.exe
2568	crc32.exe
3000	flick.exe
672	crc32.exe
1192	bump.exe
1124	bump.exe
2508	bump.exe
1772	bump.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2676	tasklist.exe
Token: SeTakeOwnershipPrivilege	2012	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	996	takeown.exe
Token: SeSecurityPrivilege	1484	icacls.exe
Token: SeTakeOwnershipPrivilege	1724	takeown.exe
Token: SeSecurityPrivilege	2588	icacls.exe
Token: SeTakeOwnershipPrivilege	2416	takeown.exe
Token: SeSecurityPrivilege	1008	icacls.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeSecurityPrivilege	304	icacls.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeSecurityPrivilege	2472	icacls.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeSecurityPrivilege	2908	icacls.exe
Token: SeTakeOwnershipPrivilege	492	takeown.exe
Token: SeSecurityPrivilege	2140	icacls.exe
Token: SeTakeOwnershipPrivilege	3056	takeown.exe
Token: SeSecurityPrivilege	1972	icacls.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeSecurityPrivilege	1348	icacls.exe
Token: SeTakeOwnershipPrivilege	2912	takeown.exe
Token: SeSecurityPrivilege	832	icacls.exe
Token: SeTakeOwnershipPrivilege	704	takeown.exe
Token: SeSecurityPrivilege	996	icacls.exe
Token: SeTakeOwnershipPrivilege	2144	takeown.exe
Token: SeSecurityPrivilege	1604	icacls.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeShutdownPrivilege	2452	shutdown.exe
Token: SeRemoteShutdownPrivilege	2452	shutdown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3032	Chew7.exe
3032	Chew7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2580	3032	Chew7.exe	28
PID 3032 wrote to memory of 2580	3032	Chew7.exe	28
PID 3032 wrote to memory of 2580	3032	Chew7.exe	28
PID 3032 wrote to memory of 2740	3032	Chew7.exe	31
PID 3032 wrote to memory of 2740	3032	Chew7.exe	31
PID 3032 wrote to memory of 2740	3032	Chew7.exe	31
PID 3032 wrote to memory of 2432	3032	Chew7.exe	33
PID 3032 wrote to memory of 2432	3032	Chew7.exe	33
PID 3032 wrote to memory of 2432	3032	Chew7.exe	33
PID 3032 wrote to memory of 2432	3032	Chew7.exe	33
PID 2432 wrote to memory of 1780	2432	hale.exe	35
PID 2432 wrote to memory of 1780	2432	hale.exe	35
PID 2432 wrote to memory of 1780	2432	hale.exe	35
PID 2432 wrote to memory of 1780	2432	hale.exe	35
PID 1780 wrote to memory of 2612	1780	cmd.exe	38
PID 1780 wrote to memory of 2612	1780	cmd.exe	38
PID 1780 wrote to memory of 2612	1780	cmd.exe	38
PID 1780 wrote to memory of 2612	1780	cmd.exe	38
PID 2612 wrote to memory of 2772	2612	cmd.exe	39
PID 2612 wrote to memory of 2772	2612	cmd.exe	39
PID 2612 wrote to memory of 2772	2612	cmd.exe	39
PID 2612 wrote to memory of 2532	2612	cmd.exe	40
PID 2612 wrote to memory of 2532	2612	cmd.exe	40
PID 2612 wrote to memory of 2532	2612	cmd.exe	40
PID 2612 wrote to memory of 1900	2612	cmd.exe	41
PID 2612 wrote to memory of 1900	2612	cmd.exe	41
PID 2612 wrote to memory of 1900	2612	cmd.exe	41
PID 2612 wrote to memory of 1660	2612	cmd.exe	42
PID 2612 wrote to memory of 1660	2612	cmd.exe	42
PID 2612 wrote to memory of 1660	2612	cmd.exe	42
PID 1660 wrote to memory of 660	1660	cmd.exe	43
PID 1660 wrote to memory of 660	1660	cmd.exe	43
PID 1660 wrote to memory of 660	1660	cmd.exe	43
PID 2612 wrote to memory of 2676	2612	cmd.exe	44
PID 2612 wrote to memory of 2676	2612	cmd.exe	44
PID 2612 wrote to memory of 2676	2612	cmd.exe	44
PID 2612 wrote to memory of 2692	2612	cmd.exe	45
PID 2612 wrote to memory of 2692	2612	cmd.exe	45
PID 2612 wrote to memory of 2692	2612	cmd.exe	45
PID 2612 wrote to memory of 2832	2612	cmd.exe	46
PID 2612 wrote to memory of 2832	2612	cmd.exe	46
PID 2612 wrote to memory of 2832	2612	cmd.exe	46
PID 2612 wrote to memory of 2788	2612	cmd.exe	47
PID 2612 wrote to memory of 2788	2612	cmd.exe	47
PID 2612 wrote to memory of 2788	2612	cmd.exe	47
PID 2788 wrote to memory of 2820	2788	cmd.exe	48
PID 2788 wrote to memory of 2820	2788	cmd.exe	48
PID 2788 wrote to memory of 2820	2788	cmd.exe	48
PID 2612 wrote to memory of 304	2612	cmd.exe	49
PID 2612 wrote to memory of 304	2612	cmd.exe	49
PID 2612 wrote to memory of 304	2612	cmd.exe	49
PID 304 wrote to memory of 1692	304	cmd.exe	50
PID 304 wrote to memory of 1692	304	cmd.exe	50
PID 304 wrote to memory of 1692	304	cmd.exe	50
PID 2612 wrote to memory of 2196	2612	cmd.exe	51
PID 2612 wrote to memory of 2196	2612	cmd.exe	51
PID 2612 wrote to memory of 2196	2612	cmd.exe	51
PID 2196 wrote to memory of 1504	2196	cmd.exe	52
PID 2196 wrote to memory of 1504	2196	cmd.exe	52
PID 2196 wrote to memory of 1504	2196	cmd.exe	52
PID 2612 wrote to memory of 1732	2612	cmd.exe	53
PID 2612 wrote to memory of 1732	2612	cmd.exe	53
PID 2612 wrote to memory of 1732	2612	cmd.exe	53
PID 2612 wrote to memory of 320	2612	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\Chew7.exe
"C:\Users\Admin\AppData\Local\Temp\Chew7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im hale.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\system32\hale.exe
  "C:\Windows\system32\hale.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\D25C.tmp\hale.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\D25C.tmp\hale.cmd""
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE
        5⤵
        
        PID:2772
    - - C:\Windows\system32\find.exe
        
        FIND /I "HKEY_LOCAL_MACHINE\SOFTWARE\Chew7"
        5⤵
        
        PID:2532
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /f
        5⤵
        
        PID:1900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled
        6⤵
        
        PID:660
    - - C:\Windows\system32\tasklist.exe
        
        TASKLIST /FI "IMAGENAME eq Chew7.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\system32\find.exe
        
        FIND "Chew7.exe"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v LastAttempt /t REG_SZ /d install /f
        5⤵
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\system32\reg.exe
        
        REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        6⤵
        
        PID:2820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\system32\reg.exe
        
        REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx
        6⤵
        
        PID:1692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v TimeZoneKeyName
        6⤵
        Modifies registry key
        
        PID:1504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c TIME /T
        5⤵
        
        PID:1732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
        5⤵
        
        PID:320
    - - C:\Windows\system32\find.exe
        
        FIND "64"
        5⤵
        
        PID:392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO.Windows 7 Ultimate 7601.17727.amd64fre.win7sp1_gdr.111118-2330"
        5⤵
        
        PID:1680
    - - C:\Windows\system32\find.exe
        
        FIND "86"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
        5⤵
        
        PID:1776
    - - C:\Windows\system32\find.exe
        
        FIND "64"
        5⤵
        
        PID:1172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO.AMD64"
        5⤵
        
        PID:1520
    - - C:\Windows\system32\find.exe
        
        FIND "86"
        5⤵
        
        PID:2080
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\winsxs"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\winsxs" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1512
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\winsxs\Temp\PendingRenames"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\winsxs\Temp\PendingRenames" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2724
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7
        5⤵
        
        PID:1084
    - - C:\Windows\system32\find.exe
        
        FIND /I "IntervalSeconds"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 30 /f
        5⤵
        
        PID:2044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
        5⤵
        
        PID:2776
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds
        6⤵
        
        PID:2092
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v IntervalSeconds /t REG_DWORD /d 1e /f
        5⤵
        
        PID:2948
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
        5⤵
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slmgr.vbs
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slmgr.vbs
        5⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slmgr.vbs
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1740
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\slmgr.vbs"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slmgr.vbs" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:552
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\15013.lck" "C:\Windows\System32\slmgr.vbs"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1744
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
        5⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\slmgr.vbs
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\slmgr.vbs
        5⤵
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\slmgr.vbs
        6⤵
        Executes dropped EXE
        
        PID:1572
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\SysWOW64\slmgr.vbs"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\slmgr.vbs" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\14773.lck" "C:\Windows\SysWOW64\slmgr.vbs"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1880
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
        5⤵
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slwga.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x89:x06:x85:xDB:x79 -r:x2B:xC0:x89:x06:xEB -o 64\slwga.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1664
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:3000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slwga.dll
        5⤵
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slwga.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2152
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\slwga.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slwga.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:760
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\12218.lck" "C:\Windows\System32\slwga.dll"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1192
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\slwga.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
        5⤵
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\slwga.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x0C:x8B:x4D:x10 -r:x0C:x2B:xC9:x90 -o 32\slwga.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2528
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\slwga.dll
        5⤵
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\slwga.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2772
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\SysWOW64\slwga.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\slwga.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\29497.lck" "C:\Windows\SysWOW64\slwga.dll"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2816
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
        5⤵
        
        PID:1172
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppwmi.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xF4:xFF:xFF:x8B:xF8:x85:xC0 -r:xF4:xFF:xFF:x29:xFF:xFF:xC7 -o 64\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2000
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x41:x8B:x50:x10:x85:xD2 -r:x48:x31:xD2:x48:xFF:xC2 -o 64\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2852
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x8B:x79:x14 -r:x83:xE7:x00 -o 64\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2880
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppwmi.dll
        5⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppwmi.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1104
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\sppwmi.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppwmi.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
        5⤵
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\sppwmi.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x89:x45:x10:x85:xC0:x7C:x66 -r:xC7:x45:x10:x01:x00:x00:x00 -o 32\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1992
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x8B:x41:x10:x83:xE8:x00 -r:x2B:xC0:x40:x90:x90:x90 -o 32\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2844
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x7C:x29:x8B:x45:x0C:x8B:x78:x14 -r:x90:x90:x8B:x45:x0C:x2B:xFF:x90 -o 32\sppwmi.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1076
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\sppwmi.dll
        5⤵
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\sppwmi.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1964
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\user32.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
        5⤵
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\user32.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xCC -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1580
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE3 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1184
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xBA:xE4:x02 -r:xBA:xE9:x02 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3016
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:692
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE5 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2184
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE7 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2628
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE6 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2008
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE1 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2896
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xE8 -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2744
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x00:xBA:xCE -r:x00:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2792
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x20:xBA:xE2 -r:x20:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2960
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE9:xBA:xCB -r:xE9:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2972
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:616
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xBA:xCD -r:xBA:xE9 -o 64\user32.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:592
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        
        PID:672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\user32.dll
        5⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\user32.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:344
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\user32.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\user32.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\31363.lck" "C:\Windows\System32\user32.dll"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1436
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\user32.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\systemcpl.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
        5⤵
        Loads dropped DLL
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\systemcpl.dll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x0F:x84:xFD -r:x90:xE9:xFD -o 64\systemcpl.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2188
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x0F:x84:xAD:x00:x00:x00 -r:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2832
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x48:x8D:x0D:x93:xAE:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90 -o 64\systemcpl.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2196
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\systemcpl.dll
        5⤵
        Loads dropped DLL
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\systemcpl.dll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:628
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\systemcpl.dll"
        5⤵
        Possible privilege escalation attempt
        Loads dropped DLL
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\systemcpl.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\26627.lck" "C:\Windows\System32\systemcpl.dll"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1592
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\systemcpl.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slui.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
        5⤵
        Loads dropped DLL
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slui.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\slui.exe
        5⤵
        Loads dropped DLL
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\slui.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1136
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\slui.exe"
        5⤵
        Possible privilege escalation attempt
        Loads dropped DLL
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\slui.exe" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\27483.lck" "C:\Windows\System32\slui.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1532
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\slui.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\sppcommdlg.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
        5⤵
        Loads dropped DLL
        
        PID:2408
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppcommdlg.dll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xFE:x4E:x75 -r:xFE:x4E:xEB -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1940
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x4A:x7A -r:x4A:x65 -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2376
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x41:xB8:x2E -r:x41:xB8:x2C -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1736
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xE8:x1A:x7E -r:xE8:x46:x91 -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2208
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x8D:x4A:x7C -r:x8D:x4A:x65 -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2320
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xB8:x39 -r:xB8:x2C -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2872
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xC7:x7D -r:xF3:x90 -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1724
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x4C:x8B:x44:x24:x60:x4C:x8D:x4C:x24:x48:x8B:xD6:x48:x8B:xCB:xE8:x37:xFA:xFF:xFF -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2200
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:xBF:x00:x00:x75 -r:xBF:x00:x00:xEB -o 64\sppcommdlg.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2584
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppcommdlg.dll
        5⤵
        Loads dropped DLL
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppcommdlg.dll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2568
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\sppcommdlg.dll"
        5⤵
        Possible privilege escalation attempt
        Loads dropped DLL
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\sppcommdlg.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\15351.lck" "C:\Windows\System32\sppcommdlg.dll"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3000
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppcommdlg.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\sppuinotify.dll" /save "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
        5⤵
        Loads dropped DLL
        
        PID:592
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppuinotify.dll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:672
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x78:x65 -r:xEB:x65 -o 64\sppuinotify.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1192
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x83:xBC:x24:xB0:x00:x00:x00:x01:x0F:x95:xC0 -r:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1124
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x81:x7F:x1C:x35:xF0:x04:xC0 -r:x3B:xC4:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
        5⤵
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2508
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x78:x0B -r:x90:x90 -o 64\sppuinotify.dll
        5⤵
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1772
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe
        
        bump -s:x39:x7C:x24:x58:x0F:x94:xC0 -r:x40:x90:x90:x90:x90:x90:x90 -o 64\sppuinotify.dll
        5⤵
        Loads dropped DLL
        
        PID:1864
    - - C:\Windows\system32\find.exe
        
        FIND "changed"
        5⤵
        Loads dropped DLL
        
        PID:1952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\sppuinotify.dll
        5⤵
        Loads dropped DLL
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\sppuinotify.dll
        6⤵
        Loads dropped DLL
        
        PID:1692
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\sppuinotify.dll"
        5⤵
        Possible privilege escalation attempt
        Loads dropped DLL
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\sppuinotify.dll" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2192
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\16300.lck" "C:\Windows\System32\sppuinotify.dll"
        5⤵
        Loads dropped DLL
        
        PID:1776
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\sppuinotify.dll.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\winlogon.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
        5⤵
        Loads dropped DLL
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\winlogon.exe
        6⤵
        Loads dropped DLL
        
        PID:308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\winlogon.exe
        5⤵
        Loads dropped DLL
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\winlogon.exe
        6⤵
        Loads dropped DLL
        
        PID:1212
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\winlogon.exe"
        5⤵
        Possible privilege escalation attempt
        Loads dropped DLL
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\winlogon.exe" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\931.lck" "C:\Windows\System32\winlogon.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winlogon.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
        5⤵
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\winver.exe
        6⤵
        
        PID:1552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 64\winver.exe
        5⤵
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 64\winver.exe
        6⤵
        
        PID:272
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\System32\winver.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32\winver.exe" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\31592.lck" "C:\Windows\System32\winver.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1612
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\System32" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\winver.exe" /save "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
        5⤵
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\winver.exe
        6⤵
        
        PID:1484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c crc32.exe 32\winver.exe
        5⤵
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe
        
        crc32.exe 32\winver.exe
        6⤵
        
        PID:1812
    - - C:\Windows\system32\takeown.exe
        
        TAKEOWN /F "C:\Windows\SysWOW64\winver.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64\winver.exe" /GRANT *S-1-1-0:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:888
    - - C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe
        
        flick.exe /h /q /c /m /r "C:\ProgramData\Microsoft\Windows\Pending\30285.lck" "C:\Windows\SysWOW64\winver.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2240
    - - C:\Windows\system32\icacls.exe
        
        ICACLS "C:\Windows\SysWOW64" /restore "C:\ProgramData\Microsoft\Windows\Pending\winver.exe.acl"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\system32\sfc.exe
        
        SFC /scanfile="C:\Windows\System32\wlms\wlms.exe"
        5⤵
        
        PID:2872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" TYPE "C:\Users\Admin\AppData\Local\Temp\chewlog.txt""
        5⤵
        
        PID:1912
    - - C:\Windows\system32\find.exe
        
        FIND "FAIL:"
        5⤵
        
        PID:2340
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Chew7 /v CWInstalled /t REG_SZ /d TRUE /f
        5⤵
        
        PID:872
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /d "\"C:\Windows\System32\hale.exe\" /nolog" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2200
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
        5⤵
        Modifies registry key
        
        PID:2632
    - - C:\Windows\system32\find.exe
        
        FIND "c76004"
        5⤵
        
        PID:2996
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
        5⤵
        Modifies registry key
        
        PID:2492
    - - C:\Windows\system32\find.exe
        
        FIND /I "/C START /MIN RD /S /Q"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v "c76004" /d "\"C:\Windows\System32\cmd.exe\" /C START /MIN RD /S /Q \"C:\ProgramData\Microsoft\Windows\Pending\"^&EXIT" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2964
    - - C:\Windows\system32\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 1e /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:528
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 0 /d p:2:18
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Pending\slmgr.vbs.acl

Filesize
296B

MD5
7a3b8ec21ac9956ed258f5b397d281ab

SHA1
63cc8f5ca73640fa5fae2d20e69ce393a07a873d

SHA256
bc1f553ca66a548e98f53caf25cebe0fb08f29704549b45095f61893f0113683

SHA512
ae19429864fe8c2473857538c8d52c95801ecdb269e11aed8ba700f43c3d6c6363cd8678178db67ffeb31f4ac47f37335643c392914226079da4b998e9edb40c

Download Submit
C:\ProgramData\Microsoft\Windows\Pending\slwga.dll.acl

Filesize
296B

MD5
61975a8f1f2b5a9685c3aa2d921fbf8a

SHA1
5870879badbe315599676e138e06b7cccdcab03c

SHA256
113fe46916078dab361a7b96660179ef62694440bbed56436b63a43de6d29d80

SHA512
3820004d05a25d6094543d1b323dcbda0cb633c2f6873f8e12c455315a5d5567882a3ca6d3226dfbbcd3ee584ad9346228e32b1ef7ac3bed97c29f73e551f236

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\32\gsr_0000.tmp

Filesize
14KB

MD5
788a402d0fcc43662ba8b73c85c63c7f

SHA1
d5cec0d57a7516db6cdecbdc3d335db24444037b

SHA256
79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60

SHA512
8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\32\gsr_0000.tmp

Filesize
116KB

MD5
0f97e6414569172cf3762b1b49427609

SHA1
32d1b503ac8b1d85e3097a3a80ea6e6204cfabc2

SHA256
46ee9e7a4cc656f5907031439ce11b5f189b8cfde60102b5a9f1786eba10558c

SHA512
288007562c9ce851826a036880f4007e37f51c4975113123ad4e08296808c22bf08cff30b53efaa3c0be5ca66e043cb85ce34a75d09021ea80dbd06633362f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\32\slwga.dll

Filesize
14KB

MD5
19f75d71e4256f5113d64ce2bb66b838

SHA1
d3b46cf10ccb0aaff8153c20c6aa2dc2627dee79

SHA256
da54cd8811bc71fafdd0d0b12b901747da752f49507edcc740cbbcc2ac3a340f

SHA512
a48e0759911f3b0e59736b2654e13c685aa1f2c058ddc2307f050ea6f891bb9382f2aae2cc7611e8a11b2b4c2635a53c52fd19597f932455ca2608998d9bc75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\32\sppwmi.dll

Filesize
116KB

MD5
5f5bb7c391d0e98338bf64b19c81f1ff

SHA1
8c275b466c4076d3c6fd9f62cf9e4a9f1342987a

SHA256
d8db4892ca7d736b1f51d96d1656ecce2361ee72308e7c2d0c2f9fe8725e464a

SHA512
e475a04f6379126f8289ee3360babe53ba62ae0345e51a22239cf8351abeb9b834c4912a69df57c5816a8ff9000bc41eba55121222c654d10b0386bbcac22aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\gsr_0000.tmp

Filesize
139KB

MD5
d745f0b3bfa805ccf82a6a883dd3e441

SHA1
e6807f4e035f25dc649fc9222252546b9d5512ca

SHA256
2b5de3ee2b03580f5f09cae530a9f92e6063727405e9906278badec0b6644450

SHA512
e6af029017a4ee84ceb724b00009fa18336c581941b4609b8ad011a46286394f22c9e410a08c876add1170b462db6d6504674d35243874cd0df427527c099259

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\gsr_0001.tmp

Filesize
410KB

MD5
3201181b38256a815b911314c3871a9c

SHA1
1adfb13690a8c43f78fa300e2672e62d13febd9d

SHA256
c043d077818b2862f959c4c20888e6ef920d9509542f5140de0bc7d5d7beea1f

SHA512
882374a99ad570768ddb2426070804bb7765376c126fa9a6c29249f01a24a1b70315fb405a456a09fbaf46de1a630e3984c5d67338f6b5c61fde5a51dc71c8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\gsr_0001.tmp

Filesize
373KB

MD5
b798f38be4180a30248c9892ea9957e4

SHA1
2f31351a29d36dd87cb7463f869d6075588c0142

SHA256
c2ac36912654e2e6845c5308693611b754b0440cfb8ea5fc1ac03346fb4d08af

SHA512
5e61823127062861f9caa495ec4c4d11e3bf7687d3d2df5450c68faff2e311d369497e2d687e2e78994856b532856c03c84f9d20003ff2186223e2bd4d335796

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\gsr_0001.tmp

Filesize
64KB

MD5
3540689ec7512dbb54e0a516e3b13467

SHA1
6593eb5196196c42dbe77403cafd3ac9559d58fa

SHA256
556184133b2d6e2fd37d86e63bfac35932cb95c21ebcb03770977a445ddc0668

SHA512
77b04d09889f11c0e94d7412405f5cc24e87d2128c50a73ac1134f589097280b7588b095a141f82a88a6f03e78133a1d89484b53ecfd7cde6f627b1a1a53a4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\slmgr.vbs

Filesize
110KB

MD5
38482a5013d8ab40df0fb15eae022c57

SHA1
5a4a7f261307721656c11b5cc097cde1cf791073

SHA256
ac5c46b97345465a96e9ae1edaff44b191a39bf3d03dc1128090b8ffa92a16f8

SHA512
29c1348014ac448fb9c1a72bfd0ab16cdd62b628dc64827b02965b96ba851e9265c4426007181d2aa08f8fb7853142cc01fc6e4d89bec8fc25f3d340d3857331

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\slwga.dll

Filesize
15KB

MD5
b6d6886149573278cba6abd44c4317f5

SHA1
2b309f9046bd884b63ecb418fe3ae56c2c82dd6f

SHA256
273c05c8504ca050fe6c50b50d15f32064ec6672ae85cde038976027ca4b14d3

SHA512
56352f53e5c88d9c22188480a5cf4d744857774f56e08b53898cda00a235a6be9b3134dc5b58ae2531b06664f6f09c3ec242e227b3dd2235299290805428ff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\slwga.dll

Filesize
15KB

MD5
7edc3c01ffe76fbe4f88ed6cf7e93d2a

SHA1
28f447f52c3601f5771d1d6af8177acc5d18dfc4

SHA256
a55cf293afe484a4831bf1921bf8a8a60f27cb83f7b5660859f48cb5fe64dbb7

SHA512
003a1531aa00623db7bc17a4b5aeff66255c427b1b7f2577ac6893336395807e8c06dc61fafb5bab187999f71d807ab5beacd1ebdd4690a1a32b54e15c84dfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\sppwmi.dll

Filesize
139KB

MD5
85eebb24b18781a3d4a8558d8c294a6e

SHA1
03a6659983cf14e9b2334df9fd32e49079998364

SHA256
85d17a0a081907c2c5c0eb856a8639704af47bb7bba508101b3a1c23f742a885

SHA512
4fc93cd158891b356eca4b2e719fb825e0aa0b55d705bfddbcad256727a3099c8cc79e4292656b57364f2495b0937241715946b815c4bf61bfd00f6df65b956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\64\sppwmi.dll

Filesize
139KB

MD5
c720d5c793bf86f5b6d1f38269fa8ddc

SHA1
94c0aefdb0e1e429a35dade154ffa751c20f870a

SHA256
f5721d9be5fc6a7a9a9babf1ef25cf657eaf7ce4dea20f5d7261b09930c47f36

SHA512
df9a41587c6ffd7a1294b0e467c29b94c9067df67adf1577c5adcdd2a4abe7db72378e3eb79dab2570235521c806f97d9bb3247a51e3e7e44f93ef8435b56abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\arch.cmd

Filesize
558B

MD5
379f17168f80eb977a0ae103dac9de98

SHA1
5cd7f4ec26366e2777fc5d5059009f7872fbb8de

SHA256
7257349f727d176425f3854bbb7624ec3ec4422e872fbdd025420e9791f99897

SHA512
543b8fa7aa3fc95a01568348f3c0ce22cf804cf4451af38858e0b5e3691f7d9a1ea1bcd51a9e3edd1e9a187224861c9cb49fd23c0e9737ad5a78b2dcf4c89c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\bump.exe

Filesize
19KB

MD5
2d9a30606a718bfdb4e5e9b6c2939881

SHA1
298b80c781aa4e2cb6fc6f4efac9a565b9b13c82

SHA256
1f57f10a0b2c52bb6f89504e047854502e42ebf9f6153a1a4549a55099f98b51

SHA512
c14e38f2275dcf32d0e3e9ed2f77c4d9ecfa78f03674db06a90420f4802ed2061444074a594e8b9e82272453202be65437cbea959f615d3f743a7aafee0b3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\crc32.exe

Filesize
3KB

MD5
682ac7bb084c88e73d628cdf57dff336

SHA1
652fb5d2fd9467f1ebf5bb3ba7a5daee87b62e0f

SHA256
d9c72a8ceccb6d73dad98ef44495738286286e85102e033fe7f09069bc02fba2

SHA512
2c599a1b11f476bb0e1c9bc2b4b30125ebe1e819fbd41c30c10c6770177f2d6ddc4dd91d1ee813a9223e6879accd4fa99dd5a46c8f1723acb7e63b2831e2ae9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\flick.exe

Filesize
38KB

MD5
2e2827ba66bfe75bc2fe2d0a02eecc73

SHA1
97e85467a9a24a89ab9d2969d5cb7275083c04f2

SHA256
4cfa00888b15201bc0ebc133431d55845c807c5e38e85cf910c481ec9f5a66eb

SHA512
006500778b6fd25af74cebf47707982b375625f35ea329db9216344943ba8d8bce989130fdda2ac011407e827be0d7fab69fe87dee793cc719e410963bcbf734

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\godo.cmd

Filesize
1KB

MD5
92ce8cbf009cea52544956d2cc6a810f

SHA1
1ab78049064fd7b6c4b775c2edf70ec58486c563

SHA256
89f1e56537b38e367a79c33d75d3a2913ff249d7623363dc48f373eb1b8b14ad

SHA512
4de7c8a79fc7c89dce59ec5071ef214af84d5c9e9a3a82956e13c5e2df0a2759a1413970d47cc156d98134992ff6ce43d4d862840190629fa24eed42f4f6dbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\hale.cmd

Filesize
423B

MD5
6ce66570bfab35a20d280d9833049e97

SHA1
fc9e4248551156ba80e515e78d3496429754aae2

SHA256
c755237b5c58134ff21520f7d2d401e5c9ad40d05dc76fe317ffd238ecafecf2

SHA512
1870e653f7132e23b9a1c078b6a6931e6bff6682e8da7325eed20ffef800dbc21e71ff28e5447fc871715c07cc4e8986196a637d855550515feac168c72984b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\hash.cmd

Filesize
96B

MD5
467b51f35949c5a3f722ba736ce920e4

SHA1
525638ae64c3d2e3518c7b1debc661a251b8d285

SHA256
6c28fa6bf656b77085b464485fd085d4d6eeb7e3a0ff2dff690dc813b492580c

SHA512
93d6c5a3eaaecd4d461654c09d4771217570139d39d0dbd06b1593965c7f4196e94594f8156b50ce58830e0694abf5e0e30d6c2ed63e5f482c5c797f22bc4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\intv.cmd

Filesize
402B

MD5
3ab983628da0fd9f8afd497d07f33d76

SHA1
1d85342e56d1e5d90a10aeb9bde0232250187169

SHA256
97754ba105cd61128ebef8aab5272f669a72b64f44b6d861c8d507c088410a27

SHA512
65da3d80645d943d4717e8b340bb9ce3e26f07e63b9db7c1d27f68ddf9f3696ba9e0475301e13e93f841558834e4b8fee5452ef220503fe41d70057c5f55da8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\lhed.cmd

Filesize
659B

MD5
34670db25d9afd4f3912f77f2e5c7d08

SHA1
a59646f18b9a365067f9163f2319e219883334d2

SHA256
a4761b5a5f5e6542867ba1caa87676410b7aedccd762826359046167771659ff

SHA512
069204ff649adec9a4b5029bf8b99c3cb324da3306f9bd9bb350883576efbda65fea445b5d7a1cb3bdcffa66b11be22415d5def1ecca25af19839a22360d5a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\mtmp.cmd

Filesize
106B

MD5
02d7ebad35b5624a751243d101a540ce

SHA1
4f9f0e0d47c78511ca88776fc86ece16055df66e

SHA256
7686c1b97d3f80d042aac35d82b5e5b558a494ae3e0e35de81a47c413d9020ac

SHA512
04fc1f935dd996ed1528c9bdf33e783a14a327e4f4477caa1fd5b9312cd3c37792c99b7364e7142284a161fc8c1ff146ca338aea2f1981b27aacf5b95d9e1387

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\ownc.cmd

Filesize
568B

MD5
f16f9a87e6a9f18921a30ac379b81995

SHA1
3e02237a1b2640138a14d47e2781b8bf8051ad08

SHA256
9177bac8288a592264dd90d2c956433a8818f1a34a5d864bd626df3fde0e0cfa

SHA512
e60013c4bd894d7426680653653599e335fcfe70a3f5da8b54b443134250853a9755acd3a49aa46ec4b017fe3db403e5c7ddbb4bcfa320825c2067a77fc6760f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\plat.cmd

Filesize
450B

MD5
18e656cb3dd56af78ac3c58c7018145a

SHA1
8d6ce19ea492834e65949a7299ebc8e87ff4e484

SHA256
a18f490dfe451f8c14eaf07951292cc45318073ddbac65b18831668f48d811b2

SHA512
2292eaa0ac027c5b8bb1a5c838d40ace1b723f2962284b26087c52817b2b7db3ef05cbecfe1899d9a2f226292f3bb4409633c9d007facfef8673135b8ae4c148

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\plog.cmd

Filesize
145B

MD5
d638644c3bb80f1e98ae06fa85680eb1

SHA1
96d95338be3be4a24d999b82d1e00ccfd797614b

SHA256
e8a990623424631496704087d29f05300bc5efabb47c94ffe7f6bd46d803b587

SHA512
1349049890363c7ff3a5213e063a1dbc898cf8c85933066c34b0d88b33b6b1964751e9b470af504a62898c870f4dfeee9858aadc336c1f33485e81e89ef1de1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\radd.cmd

Filesize
113B

MD5
0ca0566671854f45d316877cb3b9563b

SHA1
75ea44bb67f797281703030b2989e91c2723ddb6

SHA256
048e766ffd49a6ea2fe280dc3f949c1173b439b0367137972fb6f8196c6ad8f3

SHA512
12c6e3b76dbf2ea7c631a86010f77467e173cd497af0ce2e8f8fe95986ad4558c950928d4a3fe7fe28d82ca4d29f1c79aeddd0096b1792b6b015264b1a70a51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\setv.cmd

Filesize
2KB

MD5
adbb4c4121d770efc7154f06fe476a42

SHA1
2ca33c200eb09e8619936997211d8894dadc3694

SHA256
6a8233f58dcdffd51292b753688848198982c5de11945651f165d1174e570372

SHA512
380c291625ee88a1a7dca67b6a27d393cdf1fc4a60349f413071f584f86372c420bc46467251147ef766c92349751db1cea594a69b6dd6fc0fb67e0d13630697

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\tick.cmd

Filesize
8KB

MD5
d32c42e48ddee14fddd78bae6866cfc2

SHA1
350a4c21e021c6fd3393793f22158e5c73deb2c1

SHA256
7ba5af7f29496e9c5eb780cd484623ecaf0443299ea9693261516dfb60401266

SHA512
615c7f837e1588b709f19570a5a6f43554133df67de950367152230626f303da5cdd0359b888eb3febb80ac1321a91256e1c61d5eb2aabfc3c5ab3c1cfa94996

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\town.cmd

Filesize
309B

MD5
574958530816e546394dbc025d8a08eb

SHA1
dbdfb40357f60bb6bc4575806f1f924a11302205

SHA256
81ebb38c6e13f2b695cc1cf42ff6f6a1a836270325c2b14a76d4ed5d7ee718da

SHA512
088c2bb7b8de936bcc9118ce993bda38344556d8bbd2c0737321042751cf3d0edb730c2fb9fe0bb745694205c68fefcc303907bde02a8b58ae15de23f7dc09c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\tran.cmd

Filesize
1KB

MD5
8ff2a0df0d5a63f3a7061ec919ba6344

SHA1
f70cabc248d4ec9849657d39dda784717e355c70

SHA256
c0cd5f9fc6d23442bc1b81e9e6efb3e2abbeb744863bbb2106e2dd679bf039d7

SHA512
96cb5a166da63e1d8b92f5a205c0c0ef616288d242f7c173f20015dde1d56e6a60e948ad32e5f3242e2fe6ae2e0659cf9e6e999748d7afd3003abd66abe15913

Download Submit
C:\Users\Admin\AppData\Local\Temp\D25C.tmp\wslmt.dll

Filesize
105KB

MD5
2ba3a706f9e5b8a30dd84f53b022a8ee

SHA1
3aa34c784f16a4f8a5f2b58265f926660b3317f4

SHA256
fb4027289553615d5a47f7cb387ed4f5fcc6c4cd5b176a287d00659587550c55

SHA512
ff1c0f880cb9dbf0da6f0a479c0638499baea76daf5d97f363470770ec0cc6b6be309203fcbf02c3fc563a3c65ed30d78990266e1e9199d83dc1d0ee1b438eb8

Download Submit
C:\Windows\SysWOW64\winver.exe

Filesize
1KB

MD5
517a63ea2af1a35de43b9677e197d3e2

SHA1
75cce1d13e9f008fd18046d49cc4997b65092cde

SHA256
7f034a0a09d38bf561cd22b8064b18e0b70970a471c0b3a5517324916802407d

SHA512
6f29840690bb456192581e001dcaaf10f3f9b6ca986c3936994ddde1d623129c6dbeecae3a2e26720c20ef8f6ce1662debc04fc06fa17139f8ceb9e34c6b3dea

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
28B

MD5
38c983879e5d98fef44e8e0538fc7c21

SHA1
1117731974d46d5a8cc25364e0b05f7e2a3ec11c

SHA256
4c447aafb91fce5872a5e2cd1cc86e7557f1765314fa2ed1a7aa0cb98054c81b

SHA512
d1a38ca9bad5f24d590e351c0fd59703d8c5508eeca127dca4a1ccc852e4be92ce4add9fa31ca140cd2701498e9f5635f5465958059efe53d90ce80c09c95431

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
72B

MD5
50468bbd4cf09c56f3be5864b09a84ff

SHA1
9d21028f3194e707a3c9c8dc1ef00483506590bb

SHA256
b2dd6ce53b9f6cbdfbfa2c04a9eaac21602cfac6b2c75c6bd6086e327980e24c

SHA512
6acbc3da203eea19eb94c314b09e8e02a3d79a56cb8da274701d6af52382a59a75a0604d24354f6115b1465dff5c7988fa96a1ada91c8d8f841de503912d5915

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
138B

MD5
ce336e98e932b6f71c51cd33251825c1

SHA1
93489b9763d0313c8457aefc0888782c254f96f8

SHA256
d3c9b2ba4e70b906c165109ff81f443fbf851f8a2d9019abf06592d434cfbdf1

SHA512
f74bb918250629aa6a66f39244f8e65a4daf4a599b86f77b6ad10d9762fd5f85184b4361ca44d25d41fc65de9ee443f3119587e68961fa9fb4d4a6d87fcf0a5d

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
2KB

MD5
36e4b570c1d45988957291a43d70a618

SHA1
910e8b9f73ac67d2bb643953567772e9089bd671

SHA256
3c30f51ec4aeec49f589ed092eef2c5b5c913a6fbbb56cd632e6ece2c6065663

SHA512
152e03c2aa6d1c9a5cfe6e6d7a4692d619b2f8c04a969cf7a09e5e7fb8a38fa37032dcfba9ba62de9673c787d58338fd908ba6db5579f219ef7c1c246a533a43

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
2KB

MD5
76cffb28beb2fda410aa65d68d67a08f

SHA1
60f7ee2a7fcdf5d867a0539b388f8b02eb9cda18

SHA256
4cac9bf906e8a06be39ad82a581afde289027c4925f7a6f52b32ab9d330aca62

SHA512
8d181fdcb7774c8d6ca4214adda9192be690f0ef4eed9c1760471edd2f6fa34a2f727bdca344153888bda2104304d77b18106570b472c5abc58aed30f0bba573

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
2KB

MD5
da21335263023ee6545c5d884795ccf8

SHA1
c953c8abf2dc9c0740f0c9e8c10475ed46a52eb2

SHA256
3b93ced09dedb46433078ca733dc5dad09dd11939a38d5416a2de3ab2dff74e2

SHA512
57798091f722cf33f83f78b947f887aa0d0ba4915f35ad0d21abb6ff9944ef2249567bfdcaed5f6625c0f6fa6dd7b613c497cb5f264b73b53293b25f58c7490d

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
3KB

MD5
8ebdc06d3ac07219ef28e60435a35074

SHA1
dc5ac5cef4b29c4c2c86895bc0e88bd54879dfda

SHA256
dc0ecbe0ac99daadf48d6ced0e4332ddf16c9fb7c4933aac336330dd7e58c2ce

SHA512
564b2015bed87bc33b2f4d9cf9f240f773df634ea671691bb04a1552c0486ce8767f6ab03d7176975ebef0c1dc13189c03c9c6eba3bebe00fd33e2e0fc17d76a

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
3KB

MD5
109738fc211ed2fa221718b321152ea7

SHA1
ef9cce4f892894e8ccf5b7c0e27369bd16985736

SHA256
c5ec2b278bdd9317cb309d37133b20f302bf2dab2293efab4a29aa4d4411f1f8

SHA512
3b1cf6f834893a59452eb3198be3492d8f7e36d93a6e9f0a02919d8e5761fca55863cb85820fdba96196a4f7048147b611b07f334dc14789d8d6b6593541d63f

Download Submit
C:\Windows\System32\cwlog.dtl

Filesize
4KB

MD5
b10426b598a3975c66a0dfac655a5433

SHA1
cc91fdc682ac95b6508ac5fe319a3ce0c9ad073a

SHA256
d564aa8cded8fb183f92d7416b6493860c6cedd97377a3bb3de5d857e269d5db

SHA512
d74a586502d22e17c2271fb6891e5b1883bb6757da2257cdf8bd742ac7d46d694483b48ab886f0a8ec3b699815d5eb48f7ccc49d3a7bb13a01ff5e5ff014594e

Download Submit
C:\Windows\System32\hale.exe

Filesize
2.1MB

MD5
2469decec0e28cb3c83e7fc47cb4ad12

SHA1
6409fce7b0f64b3297346a5c82a632ce61d7fe8a

SHA256
e4d7bb65281a62e905eb2e7aef466525a24403079d4579029847d75142b48282

SHA512
2a00232f62b13e6678068cbd9ba2621a4157c0a0baa70dc19349623c21fab770b897db003811ef83a27c45fd988d04637baad54c63d22b1c4bcbc08fb208d1eb

Download Submit
C:\Windows\System32\slui.exe

Filesize
341KB

MD5
4a70dc889e9b792b83c68348709d3edd

SHA1
826791f1b69bb85b5f6155982e03bccdb7c22eed

SHA256
3c18353976d941de594adacf7f868f38f54acf4d93df70c6eb40268c0064a63f

SHA512
a9470fe89f63489d224cada645e78a89d9602a0ae794dc5dfbc5d601ccc283976d761dfcb8d137d71960be36b2cab55e44f4566b44035f487b763bc312edae4a

Download Submit
C:\Windows\System32\user32.dll

Filesize
984KB

MD5
d186babdfae7c0d93c9f6ae63957ee96

SHA1
3bae058e194bab58eb0da58ac4189f8594294388

SHA256
74e5f9e83d89c0bd78dbd2873455ef1c9fdd6110d274c82ed82259fd51acb893

SHA512
26c7c2305183079dcd12074f4c405ba37ca60fe507db7d363b11c70b7fe9337bee4dff6a3cb5f58f5d8f025a360627e1285a20e75937527ebd131234b6e04c75

Download Submit
C:\Windows\System32\winlogon.exe

Filesize
380KB

MD5
87a00ed70fec36d0dd968e5058c29aa1

SHA1
9d9e8c4f35b0b5d6077d71eb279bb3195c71979b

SHA256
c64c7af3688e9557e7b115375c3c3a41fd2e469ff9ac39eb549b3fe9bcba3315

SHA512
f5e5c7fe4a4f40e747aeacd12290a9b841486560566a0a70821b39cb60501e88c7acf8427128a02c088a43ccbec609ba09fa84e2b8ac3bb15be4ceae69e7a4a8

Download Submit
C:\Windows\System32\winver.exe

Filesize
2KB

MD5
b6d47606cc11ba2c58f12fe01983f77c

SHA1
a7046870240beb9555991020981d398af7ac56e8

SHA256
e6746e6f90d311bb769394ea1247f04f669184a08ecb2a8b237aa5185414dc1b

SHA512
729962ac9d8cc2bdfc8f1d2f66e9aeddaef819d9d6b6e4aa235196045558c0ff0ffa0925e7e0a1ebf608ee886d58e1dea91fda82456da25ee1fde65547fbee11

Download Submit
memory/492-564-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/592-693-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/592-477-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/636-562-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/860-656-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/880-528-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1076-379-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1124-708-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1184-407-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1192-700-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1200-717-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1488-701-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1580-400-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1640-529-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1656-608-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1664-237-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1668-665-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1724-647-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1736-615-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1940-599-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1956-600-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/1992-364-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2000-319-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-435-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-616-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2040-520-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2084-531-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2184-421-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2184-640-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2188-511-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2196-527-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2200-655-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2208-623-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2240-632-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2320-631-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2376-607-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2408-590-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2432-92-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2432-14-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2432-901-0x0000000000400000-0x0000000000BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2508-716-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2516-624-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2528-278-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2532-907-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2584-663-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2612-596-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2628-428-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2628-648-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2648-664-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2744-449-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2780-504-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2792-456-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2800-904-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2812-709-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2824-512-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2832-519-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2844-374-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2852-328-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2872-639-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2880-338-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2880-557-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download
memory/2896-442-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2960-463-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2972-470-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3016-414-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3032-12-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-0-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-4-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/3032-3-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/3032-2-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-1-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/3032-13-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/3032-15-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/3032-906-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-667-0x0000000077320000-0x000000007741A000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads