630aaa3b00578b65441960203fc0fcdf08abf80648bd22f4d55f751708ca518d

Resubmissions

18/08/2024, 01:28

240818-bvpq5sxgle 1

17/08/2024, 23:40

240817-3nzrbatemf 1

Analysis

max time kernel
81s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/08/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pcnukerv1.0.2beta-testing.bat
Size

1KB
MD5

5ca698053083f44764ab0492073335f8
SHA1

595f7128c39767f095b23941c9cc347be22e6f84
SHA256

630aaa3b00578b65441960203fc0fcdf08abf80648bd22f4d55f751708ca518d
SHA512

d7a94d0aca9f7de523419cbabcea7f4b8b231e8563831173d32a9910803dea444926d4f4d70625b7c5b3d7d319286accd6fa2168c629ccd9b0b83179d168687a

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: 36	1968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: 36	1968	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6600	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4640	1112	cmd.exe	81
PID 1112 wrote to memory of 4640	1112	cmd.exe	81
PID 1112 wrote to memory of 1968	1112	cmd.exe	83
PID 1112 wrote to memory of 1968	1112	cmd.exe	83
PID 1112 wrote to memory of 4384	1112	cmd.exe	84
PID 1112 wrote to memory of 4384	1112	cmd.exe	84
PID 1112 wrote to memory of 1952	1112	cmd.exe	86
PID 1112 wrote to memory of 1952	1112	cmd.exe	86
PID 1112 wrote to memory of 4120	1112	cmd.exe	88
PID 1112 wrote to memory of 4120	1112	cmd.exe	88
PID 1112 wrote to memory of 3872	1112	cmd.exe	90
PID 1112 wrote to memory of 3872	1112	cmd.exe	90
PID 1112 wrote to memory of 892	1112	cmd.exe	92
PID 1112 wrote to memory of 892	1112	cmd.exe	92
PID 1112 wrote to memory of 3500	1112	cmd.exe	93
PID 1112 wrote to memory of 3500	1112	cmd.exe	93
PID 1112 wrote to memory of 1836	1112	cmd.exe	96
PID 1112 wrote to memory of 1836	1112	cmd.exe	96
PID 1112 wrote to memory of 2388	1112	cmd.exe	98
PID 1112 wrote to memory of 2388	1112	cmd.exe	98
PID 1112 wrote to memory of 2200	1112	cmd.exe	100
PID 1112 wrote to memory of 2200	1112	cmd.exe	100
PID 1112 wrote to memory of 3736	1112	cmd.exe	101
PID 1112 wrote to memory of 3736	1112	cmd.exe	101
PID 1112 wrote to memory of 236	1112	cmd.exe	104
PID 1112 wrote to memory of 236	1112	cmd.exe	104
PID 1112 wrote to memory of 3468	1112	cmd.exe	106
PID 1112 wrote to memory of 3468	1112	cmd.exe	106
PID 1112 wrote to memory of 780	1112	cmd.exe	107
PID 1112 wrote to memory of 780	1112	cmd.exe	107
PID 1112 wrote to memory of 4848	1112	cmd.exe	109
PID 1112 wrote to memory of 4848	1112	cmd.exe	109
PID 1112 wrote to memory of 1064	1112	cmd.exe	110
PID 1112 wrote to memory of 1064	1112	cmd.exe	110
PID 1112 wrote to memory of 5108	1112	cmd.exe	111
PID 1112 wrote to memory of 5108	1112	cmd.exe	111
PID 1112 wrote to memory of 3896	1112	cmd.exe	112
PID 1112 wrote to memory of 3896	1112	cmd.exe	112
PID 1112 wrote to memory of 4456	1112	cmd.exe	113
PID 1112 wrote to memory of 4456	1112	cmd.exe	113
PID 1112 wrote to memory of 2560	1112	cmd.exe	114
PID 1112 wrote to memory of 2560	1112	cmd.exe	114
PID 1112 wrote to memory of 4380	1112	cmd.exe	115
PID 1112 wrote to memory of 4380	1112	cmd.exe	115
PID 1112 wrote to memory of 1728	1112	cmd.exe	116
PID 1112 wrote to memory of 1728	1112	cmd.exe	116
PID 1112 wrote to memory of 5064	1112	cmd.exe	117
PID 1112 wrote to memory of 5064	1112	cmd.exe	117
PID 1112 wrote to memory of 2492	1112	cmd.exe	118
PID 1112 wrote to memory of 2492	1112	cmd.exe	118
PID 1112 wrote to memory of 4208	1112	cmd.exe	130
PID 1112 wrote to memory of 4208	1112	cmd.exe	130
PID 1112 wrote to memory of 2692	1112	cmd.exe	132
PID 1112 wrote to memory of 2692	1112	cmd.exe	132
PID 1112 wrote to memory of 420	1112	cmd.exe	134
PID 1112 wrote to memory of 420	1112	cmd.exe	134
PID 1112 wrote to memory of 3100	1112	cmd.exe	135
PID 1112 wrote to memory of 3100	1112	cmd.exe	135
PID 1112 wrote to memory of 4348	1112	cmd.exe	136
PID 1112 wrote to memory of 4348	1112	cmd.exe	136
PID 1112 wrote to memory of 1192	1112	cmd.exe	137
PID 1112 wrote to memory of 1192	1112	cmd.exe	137
PID 1112 wrote to memory of 1336	1112	cmd.exe	138
PID 1112 wrote to memory of 1336	1112	cmd.exe	138

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pcnukerv1.0.2beta-testing.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\warning.vbs"
  2⤵
  PID:4640
- C:\Windows\System32\Wbem\WMIC.exe
  wmic computersystem get model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\system32\findstr.exe
  findstr /i "Virtual"
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:9680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\warning.vbs

Filesize
473B

MD5
7dde9c040bfde5924a7e1c891a2e8371

SHA1
ecd5bf2607de8c7a2b6965a1d87dbb3b425fa5ac

SHA256
39477d6040fd0ad45c1bbf919527f5a1c1943eb9dee37a5223fde0ce7f2d9127

SHA512
f8e92cd063d7f094f700913a9aeeeb33d12ff5c1b1968f1aeaf305c2bc292750185c875b4957a42085781c17f68e4ec92c14cccd2d0d6e5532acc11d5505c042

Download Submit