7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Size

1.8MB
MD5

f459a1531f07ce212119cf022161b60b
SHA1

60c19230829b1fc4b6dee0fc90172417b3fb864a
SHA256

7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332
SHA512

b6ebb2ab4f6cc2ba14bd71c0b5e4508fc93cc951520d40655128e43684637a72dc7a77637b7929a6d59043c18e027ae7da73f2285ef8e8e588cd9956491edc98
SSDEEP

24576:4hvO86HNJck3aKoH5xFBl006Wq59hT6/qinUVEXa+YqxRbw4mMNtJl5E+29wjqqT:EUmPWNF5f6OXoxWINthjmq

Score

10^/10

discovery execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Medal\\wininit.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Medal\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	60	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	60	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	60	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	60	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	60	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	60	schtasks.exe	83

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
4212	powershell.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\wininit.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\wininit.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC56804A33F99F499FA4EF16D24DB262C4.TMP	csc.exe
File created	\??\c:\Windows\System32\lcv0ji.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1236	PING.EXE
3984	PING.EXE
2748	PING.EXE
4744	PING.EXE
4440	PING.EXE
1624	PING.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2748	PING.EXE
4744	PING.EXE
4440	PING.EXE
1624	PING.EXE
1236	PING.EXE
3984	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2900	schtasks.exe
2156	schtasks.exe
224	schtasks.exe
3592	schtasks.exe
840	schtasks.exe
2932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
1676	powershell.exe
4212	powershell.exe
1676	powershell.exe
4212	powershell.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	960	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1436	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1644	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	4456	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	4980	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	212	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	3892	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	3304	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2676	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2544	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2396	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	3340	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	424	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	4396	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1660	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	4480	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2732	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1652	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4292	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	87
PID 3624 wrote to memory of 4292	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	87
PID 4292 wrote to memory of 444	4292	csc.exe	89
PID 4292 wrote to memory of 444	4292	csc.exe	89
PID 3624 wrote to memory of 4212	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	93
PID 3624 wrote to memory of 4212	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	93
PID 3624 wrote to memory of 1676	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	94
PID 3624 wrote to memory of 1676	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	94
PID 3624 wrote to memory of 1872	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	97
PID 3624 wrote to memory of 1872	3624	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	97
PID 1872 wrote to memory of 4708	1872	cmd.exe	99
PID 1872 wrote to memory of 4708	1872	cmd.exe	99
PID 1872 wrote to memory of 2520	1872	cmd.exe	100
PID 1872 wrote to memory of 2520	1872	cmd.exe	100
PID 1872 wrote to memory of 3192	1872	cmd.exe	104
PID 1872 wrote to memory of 3192	1872	cmd.exe	104
PID 3192 wrote to memory of 2688	3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	105
PID 3192 wrote to memory of 2688	3192	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	105
PID 2688 wrote to memory of 3748	2688	cmd.exe	107
PID 2688 wrote to memory of 3748	2688	cmd.exe	107
PID 2688 wrote to memory of 1624	2688	cmd.exe	108
PID 2688 wrote to memory of 1624	2688	cmd.exe	108
PID 2688 wrote to memory of 960	2688	cmd.exe	112
PID 2688 wrote to memory of 960	2688	cmd.exe	112
PID 960 wrote to memory of 3552	960	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	113
PID 960 wrote to memory of 3552	960	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	113
PID 3552 wrote to memory of 2108	3552	cmd.exe	115
PID 3552 wrote to memory of 2108	3552	cmd.exe	115
PID 3552 wrote to memory of 1236	3552	cmd.exe	116
PID 3552 wrote to memory of 1236	3552	cmd.exe	116
PID 3552 wrote to memory of 1436	3552	cmd.exe	117
PID 3552 wrote to memory of 1436	3552	cmd.exe	117
PID 1436 wrote to memory of 4284	1436	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	118
PID 1436 wrote to memory of 4284	1436	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	118
PID 4284 wrote to memory of 544	4284	cmd.exe	120
PID 4284 wrote to memory of 544	4284	cmd.exe	120
PID 4284 wrote to memory of 1200	4284	cmd.exe	121
PID 4284 wrote to memory of 1200	4284	cmd.exe	121
PID 4284 wrote to memory of 1644	4284	cmd.exe	124
PID 4284 wrote to memory of 1644	4284	cmd.exe	124
PID 1644 wrote to memory of 1444	1644	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	125
PID 1644 wrote to memory of 1444	1644	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	125
PID 1444 wrote to memory of 2716	1444	cmd.exe	127
PID 1444 wrote to memory of 2716	1444	cmd.exe	127
PID 1444 wrote to memory of 2696	1444	cmd.exe	128
PID 1444 wrote to memory of 2696	1444	cmd.exe	128
PID 1444 wrote to memory of 4456	1444	cmd.exe	129
PID 1444 wrote to memory of 4456	1444	cmd.exe	129
PID 4456 wrote to memory of 4884	4456	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	130
PID 4456 wrote to memory of 4884	4456	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	130
PID 4884 wrote to memory of 2392	4884	cmd.exe	132
PID 4884 wrote to memory of 2392	4884	cmd.exe	132
PID 4884 wrote to memory of 2244	4884	cmd.exe	133
PID 4884 wrote to memory of 2244	4884	cmd.exe	133
PID 4884 wrote to memory of 4980	4884	cmd.exe	134
PID 4884 wrote to memory of 4980	4884	cmd.exe	134
PID 4980 wrote to memory of 4688	4980	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	135
PID 4980 wrote to memory of 4688	4980	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	135
PID 4688 wrote to memory of 868	4688	cmd.exe	137
PID 4688 wrote to memory of 868	4688	cmd.exe	137
PID 4688 wrote to memory of 2196	4688	cmd.exe	138
PID 4688 wrote to memory of 2196	4688	cmd.exe	138
PID 4688 wrote to memory of 212	4688	cmd.exe	139
PID 4688 wrote to memory of 212	4688	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
"C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mj2mm1gq\mj2mm1gq.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99BF.tmp" "c:\Windows\System32\CSC56804A33F99F499FA4EF16D24DB262C4.TMP"
    3⤵
    PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Medal\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QCsOkUWQO6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
    "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3748
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6KfhU02lmW.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        13⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ShSWMkBVB.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        15⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat"
        16⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EP1yTPiaGq.bat"
        18⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat"
        20⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat"
        22⤵
        
        PID:4360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        23⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ShSWMkBVB.bat"
        24⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        25⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat"
        26⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"
        28⤵
        
        PID:4956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        29⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6KfhU02lmW.bat"
        30⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
        32⤵
        
        PID:4320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat"
        34⤵
        
        PID:3824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        35⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat"
        36⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:3652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        37⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\icKtIWeAP2.bat"
        38⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        40⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Medal\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Medal\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Medal\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d43787783327" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d43787783327" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6KfhU02lmW.bat

Filesize
278B

MD5
47bc1662ef563b4f569db7ca1886d06d

SHA1
47405119f66971cf16a404f00ca04cd6fb25927f

SHA256
89b2ebb1d9ec1a86653d8f00fa79583f5336b5108108abdd682371ac02ec3927

SHA512
d566b4fd86c90cbb58d34da8f07fa2d49eacc8f223facffa84235b7728eec4df382477a2104a1e750a87f7bcad32915e32dba9f02a02b4021459b2518d2f32c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat

Filesize
278B

MD5
97f52f90927da8f8f3163377566ee7ac

SHA1
51a65bd584b23f787f53739e7ef334a36e6a567b

SHA256
4e2d96800296d63224e4a8a4168526e6ec2e8fbf7a6dd26935faef3ec4a13cc3

SHA512
1e14a422678c2249be94d275fbbfdfcf5870898242dba2b058b57220c43a230ed74a7cdf1e58ad677028206e70acf98bc8b33a2a6384f59a7d778dcba60642e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ShSWMkBVB.bat

Filesize
278B

MD5
6064ed755950149096d32ad189df6c0a

SHA1
e80f43e3e86ebec27105055226bad173ed166bea

SHA256
f78281d8199845d2a9fabc648bbd81a445a025ae3c909488f4a4ba4dc5dc70ba

SHA512
7923bb1f145b02c9ea5e8b99d3eff67e53266f8d39ebadded28efc268c466c009e7eb673c141f2a96c00f67e3ce2572ca570a200bc98504490b541fcba0e2dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat

Filesize
278B

MD5
ced85c313ca23e51319a43586cf277e9

SHA1
033fb8755240c6d5656c0b77b24fc4aeffc4e88f

SHA256
7027796b60c0fabae8c58bb92893722bd0f9869e47e6e5f3d4d036a448222f9c

SHA512
d7f438effc88b910e74f8bcb9a9d799820f15e5d819ec3769ced64caa84a855f51b61efb91ee95ae6c71a7d5862b6b876846fc27931195f4c6a942be8fd849f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EP1yTPiaGq.bat

Filesize
278B

MD5
7ccc61909a55909be4296bbdbec1d3d4

SHA1
409f83721253755491ad9cf153fb6ef73555b040

SHA256
20ce59cfb190b3e6a0cb216bba51fd0119775cd9ce5e97e7fc2169599d918d1e

SHA512
5e78182922ecd9a4ebb548bdbe83114744f5bb490977b7c8e8391276246f38b7f2c82a331660eb811b4100a61bcc1fa6d1109f9ffd4dd92d23a5707ec12362d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat

Filesize
278B

MD5
1da03e8cb44ea84fcb5f6f900d2b44b3

SHA1
042c26a0fdd17fd7e198cb5e1554abbf9e798df2

SHA256
090f8adbfc1a2f4bf429954bff68a90484896581cfc7c2c7c7537a1c9c479700

SHA512
289453c8946287df51a84225a0028c8009ca9a78b25883f994b06da52c0f43d55e6486e4abfaeb95f32b6ed03142d9c1825cc3449fd1e8cccc2ed6ac19031c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\QCsOkUWQO6.bat

Filesize
278B

MD5
1a0f50497bdb6db81c2bb6ef723ce2f9

SHA1
f28ae85a01736d1883bf35c6eb26fdfc5ad759a7

SHA256
314470813eaf567812d720f282b840e67c18d59a8d8b64e82848a7e4b43bd427

SHA512
fe759b6f117416f3d071e8914102565d62a450ece898786646f2138f75b66973a4e9d4db631b8948fdd5895710e2a5ae1d5391912436100a2210402219eeacd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99BF.tmp

Filesize
1KB

MD5
565bbc21312e2d3ebeb279c5e2843493

SHA1
117f00c46acdc411f2f6ace7fd3cd6de73f39936

SHA256
b9bd844c1548bc1a2f0d375e5ff73da99765022fe852ae499b5c70833bfc1649

SHA512
d724d6517d655bcd4bb222246437e312da7757dc7bcd4f4195bfe7e788c34fe9b1b2c4755d1db7953e6fec9b05c9716b1db25b4ad649a4925ff72bb82ece129a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat

Filesize
278B

MD5
0cf7d2cf797f02201ae519eb6795d1e6

SHA1
ff54e2fbebf937c526e5bbb5ed92497247960f01

SHA256
baa07bf7a8a2aac98b4058d5dc42b18fd78b7a1613bdcdde35efc1c9c145fc86

SHA512
77dac28646f68c1f402ed88ae050c1fcd511dd29c2ef99c72afa3d5c046051647c77092f6148b582df54bdce8d5899f5245690328b336c0a4c74cce91f730223

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat

Filesize
278B

MD5
3f405f87473aa06fd55f5526b0517f34

SHA1
d823062c51b5d720224a6a597d515011de9c484c

SHA256
71634e023733d7a9b5c466f5fd7451e966262ec70ede5dfe0d5f0d5d23f58e2f

SHA512
83bc3043713bbcbfb4156fa8f60d37cc7c7e2ac637c3818fbe9931843cfa13a954db0bc5930e9b8d9f839b9a07ba2fc5836f8e0533f44e9cc3827ec1e38c7a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpmuo2qu.bhk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bCL7Nxg3GW.bat

Filesize
230B

MD5
bdcd1cbfe18cec8e3b4092521fd0abe4

SHA1
630a6bbf7933c294a240445c8ea84af4bcc049a8

SHA256
cadd58c9f500802f3cc4de3930710b17ff87ef018c8a40dd36e10aafca268976

SHA512
46eca5c8db454c4dc25eefa3750c0da2dd0fb659f6fcfd24d90c451c65abe7a633f1ea25d9d5ebd3c89fcf8559f0e9ddb3715dbb2ec56bc1ad950c8637f25902

Download Submit
C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat

Filesize
230B

MD5
d5fcb5bcd04b1c98ad72e8e6c415f6a7

SHA1
ffad9cf3712de9e4834251f175907112b2b11b3d

SHA256
5abae00656da0adbb18987d07b83e840efc5a4751fe63dcfb5ab55c247d447a6

SHA512
f4ef215f526a25c66c073ffb49ee2196c0c29ff3c160746c91a0bbe26d9b0740339eac64143db5ed6e2292c321281f0ef879893a618e201b2788afecc386133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\euqVpFfbpH.bat

Filesize
278B

MD5
6d7fac76bb4e247a80e45f5f13e701ab

SHA1
b9189fef8aec4999ab183ab39bbbedbc2d69b5e0

SHA256
9d0925310fcf7133c26de14650c1451897bb3839d8677823fc6ed8956a7cf932

SHA512
a79614223baf9af9a79ad22c4b8f652f75263cc3388612b0b8785da624b31e365b53ba55daf9338b7c5977d5237a525e070e668b8547ba0bdd36e3ff6b1f9185

Download Submit
C:\Users\Admin\AppData\Local\Temp\hNUloleJD7.bat

Filesize
230B

MD5
3ede71d082a341967594ab7e659b33ec

SHA1
f3dd3abbaa899d2b0a967a97929b86340ed45c0d

SHA256
f8eef3d306631a21e491973c50eb691c900e6002aa1744f4bd1247701c65c8d6

SHA512
1f28e735a23b302041ff4d14bb8388d0a0af9203a1ca0ed74cb955b5ca21199b8e06efa51639c8ef5e9a7284e815b05e960c387023a1624c55522dd7f7cb4b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\icKtIWeAP2.bat

Filesize
230B

MD5
eaca72bafa48772f77c82a56dabf210c

SHA1
ba42974ad25eddcdd84b39634f0ac6b7bc48ab6b

SHA256
15efc02dd81bf179ac861447b37d100bb0e2908e9613c2a72ca196e13fed2841

SHA512
0452e2fce503b1268f9b1549701e1e3b219baf017f1c64ac2075acd016d2902de12af86ff5b8bd90197da3c2fe328cf14b0c6c84ccb78c96f20ec400f51d7e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat

Filesize
230B

MD5
1b1486e9151d1cc04849afbca159df2e

SHA1
8564331d7bea5b06850d9b432f26134f5778d3f5

SHA256
d344fc571bf511dd45065b713a86809c99b1f9c375ae9ee15f79dbb2f57c3cd6

SHA512
f0775409161f19ccdde7d331f1df672f1ac5c20230d69108446a9fea9a81cbeb5eb88587fca97bd280ad9dcc5b68cb6591469e6791ad3de58149598c41342556

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat

Filesize
278B

MD5
bffbebd66dbcaa940f697c9dc96d5a6c

SHA1
90e2e288dc711e703731e00800f0c460a110861a

SHA256
baa5ce4167e68f4e1e8388ce93677aa914c8c8490061457239b9a7da946a8057

SHA512
30fc4b4bf6c370b37e272fb5771867ee53a6a5b0d99b726b87c49d0633484c1f8efaf4a8a7885211934e254dbd7c6c8251e1482dd394eaa2249e94e9f2d01263

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj2mm1gq\mj2mm1gq.0.cs

Filesize
378B

MD5
f78ed4e319b47b0b9ef3526dc361e225

SHA1
2e1fc727116792fecc0d82bd90cfdd4b3227e49a

SHA256
0c8ba169227d7a62534a28b6c14dba9f4caba709e2f9a7a04a58b308d2b22bef

SHA512
bf477d6c3613790eee3ed35690f5915cf38f73b7c62f71d75f86e0d11893633a3d832d9945f2370a70cdf579f39c8f45885cd76a281ec2aea09d3e828f3bacd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mj2mm1gq\mj2mm1gq.cmdline

Filesize
235B

MD5
92e1c8bfb4892ceb3f81d943d6a63f92

SHA1
831264b1555810a18f341da77291ee10ae7b0462

SHA256
698a3878e67efe1de812d35d5680c8b4271145e15c36724f7b1f2ac36a53f0b2

SHA512
a883e93b9433442cb5b472089547ecd2c06c89c2b38c1dfa70b4f799f8824bdba400d74e7a3a4f7cca8d65ab96d25e584476c83eeab68d2f0149fba491f5b687

Download Submit
\??\c:\Windows\System32\CSC56804A33F99F499FA4EF16D24DB262C4.TMP

Filesize
1KB

MD5
26edbf31c0871483b6179cb006139748

SHA1
e869f7c876415b6de9860173e122b8fc22a0e22a

SHA256
2e6494765b42c52e7188af55f1eb0f23add6bf284e1d67f08b000330d4d71e1f

SHA512
9a22376c9c6eeacfb42a96570ed09ce8aa315112bdc6e3098956df90b2ef80ffef2a8671472d807ac17b611f71126c73eeb2bd680f9ff55be47bef3d281eac47

Download Submit
memory/1676-58-0x000002DBF1050000-0x000002DBF1072000-memory.dmp

Filesize
136KB

Download
memory/3624-15-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-14-0x00000000032A0000-0x00000000032AC000-memory.dmp

Filesize
48KB

Download
memory/3624-22-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-21-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-20-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-19-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-9-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-59-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-0-0x00007FF8A23E3000-0x00007FF8A23E5000-memory.dmp

Filesize
8KB

Download
memory/3624-12-0x00000000032E0000-0x00000000032F8000-memory.dmp

Filesize
96KB

Download
memory/3624-10-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/3624-8-0x00000000032C0000-0x00000000032DC000-memory.dmp

Filesize
112KB

Download
memory/3624-6-0x0000000003290000-0x000000000329E000-memory.dmp

Filesize
56KB

Download
memory/3624-4-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-3-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-2-0x00007FF8A23E0000-0x00007FF8A2EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-1-0x0000000000D80000-0x0000000000F5C000-memory.dmp

Filesize
1.9MB

Download