a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Size

1.9MB
MD5

60209ecdf6f883b16c0389e75e45f472
SHA1

ba05313040467c1d64f9dc323cbc899fed88b505
SHA256

be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c
SHA512

fb8342e9418e4b77a061491d58088c4a5176e76c6708c65731371d769a68ae579872c57eb92818852b88cd2194d0ef160f3a2f1842a58f911a593d899cbf0f34
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3008	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3008	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
2804	powershell.exe
2812	powershell.exe
1112	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Executes dropped EXE 11 IoCs

pid	Process
1856	spoolsv.exe
1648	spoolsv.exe
2348	spoolsv.exe
664	spoolsv.exe
2952	spoolsv.exe
1700	spoolsv.exe
1064	spoolsv.exe
756	spoolsv.exe
480	spoolsv.exe
1980	spoolsv.exe
2120	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\spoolsv.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File created	C:\Program Files\Windows Journal\f3b6ecef712a24	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files\Windows Journal\RCXBAEA.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files\Windows Journal\RCXBAEB.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files\Windows Journal\spoolsv.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
1652	schtasks.exe
3020	schtasks.exe
2552	schtasks.exe
2612	schtasks.exe
2760	schtasks.exe
2728	schtasks.exe
2852	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
2832	powershell.exe
2812	powershell.exe
1112	powershell.exe
2804	powershell.exe
1856	spoolsv.exe
1648	spoolsv.exe
2348	spoolsv.exe
664	spoolsv.exe
2952	spoolsv.exe
1700	spoolsv.exe
1064	spoolsv.exe
756	spoolsv.exe
480	spoolsv.exe
1980	spoolsv.exe
2120	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1856	spoolsv.exe
Token: SeDebugPrivilege	1648	spoolsv.exe
Token: SeDebugPrivilege	2348	spoolsv.exe
Token: SeDebugPrivilege	664	spoolsv.exe
Token: SeDebugPrivilege	2952	spoolsv.exe
Token: SeDebugPrivilege	1700	spoolsv.exe
Token: SeDebugPrivilege	1064	spoolsv.exe
Token: SeDebugPrivilege	756	spoolsv.exe
Token: SeDebugPrivilege	480	spoolsv.exe
Token: SeDebugPrivilege	1980	spoolsv.exe
Token: SeDebugPrivilege	2120	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1112	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	40
PID 2668 wrote to memory of 1112	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	40
PID 2668 wrote to memory of 1112	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	40
PID 2668 wrote to memory of 2832	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	41
PID 2668 wrote to memory of 2832	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	41
PID 2668 wrote to memory of 2832	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	41
PID 2668 wrote to memory of 2812	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	42
PID 2668 wrote to memory of 2812	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	42
PID 2668 wrote to memory of 2812	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	42
PID 2668 wrote to memory of 2804	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	43
PID 2668 wrote to memory of 2804	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	43
PID 2668 wrote to memory of 2804	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	43
PID 2668 wrote to memory of 1632	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	48
PID 2668 wrote to memory of 1632	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	48
PID 2668 wrote to memory of 1632	2668	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	48
PID 1632 wrote to memory of 2152	1632	cmd.exe	50
PID 1632 wrote to memory of 2152	1632	cmd.exe	50
PID 1632 wrote to memory of 2152	1632	cmd.exe	50
PID 1632 wrote to memory of 1856	1632	cmd.exe	52
PID 1632 wrote to memory of 1856	1632	cmd.exe	52
PID 1632 wrote to memory of 1856	1632	cmd.exe	52
PID 1856 wrote to memory of 2828	1856	spoolsv.exe	53
PID 1856 wrote to memory of 2828	1856	spoolsv.exe	53
PID 1856 wrote to memory of 2828	1856	spoolsv.exe	53
PID 1856 wrote to memory of 1576	1856	spoolsv.exe	54
PID 1856 wrote to memory of 1576	1856	spoolsv.exe	54
PID 1856 wrote to memory of 1576	1856	spoolsv.exe	54
PID 2828 wrote to memory of 1648	2828	WScript.exe	55
PID 2828 wrote to memory of 1648	2828	WScript.exe	55
PID 2828 wrote to memory of 1648	2828	WScript.exe	55
PID 1648 wrote to memory of 1592	1648	spoolsv.exe	56
PID 1648 wrote to memory of 1592	1648	spoolsv.exe	56
PID 1648 wrote to memory of 1592	1648	spoolsv.exe	56
PID 1648 wrote to memory of 2372	1648	spoolsv.exe	57
PID 1648 wrote to memory of 2372	1648	spoolsv.exe	57
PID 1648 wrote to memory of 2372	1648	spoolsv.exe	57
PID 1592 wrote to memory of 2348	1592	WScript.exe	58
PID 1592 wrote to memory of 2348	1592	WScript.exe	58
PID 1592 wrote to memory of 2348	1592	WScript.exe	58
PID 2348 wrote to memory of 2604	2348	spoolsv.exe	59
PID 2348 wrote to memory of 2604	2348	spoolsv.exe	59
PID 2348 wrote to memory of 2604	2348	spoolsv.exe	59
PID 2348 wrote to memory of 2216	2348	spoolsv.exe	60
PID 2348 wrote to memory of 2216	2348	spoolsv.exe	60
PID 2348 wrote to memory of 2216	2348	spoolsv.exe	60
PID 2604 wrote to memory of 664	2604	WScript.exe	61
PID 2604 wrote to memory of 664	2604	WScript.exe	61
PID 2604 wrote to memory of 664	2604	WScript.exe	61
PID 664 wrote to memory of 2944	664	spoolsv.exe	62
PID 664 wrote to memory of 2944	664	spoolsv.exe	62
PID 664 wrote to memory of 2944	664	spoolsv.exe	62
PID 664 wrote to memory of 2656	664	spoolsv.exe	63
PID 664 wrote to memory of 2656	664	spoolsv.exe	63
PID 664 wrote to memory of 2656	664	spoolsv.exe	63
PID 2944 wrote to memory of 2952	2944	WScript.exe	64
PID 2944 wrote to memory of 2952	2944	WScript.exe	64
PID 2944 wrote to memory of 2952	2944	WScript.exe	64
PID 2952 wrote to memory of 2252	2952	spoolsv.exe	65
PID 2952 wrote to memory of 2252	2952	spoolsv.exe	65
PID 2952 wrote to memory of 2252	2952	spoolsv.exe	65
PID 2952 wrote to memory of 2296	2952	spoolsv.exe	66
PID 2952 wrote to memory of 2296	2952	spoolsv.exe	66
PID 2952 wrote to memory of 2296	2952	spoolsv.exe	66
PID 2252 wrote to memory of 1700	2252	WScript.exe	67

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
"C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rt5iKPoEbU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2152
- - C:\Program Files\Windows Journal\spoolsv.exe
    "C:\Program Files\Windows Journal\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9db3959d-fc5e-457d-89c9-8269a902235a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36620ce5-3f23-4de0-ba85-39b11d43b3e7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47550f2e-98da-4e26-b430-1a85723cb390.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982e1598-b602-4634-ac08-07e0c1b7d66e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22f48f61-d23b-4a31-a638-4e009f8704c5.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b24a786a-9505-4621-9a73-c0b60ccd21bd.vbs"
        14⤵
        
        PID:2540
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2a5d767-a539-41eb-acb2-fb3cb4dfbd6e.vbs"
        16⤵
        
        PID:2396
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcc75499-a9cf-4120-b896-31054a482967.vbs"
        18⤵
        
        PID:2956
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af753c23-47f1-488c-b4f3-075bbd637987.vbs"
        20⤵
        
        PID:2004
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9104a9-be94-4891-a948-5a1b19b795fa.vbs"
        22⤵
        
        PID:2280
        
        C:\Program Files\Windows Journal\spoolsv.exe
        
        "C:\Program Files\Windows Journal\spoolsv.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a27425a8-1771-426c-82fa-1a5ef9a4aae8.vbs"
        24⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccc34cd7-4c50-4249-bd80-b48573549a5b.vbs"
        24⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d727b8ef-c5af-4e56-b8e0-7b036478c166.vbs"
        22⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1cc4380-0713-45f8-8213-98dea78fe6d4.vbs"
        20⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b5309b-89e3-49af-94fa-7fa5db5fd675.vbs"
        18⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16fd4cc8-d5a9-4796-83bd-da2dae671f9a.vbs"
        16⤵
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ef08d24-ad67-42ec-9cfa-4d54f3b2f877.vbs"
        14⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37b6b995-9375-4af5-ad67-32808a1d0058.vbs"
        12⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cac3cf9-77fe-4b45-8c51-70fe45486b72.vbs"
        10⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3792aa3a-555f-42fe-b37f-e033c1349abf.vbs"
        8⤵
        
        PID:2216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e118f90-93c9-4a2b-8faa-994a5dd55ba5.vbs"
        6⤵
        
        PID:2372
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\025f6436-ef25-4915-a4f3-5af49394ea19.vbs"
      4⤵
      PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21cb" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21cb" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Filesize
1.9MB

MD5
71ea3dac304f14e67c1a79f16ee4041c

SHA1
281c262459f9a4d72179b56a0593663b95918492

SHA256
c373d10fc9aec04ceeda6e2dac17723cdd6ff08d24e29c365e6e10282f76ca24

SHA512
2755da1b424bf0498bf50bd49d040728eed04de6c8a394207d7bec2d93d5206dad1f5c089a6b5f33d5cb47547eb5236b76f839066c783ae8a6d0a3e021aa0687

Download Submit
C:\Users\Admin\AppData\Local\Temp\025f6436-ef25-4915-a4f3-5af49394ea19.vbs

Filesize
496B

MD5
59c8800e055988c71d02120150ebf2b2

SHA1
33c00e136475388c1d0343da3286345b8f2741c5

SHA256
c9c9b6faad706881dae1c27a63f34af8f0a7ff89cd114abf399297250a23faba

SHA512
ba518c77c44f1744c5da465e6be0bd19535446432ab0a6eb25e3eb664e1a2dccb2a1821b73a1d44e69e0f2fc5e1767575d24c7cbb127fd30e1de6a934f6ffde4

Download Submit
C:\Users\Admin\AppData\Local\Temp\22f48f61-d23b-4a31-a638-4e009f8704c5.vbs

Filesize
720B

MD5
4d95690dd205c47acb9e565a636e4ac7

SHA1
76a01ad1b9b95d5d95c88280287104ec50b44b08

SHA256
f97d1ec031321466dbde13a698b0e819efe93073dc5398960008331c21a48dfd

SHA512
736fc58fdcd028f61f4be1e19c5c6a1273a3d3d7acd477b1f0b67efd1e3c99defd4f55b13130910fffe651bdb760524db6ebdf0f58790e587813756b790af66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36620ce5-3f23-4de0-ba85-39b11d43b3e7.vbs

Filesize
720B

MD5
774b3c46c15ff03efd89190eb1cd9bf6

SHA1
d00da1cc44af4431f8f3aebc74a28b80186e56e1

SHA256
9ba23cdb680fef7a7ceb515f4b0f0fa536963b4bb2f2cf717959926be4956d03

SHA512
ce6a20b372e52c695217b6e756bb8e299209476eb2797eaa6239a7ad6ad218040e6087bb460e96e9a0bfa32633de98f942591c0ceae065fc759511642b92bb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\47550f2e-98da-4e26-b430-1a85723cb390.vbs

Filesize
720B

MD5
a1535667828dbb45bda21a4a71d0deba

SHA1
68d8bf3c086e01cadeabd84e3cc33b81d3969ffb

SHA256
b067a60882a247a6b929bf72eec05307937b4d31acb48986c7c5c60275dc2966

SHA512
e7cb2e8bb43aba6234a3e3ca5e95e615f90805aa09dd5f36f94c898e194f4b10f02efee0b9c80236ab58a0ab8358a1662b9c12c2d949912cb53dcd593f3ec447

Download Submit
C:\Users\Admin\AppData\Local\Temp\982e1598-b602-4634-ac08-07e0c1b7d66e.vbs

Filesize
719B

MD5
e0beb60e4461fae26cf5734d43db7eb7

SHA1
d9f7e1ee49170b318196c65a39c60a08cecabac9

SHA256
462af11403f3bb4cfcd1010f5527b91af6fa575bc185430391a3cffb66b4a571

SHA512
fd38c39ba1637e19561eedd6f5b387508009f294e58750a1ed225f875fed62de51cb324f08012a47c00b64961b32da7f2cb23fc4718fc9f302a2abc9f7ad5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\9db3959d-fc5e-457d-89c9-8269a902235a.vbs

Filesize
720B

MD5
b277a0e1252ab2c4442a4fcd63508819

SHA1
22124690eab9c8a79b40bb6d2d875d4945348827

SHA256
225cc417118edbe0244c357b2eeeb3b278a0e2f3279c8bfc35ce0fb5805553e8

SHA512
0c8aae86563d84d60ebcfa82adbea38fb7fb7c106577786672b184ee733bebc3d260f8a312dc3440ac1eac0ce3cdafbe8e4b638c80850f0da05a6df92dde55eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXB665.tmp

Filesize
1.9MB

MD5
60209ecdf6f883b16c0389e75e45f472

SHA1
ba05313040467c1d64f9dc323cbc899fed88b505

SHA256
be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c

SHA512
fb8342e9418e4b77a061491d58088c4a5176e76c6708c65731371d769a68ae579872c57eb92818852b88cd2194d0ef160f3a2f1842a58f911a593d899cbf0f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\a27425a8-1771-426c-82fa-1a5ef9a4aae8.vbs

Filesize
720B

MD5
9132aad825c523ca5ad3aea47151c82b

SHA1
d555f7f3f7594361e3be51f5625b9f0c61b3468c

SHA256
91a7b194848037d44d6c4434ee2a25951866b60a253cd236920d3f68eea41d55

SHA512
6b063a6bea6bffe10cc35e13c38e9336c83b481d3b25eafc254169a38d3a7fc2091223a0cc05e0471e1efff35fb9849526f5056fc452e7c07e4a6aa51e3a3a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\af753c23-47f1-488c-b4f3-075bbd637987.vbs

Filesize
719B

MD5
8f8c0453abb59a903c455031d3564d63

SHA1
66531e161e78a0721c1804738113caeef064ce30

SHA256
43794ff1b657653a7f4cb5bbf9cd8a3cdcf4a96dc4dc2ecfac5f8ea37d6ac15c

SHA512
8fd19b37dc876a36e31f626d52497d60bf3e0a014c91691627b9a519d8421305bbb47d165264f11d3664317ac3d8393ffac92f04756bd10ed365b9aaad1d3d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b24a786a-9505-4621-9a73-c0b60ccd21bd.vbs

Filesize
720B

MD5
124e2d3638f38e34d6dfb429ff7e9b07

SHA1
050790f8c3991a465230711d29d8882d1de645ab

SHA256
151060b29924ff997f8ed1e0df5025fb46bf1bf97310b000a4b06b693c62fd49

SHA512
a454dc482285621d8a4c4be0dd5b47be24afadfb3f1d568e41e2d289b2865a83057ed6a0311550e9d00b3b9a3a778c2301dc951250a0849b581a4b7117485d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcc75499-a9cf-4120-b896-31054a482967.vbs

Filesize
719B

MD5
215ab100ff1b32e6adf7688a65e9cdf5

SHA1
1050ac58756fe658bb53adf30325736f066ef977

SHA256
65e4823d518d4c278df003d07096b756b98d53c7a92255d747bbc00de0a0a159

SHA512
c877ea3abb203ace3dfeebc16795374edca5249736f54fb216bb69c7000fad0a6d85135e20754b684f8e66d6e594afe8ae1b76cb0e067c027e17cc044892ca24

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2a5d767-a539-41eb-acb2-fb3cb4dfbd6e.vbs

Filesize
720B

MD5
d7560c3fef3a0d2e234dc47068610941

SHA1
bbb54ec33cd3e95a39466d553ca46c6bedbc3e94

SHA256
f695dc027bf5898f5c2ee9f045bfae51be745a757d66f07dbbdfd3af14453a4a

SHA512
778a65abdbfac1928836caa725a12316cfd951d95aef225bac811e987c3fb972bf1d6091546b85976a7b0616848c51bd49dd7c4bdb7155e747a87e041b2769dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9104a9-be94-4891-a948-5a1b19b795fa.vbs

Filesize
720B

MD5
1c199be95fae231eb09bfcaad32b4cdb

SHA1
c35384d34ad7e9b3c1045a02c22b82f35c55b492

SHA256
3a0fbd6bdd40e2b91edc84c651a1c941968077f9d18458b7bf4a1f7144d5f88f

SHA512
fc025d60314e0e7960e958bfdf0ff034150a0d608046d2498d2b40355538b062012247ea04428c29b2c43185db3bda4b9791740c19b9c5b1a18d8508bfe55183

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt5iKPoEbU.bat

Filesize
209B

MD5
6342b6a233bb4ae45ed566d2bbdff727

SHA1
f7f9adb09112e85430c379680921f42291d980da

SHA256
375cc3b73f45f622cc65f0a569063e7db67400be3cdd3e15fcd0faf38895ad57

SHA512
884e19e11370295535051f8af6a06e95fd01254e95fd83e8a886c137f337e1d3f86f05ec7be42d6a978ecac38ed249d1d5e1e1eb544de58bda52f46aa03b75f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
501e8697937b6a010552ff1f87cf8746

SHA1
a3b2ac9dfb24411c025f9a6ff6dd710341830a8c

SHA256
c37f0aea74537f0236985e945599e15c5e5c09a704ff172c1fda90a74252c006

SHA512
5c6c041432c942a1e5aac1f290818fc6ea460204fb2a1d8b27096a63850bc1743b614b66badf2d791d3c6c1981d2a01f6ca0a6b98521b1d9c43491a5dba49574

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\taskhost.exe

Filesize
1.9MB

MD5
93117022341808ed0252194fcfeccaa5

SHA1
f92c2649568d033ebdb8626b0e6f85f370e9b819

SHA256
c946e6f016296c31cdde6bb6c057dc642d03bbec397972af15a0eb4263e5650b

SHA512
ad59775c9552b29a2e79cb2ed156ce1221dd8f86d8f512ef2e6d030c5ac93e89b32a374669873fe56a38709366403c883ca6495b9d63a62bfa5b55f43146df31

Download Submit
memory/480-190-0x00000000009D0000-0x0000000000BBA000-memory.dmp

Filesize
1.9MB

Download
memory/664-128-0x0000000000330000-0x000000000051A000-memory.dmp

Filesize
1.9MB

Download
memory/756-176-0x00000000003C0000-0x00000000005AA000-memory.dmp

Filesize
1.9MB

Download
memory/756-177-0x0000000000620000-0x0000000000676000-memory.dmp

Filesize
344KB

Download
memory/756-178-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1064-164-0x00000000008F0000-0x0000000000ADA000-memory.dmp

Filesize
1.9MB

Download
memory/1648-105-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1700-152-0x00000000002A0000-0x000000000048A000-memory.dmp

Filesize
1.9MB

Download
memory/1856-94-0x0000000001250000-0x000000000143A000-memory.dmp

Filesize
1.9MB

Download
memory/2120-213-0x0000000000EE0000-0x00000000010CA000-memory.dmp

Filesize
1.9MB

Download
memory/2120-214-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download
memory/2668-13-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2668-6-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/2668-1-0x0000000000FA0000-0x000000000118A000-memory.dmp

Filesize
1.9MB

Download
memory/2668-78-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-18-0x000000001AD20000-0x000000001AD2C000-memory.dmp

Filesize
48KB

Download
memory/2668-17-0x000000001AD10000-0x000000001AD1C000-memory.dmp

Filesize
48KB

Download
memory/2668-2-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-16-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/2668-15-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/2668-14-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/2668-0-0x000007FEF6113000-0x000007FEF6114000-memory.dmp

Filesize
4KB

Download
memory/2668-12-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2668-10-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2668-9-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2668-8-0x000000001ACC0000-0x000000001AD16000-memory.dmp

Filesize
344KB

Download
memory/2668-7-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2668-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2668-5-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/2668-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2832-90-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2832-79-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2952-140-0x0000000000D50000-0x0000000000F3A000-memory.dmp

Filesize
1.9MB

Download