a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
133s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Size

1.9MB
MD5

60209ecdf6f883b16c0389e75e45f472
SHA1

ba05313040467c1d64f9dc323cbc899fed88b505
SHA256

be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c
SHA512

fb8342e9418e4b77a061491d58088c4a5176e76c6708c65731371d769a68ae579872c57eb92818852b88cd2194d0ef160f3a2f1842a58f911a593d899cbf0f34
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4760	schtasks.exe	87

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6060	powershell.exe
5864	powershell.exe
1604	powershell.exe
2452	powershell.exe
3372	powershell.exe
3196	powershell.exe
3388	powershell.exe
1972	powershell.exe
2068	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 9 IoCs

pid	Process
2136	System.exe
5268	System.exe
1528	System.exe
4048	System.exe
3196	System.exe
5420	System.exe
5312	System.exe
976	System.exe
4936	System.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB63D.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File created	C:\Program Files (x86)\Google\Update\smss.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXA8B6.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCXB63C.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\smss.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File created	C:\Program Files (x86)\Google\Update\69ddcba757bf72	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\69ddcba757bf72	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXA838.tmp	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\EventLog\Data\System.exe	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4664	schtasks.exe
4640	schtasks.exe
5708	schtasks.exe
2516	schtasks.exe
2912	schtasks.exe
2136	schtasks.exe
4916	schtasks.exe
4880	schtasks.exe
4952	schtasks.exe
2020	schtasks.exe
4900	schtasks.exe
4896	schtasks.exe
4748	schtasks.exe
4600	schtasks.exe
4772	schtasks.exe
4856	schtasks.exe
4800	schtasks.exe
4692	schtasks.exe
3432	schtasks.exe
5700	schtasks.exe
4520	schtasks.exe
4728	schtasks.exe
3576	schtasks.exe
5488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
2452	powershell.exe
2452	powershell.exe
5864	powershell.exe
5864	powershell.exe
6060	powershell.exe
6060	powershell.exe
1972	powershell.exe
1972	powershell.exe
1604	powershell.exe
1604	powershell.exe
3372	powershell.exe
3372	powershell.exe
3388	powershell.exe
3388	powershell.exe
2068	powershell.exe
2068	powershell.exe
3196	powershell.exe
3196	powershell.exe
2452	powershell.exe
2068	powershell.exe
6060	powershell.exe
1972	powershell.exe
5864	powershell.exe
3372	powershell.exe
1604	powershell.exe
3388	powershell.exe
3196	powershell.exe
2136	System.exe
5268	System.exe
1528	System.exe
1528	System.exe
4048	System.exe
3196	System.exe
5420	System.exe
5312	System.exe
976	System.exe
4936	System.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	6060	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2136	System.exe
Token: SeDebugPrivilege	5268	System.exe
Token: SeDebugPrivilege	1528	System.exe
Token: SeDebugPrivilege	4048	System.exe
Token: SeDebugPrivilege	3196	System.exe
Token: SeDebugPrivilege	5420	System.exe
Token: SeDebugPrivilege	5312	System.exe
Token: SeDebugPrivilege	976	System.exe
Token: SeDebugPrivilege	4936	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5788 wrote to memory of 5864	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	116
PID 5788 wrote to memory of 5864	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	116
PID 5788 wrote to memory of 1604	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	117
PID 5788 wrote to memory of 1604	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	117
PID 5788 wrote to memory of 2452	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	118
PID 5788 wrote to memory of 2452	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	118
PID 5788 wrote to memory of 2068	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	119
PID 5788 wrote to memory of 2068	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	119
PID 5788 wrote to memory of 1972	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	120
PID 5788 wrote to memory of 1972	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	120
PID 5788 wrote to memory of 3388	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	121
PID 5788 wrote to memory of 3388	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	121
PID 5788 wrote to memory of 6060	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	123
PID 5788 wrote to memory of 6060	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	123
PID 5788 wrote to memory of 3196	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	124
PID 5788 wrote to memory of 3196	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	124
PID 5788 wrote to memory of 3372	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	126
PID 5788 wrote to memory of 3372	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	126
PID 5788 wrote to memory of 3124	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	134
PID 5788 wrote to memory of 3124	5788	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe	134
PID 3124 wrote to memory of 5780	3124	cmd.exe	136
PID 3124 wrote to memory of 5780	3124	cmd.exe	136
PID 3124 wrote to memory of 2136	3124	cmd.exe	139
PID 3124 wrote to memory of 2136	3124	cmd.exe	139
PID 2136 wrote to memory of 1492	2136	System.exe	140
PID 2136 wrote to memory of 1492	2136	System.exe	140
PID 2136 wrote to memory of 1008	2136	System.exe	141
PID 2136 wrote to memory of 1008	2136	System.exe	141
PID 1492 wrote to memory of 5268	1492	WScript.exe	142
PID 1492 wrote to memory of 5268	1492	WScript.exe	142
PID 5268 wrote to memory of 5236	5268	System.exe	143
PID 5268 wrote to memory of 5236	5268	System.exe	143
PID 5268 wrote to memory of 4552	5268	System.exe	144
PID 5268 wrote to memory of 4552	5268	System.exe	144
PID 5236 wrote to memory of 1528	5236	WScript.exe	152
PID 5236 wrote to memory of 1528	5236	WScript.exe	152
PID 1528 wrote to memory of 5464	1528	System.exe	153
PID 1528 wrote to memory of 5464	1528	System.exe	153
PID 1528 wrote to memory of 5576	1528	System.exe	155
PID 1528 wrote to memory of 5576	1528	System.exe	155
PID 5464 wrote to memory of 4048	5464	WScript.exe	156
PID 5464 wrote to memory of 4048	5464	WScript.exe	156
PID 4048 wrote to memory of 5864	4048	System.exe	157
PID 4048 wrote to memory of 5864	4048	System.exe	157
PID 4048 wrote to memory of 4408	4048	System.exe	158
PID 4048 wrote to memory of 4408	4048	System.exe	158
PID 5864 wrote to memory of 3196	5864	WScript.exe	159
PID 5864 wrote to memory of 3196	5864	WScript.exe	159
PID 3196 wrote to memory of 5244	3196	System.exe	160
PID 3196 wrote to memory of 5244	3196	System.exe	160
PID 3196 wrote to memory of 3984	3196	System.exe	161
PID 3196 wrote to memory of 3984	3196	System.exe	161
PID 5244 wrote to memory of 5420	5244	WScript.exe	163
PID 5244 wrote to memory of 5420	5244	WScript.exe	163
PID 5420 wrote to memory of 6140	5420	System.exe	164
PID 5420 wrote to memory of 6140	5420	System.exe	164
PID 5420 wrote to memory of 4524	5420	System.exe	165
PID 5420 wrote to memory of 4524	5420	System.exe	165
PID 6140 wrote to memory of 5312	6140	WScript.exe	166
PID 6140 wrote to memory of 5312	6140	WScript.exe	166
PID 5312 wrote to memory of 5024	5312	System.exe	167
PID 5312 wrote to memory of 5024	5312	System.exe	167
PID 5312 wrote to memory of 2184	5312	System.exe	168
PID 5312 wrote to memory of 2184	5312	System.exe	168

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe
"C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LE6azoiwXE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5780
- - C:\Users\Default\Documents\My Videos\System.exe
    "C:\Users\Default\Documents\My Videos\System.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2136
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd202f08-8eca-4a11-826f-d1eb175f9ea2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba51adb-3080-4b25-a9ae-0a08ecc70e53.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5236
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2eb9392-ecd8-4548-b8a5-a5c019794120.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5464
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fbc087-cc17-4807-885a-f82c763e57c8.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5864
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\700acb5b-cf6b-44a2-8112-46a7d5214738.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5244
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\365429fa-b53f-4d4d-9f55-59b55485dfb5.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:6140
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a64b57e9-5972-4518-b07b-434db30b8d97.vbs"
        16⤵
        
        PID:5024
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5757272-7993-4fb4-940b-03396d268844.vbs"
        18⤵
        
        PID:3144
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\173eee22-1605-4c86-ac93-4b957b835364.vbs"
        20⤵
        
        PID:5700
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        21⤵
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afee6430-48da-4e7b-8ae5-474af00b1305.vbs"
        22⤵
        
        PID:4632
        
        C:\Users\Default\Documents\My Videos\System.exe
        
        "C:\Users\Default\Documents\My Videos\System.exe"
        23⤵
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ad2470b-11e2-48c8-bba1-36f6bd038654.vbs"
        24⤵
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5445cd6-519b-4f1b-859f-037daced02c7.vbs"
        24⤵
        
        PID:3628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef209a96-e39c-476a-8957-14e68d3e4f20.vbs"
        22⤵
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c1d9798-e524-4a62-a16f-6cd3d050fd43.vbs"
        20⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75608935-417b-4d9c-a6c6-9eb8720fb234.vbs"
        18⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1800ae6c-4a1a-400f-a556-b59cdb46b4f7.vbs"
        16⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be1bd81-56c6-4e6c-b091-41ec12b34e2c.vbs"
        14⤵
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33ab466e-e999-4144-bef7-8318d8a8a061.vbs"
        12⤵
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b59f9f6-ae4d-4049-981c-fa3cb1b7cef7.vbs"
        10⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14723ed2-ce7a-4bae-8080-db45e426996b.vbs"
        8⤵
        
        PID:5576
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75315bb8-ab4a-480a-b328-e36cc47d861f.vbs"
        6⤵
        
        PID:4552
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b9bf10d-59a0-414d-8994-562d0a8277ae.vbs"
      4⤵
      PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\smss.exe

Filesize
1.9MB

MD5
65272a946f6182cad3b70be91c9bb4af

SHA1
41f5ab8bf38ec5b0c39bbc0a284e9207dddedfc5

SHA256
9435da45d95ebbf1e65866608fc42da708e5f2e331801df5b7bafa8b3c92fbcc

SHA512
228633d504cde609fac159aa3cc150274904be73b2dc5f129a0aec66636f8b990cd945cbbd523c3ee8d51b8f43cf0a4317a5402bff82faad2f81a26296248de8

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Registry.exe

Filesize
1.9MB

MD5
60209ecdf6f883b16c0389e75e45f472

SHA1
ba05313040467c1d64f9dc323cbc899fed88b505

SHA256
be01d2552c64422f1b97721af2e07451309244c21e464bbe47b603043d95b21c

SHA512
fb8342e9418e4b77a061491d58088c4a5176e76c6708c65731371d769a68ae579872c57eb92818852b88cd2194d0ef160f3a2f1842a58f911a593d899cbf0f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44ae12563d9f97ac1136baee629673df

SHA1
38790549497302c43bd3ff6c5225e8c7054829e2

SHA256
b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb

SHA512
07cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ff4a967012d041f24f777799e626cce4

SHA1
cd1d31edfe04a9b39f8b2732376ba466c8a66346

SHA256
2bb6758e5d9612b5d554149ea754704ae992db5f1848a060f50e08ffbfc85d4e

SHA512
45a214acf08c71fbc4946a624d1ff4d95f08c508bd157990447addd9556c75dbba2dfd41c42cd22c14f0dd92b2685775bb04b8c561d34d793564e07edc922421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb796de20c8360e1e53623d78696e8a

SHA1
52e20d1bb718b5e04290816c3c740d8f89265bcb

SHA256
cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

SHA512
2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\173eee22-1605-4c86-ac93-4b957b835364.vbs

Filesize
723B

MD5
754a524af23c0f2ed4c64d7543d03967

SHA1
7c67b58934cf94f5567035a771a6dcfac36aef93

SHA256
b7ebdfcbf5c756d30a949d56492c67518813994221362d67e39e9f7d09259c7e

SHA512
c7bca40a4fa29f4973448883b5dd7bfdf98b35c811a7136e9e4fccde7acb0ac1311d9177ed2abfdefa09651c92a8ed83bd4f345c4a92f6646b1c35b48a261dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\365429fa-b53f-4d4d-9f55-59b55485dfb5.vbs

Filesize
723B

MD5
3a19d5b4e471ec5768cdd069049ba040

SHA1
b782888dc7357972e4f2bc8e67c3489e639359de

SHA256
92abbabe5b23c6204ca59ba3057fde01564404195046b292db626cf7cd6b2a82

SHA512
ed70528f5bd9c67a362f769fc291257e09bf7dcc1a26363c83a7ebbac4258a830bad574efd66b4973ebcef7a14713ad3996fedda6af532a0741c03d7625306ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ad2470b-11e2-48c8-bba1-36f6bd038654.vbs

Filesize
722B

MD5
6ef945afa9cc6332a9f931b2b5a2539f

SHA1
4a30b351f123eefe678ce7757288363d5e0bb793

SHA256
674a1a74cd1a0a8f0b2ead2af211b29351d18a72d4b462a91fed33cc1385b18c

SHA512
4ac09b116eff41d5d55c75bd007e7a866c93db4a509592f6f39b84346c7e8d8738ff13ed2df27dd65ee2b61d5f6241e10930e9156c89c3e14e8e0c5acfdaffe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b9bf10d-59a0-414d-8994-562d0a8277ae.vbs

Filesize
499B

MD5
2b23a542df47e74b37ff5b23e4e2394a

SHA1
c4a3baf2d070f04fedcf77405a344407261b58bf

SHA256
68be58e021d1ee034250b5111a23b30dc030d10df40d3079e2b3eaea1c0ab847

SHA512
97cd8036d1f7b342ee52f41916a29e097ce2305da3b9a485f7ba69b40d90a2698e46b59b740e37e447c05b7dbb5c77716d8a22557a920ab89cd4b7e99478dd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\700acb5b-cf6b-44a2-8112-46a7d5214738.vbs

Filesize
723B

MD5
74b939464eb48a41ddaf7613e1ea9fd3

SHA1
cc5c5b5a21c8d62f4ee8fd261dd6d947e188ac03

SHA256
66e389fd95358734d0cb11478655dc118bb00ff3de306f030c01e1513d260223

SHA512
ed731543433c25e2250db3c2fc985a8ee3028a7ea661005ee6fb24adcd250ebbdb30915223ae8694b8e7d031c6b7a4be1d7f6293c3cf536f121eba7f51b36cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8499234c4caf13bb1dea353e8c8040441e0baf33.exe

Filesize
528KB

MD5
89cb85db07176d6677fee3f3217cb4d5

SHA1
9ad3fb6315348cfa8b596549d75441f8120d5a1f

SHA256
da2db35db385f625234b380851617b1ef58e7cf0616fb458a4258abd62920951

SHA512
0b1b77d7f60745f06aa1d3033ddb574906f8aa8b572292da2b89783b2c93a3b360117d36ce652466ff70694825f56f48c854c5b8be876699b7216d3ef0e80a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ba51adb-3080-4b25-a9ae-0a08ecc70e53.vbs

Filesize
723B

MD5
a3d184cb8bef3f8b16276f791d57f850

SHA1
21b9e924cf34cbfc0710a954cf135bdd0d5718c2

SHA256
7f831bfd757f800fdc6b27e579f115d541ab02e48f64b75dd702f3316f8f8e96

SHA512
69bfed0a8f0d84723d84c1f0e53717321992c0e3f8033fdde2357898337ba806db54bba6ab8c834460885f6cf4872c2996e788e8d2a3fd9e610c56c4b3c2d6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LE6azoiwXE.bat

Filesize
212B

MD5
ff92376e2d327d50d3ef6c289f393f0a

SHA1
c88697a63224ad2ad683f68703f3c2f8ebf063af

SHA256
505d7ff5fe1ec8b9573253a06b5009c9110b75f99b8fa638f95f1f512cf4096f

SHA512
389f8f3fcb81a3ccb7408675ea75b671c4ed796fd9726aa32cf7db27d43a7f27487f24e97163ca9b4ee05b59062e9a65208a1c66c649885c38ba9348a18024f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5rccvu3.2tv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5757272-7993-4fb4-940b-03396d268844.vbs

Filesize
722B

MD5
7acf0a73598e0f988ccabc3c908181bd

SHA1
5c990772ee60865fb81a0caa5ac2742aba5acf18

SHA256
9a71427e73825529b9a1c519b42e8df9cd656edf977737e9d40322185903a64d

SHA512
0cc93af26bdd0426d7d6edca18e89bc3627e002967219d7b7732e5d8e71e35ff51fdf4cbed53a4661c41a35fb8379da9136e71ece2cbb2aa72de66efd3efd201

Download Submit
C:\Users\Admin\AppData\Local\Temp\a64b57e9-5972-4518-b07b-434db30b8d97.vbs

Filesize
723B

MD5
b1762fad4ded14f9b50aa27adc5b87a1

SHA1
0ec8a509e8627bccec7c4961a9b059ad6e529054

SHA256
d96eb833e54c65ea2c8ef156f9569f09de0f8654ac60fd0f0408ae68989e91bd

SHA512
cd791f8601041f39aa225bbcffe5578c87ab4c3a9bc415a63e01eb771d7f3f57a99f34149f6652fe6be180a56928ac953160a664ceb47c8adde0eac96bb2a282

Download Submit
C:\Users\Admin\AppData\Local\Temp\afee6430-48da-4e7b-8ae5-474af00b1305.vbs

Filesize
723B

MD5
61da6741ed4d59c8847c6a9d3d0358ec

SHA1
9d02a6567bccd72a959e09b2b7f34ddd4a511581

SHA256
dc72d5be46f16bbb342636f896c1d8f96866d847d94df628580e07e1cdd0aa34

SHA512
3905590a64770e8e8d9983ff25a392f6977e724f3c8962dc29acbf5f84f1f789c3f54e19c71b7ffa3faaa9fc83402b74025e4a273286aeaff9876587a157eaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9fbc087-cc17-4807-885a-f82c763e57c8.vbs

Filesize
723B

MD5
3b1c74a857fc66718f7076c400baf7bc

SHA1
f04b81474e4d2d3b6952b5add1f00304166670a3

SHA256
97f4f3f098cbcb7d10d91b541303e6eac35febfeb2655d5656dd863960cfb013

SHA512
62a84ed68987b7a89f1b9a8228e66e7a962bb462ac932713cbe3a6985ee1a1ea0a11508eb7991c140610b0d4b46341f3e5d0e41973d6b990dbecd3d19ce49a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2eb9392-ecd8-4548-b8a5-a5c019794120.vbs

Filesize
723B

MD5
a908746a534d448ce59ad21adc97a088

SHA1
1fe0b39092888bca8d0f97076e82dd9fd4c79588

SHA256
10ef8bd3c4a5e2fedbf35070715f02e91f191f8556330c1272a69a0f3d28f8ea

SHA512
44c360e63c24209bb2fc09fc39ecfa019ddcd7e5c5c495e99ede3a18ff95230ae0d794c9e59287041e94927eb564528a6b72b2166277108026afbe4df154762b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd202f08-8eca-4a11-826f-d1eb175f9ea2.vbs

Filesize
723B

MD5
0cf9d0b62c13f1cfddd923b1fb4b031c

SHA1
077f846eb3bf3eae8aca9a2642b394b9b058524e

SHA256
5a49f7f0d570918f7d6a9f9a5138dbde52332ffedd4599699768afd45ba40659

SHA512
b16f53f62966c91e9e42b97f341c25f4f84f72a10ff0b72b76a6603d6fb1b3997805243fdfb4dd8b45887b22c5b3a45be369560faa2aec4106fd13f58987a0ce

Download Submit
C:\Users\Default\Videos\System.exe

Filesize
852KB

MD5
1bc7383947c16032dddc30084dc192d4

SHA1
d9e370fcd362821556a14952fab2a2835aaf0881

SHA256
ad036f409a644ae11328a41d0de768feaee4e684c154bd7de7a27f922b09557a

SHA512
bc2c549104f4a450259a0f91bb1a71ccf44c7d84762371b67d01f1c46417d1257c588d55e1e1464a9b4d6492d55489b1ce576e11fbc8ee88311585642287d777

Download Submit
memory/404-357-0x000000001B210000-0x000000001B222000-memory.dmp

Filesize
72KB

Download
memory/976-322-0x0000000003180000-0x0000000003192000-memory.dmp

Filesize
72KB

Download
memory/4936-334-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

Filesize
72KB

Download
memory/5268-255-0x000000001B520000-0x000000001B576000-memory.dmp

Filesize
344KB

Download
memory/5788-10-0x000000001B7D0000-0x000000001B7DC000-memory.dmp

Filesize
48KB

Download
memory/5788-11-0x000000001B880000-0x000000001B888000-memory.dmp

Filesize
32KB

Download
memory/5788-1-0x0000000000470000-0x000000000065A000-memory.dmp

Filesize
1.9MB

Download
memory/5788-20-0x000000001BAC0000-0x000000001BACC000-memory.dmp

Filesize
48KB

Download
memory/5788-16-0x000000001BA80000-0x000000001BA8A000-memory.dmp

Filesize
40KB

Download
memory/5788-17-0x000000001BA90000-0x000000001BA9E000-memory.dmp

Filesize
56KB

Download
memory/5788-18-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/5788-19-0x000000001BAB0000-0x000000001BABC000-memory.dmp

Filesize
48KB

Download
memory/5788-15-0x000000001B8C0000-0x000000001B8CC000-memory.dmp

Filesize
48KB

Download
memory/5788-14-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

Filesize
5.2MB

Download
memory/5788-0-0x00007FFF3AB43000-0x00007FFF3AB45000-memory.dmp

Filesize
8KB

Download
memory/5788-212-0x00007FFF3AB40000-0x00007FFF3B601000-memory.dmp

Filesize
10.8MB

Download
memory/5788-13-0x000000001B890000-0x000000001B8A2000-memory.dmp

Filesize
72KB

Download
memory/5788-9-0x000000001B830000-0x000000001B886000-memory.dmp

Filesize
344KB

Download
memory/5788-3-0x00000000026C0000-0x00000000026DC000-memory.dmp

Filesize
112KB

Download
memory/5788-4-0x000000001B7E0000-0x000000001B830000-memory.dmp

Filesize
320KB

Download
memory/5788-8-0x000000001B7C0000-0x000000001B7CA000-memory.dmp

Filesize
40KB

Download
memory/5788-5-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/5788-6-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/5788-7-0x000000001B7A0000-0x000000001B7B6000-memory.dmp

Filesize
88KB

Download
memory/5788-2-0x00007FFF3AB40000-0x00007FFF3B601000-memory.dmp

Filesize
10.8MB

Download
memory/6060-153-0x000001CA27100000-0x000001CA27122000-memory.dmp

Filesize
136KB

Download