1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09df096633080be658753777a8e7feea.exe
Size

1.9MB
MD5

09df096633080be658753777a8e7feea
SHA1

4b1b789ff3db59b07c1013c527273c350e78bf08
SHA256

63671cdfb5eddd70bfa3e97395c34e860c217a0838c853029ca85a40a5520298
SHA512

7216e17df59456ad6d0139be6ddd65c02c6f58519acc0f57aaacc7f7728d362abdd1470ebb5be67a1c446ae8ba1c596cf4d19ba8b8dbc65bbe5b241fb5a7b32a
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2520	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2520	schtasks.exe	28

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2556	powershell.exe
2608	powershell.exe
2584	powershell.exe
2932	powershell.exe
680	powershell.exe
2136	powershell.exe
1680	powershell.exe
2480	powershell.exe
2468	powershell.exe
2868	powershell.exe
2148	powershell.exe
2308	powershell.exe
2296	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	09df096633080be658753777a8e7feea.exe

Executes dropped EXE 10 IoCs

pid	Process
2912	System.exe
2620	System.exe
2804	System.exe
856	System.exe
1660	System.exe
2776	System.exe
904	System.exe
1128	System.exe
2136	System.exe
2448	System.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09df096633080be658753777a8e7feea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	09df096633080be658753777a8e7feea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\spoolsv.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Program Files\Internet Explorer\f3b6ecef712a24	09df096633080be658753777a8e7feea.exe
File created	C:\Program Files (x86)\MSBuild\System.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXA475.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files\Internet Explorer\spoolsv.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB330.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files (x86)\MSBuild\System.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Program Files (x86)\MSBuild\27d1bcfc3c54e0	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXA474.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB2C2.tmp	09df096633080be658753777a8e7feea.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Setup\State\RCXA6E6.tmp	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\SchCache\explorer.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\Setup\State\27d1bcfc3c54e0	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\twain_32\wininit.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\Resources\Ease of Access Themes\dwm.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\SchCache\RCX9B19.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\SchCache\explorer.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\Setup\State\RCXA754.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\Setup\State\System.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\dwm.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\SchCache\7a0fd90576e088	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\Resources\Ease of Access Themes\6cb0b6c459d5d3	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\SchCache\RCX9B1A.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\twain_32\RCXB534.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\twain_32\RCXB5A2.tmp	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXB7D5.tmp	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\Setup\State\System.exe	09df096633080be658753777a8e7feea.exe
File created	C:\Windows\twain_32\56085415360792	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\twain_32\wininit.exe	09df096633080be658753777a8e7feea.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXB7D6.tmp	09df096633080be658753777a8e7feea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe
2336	schtasks.exe
2692	schtasks.exe
2488	schtasks.exe
2296	schtasks.exe
2600	schtasks.exe
2884	schtasks.exe
852	schtasks.exe
1992	schtasks.exe
2932	schtasks.exe
2024	schtasks.exe
2540	schtasks.exe
2568	schtasks.exe
2696	schtasks.exe
2700	schtasks.exe
1652	schtasks.exe
1608	schtasks.exe
812	schtasks.exe
2652	schtasks.exe
2452	schtasks.exe
1192	schtasks.exe
1516	schtasks.exe
1112	schtasks.exe
2248	schtasks.exe
2724	schtasks.exe
2756	schtasks.exe
1680	schtasks.exe
1856	schtasks.exe
2688	schtasks.exe
2464	schtasks.exe
796	schtasks.exe
2760	schtasks.exe
2204	schtasks.exe
2532	schtasks.exe
1588	schtasks.exe
2168	schtasks.exe
2820	schtasks.exe
2632	schtasks.exe
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1872	09df096633080be658753777a8e7feea.exe
1872	09df096633080be658753777a8e7feea.exe
1872	09df096633080be658753777a8e7feea.exe
2148	powershell.exe
2440	powershell.exe
2296	powershell.exe
2868	powershell.exe
2480	powershell.exe
2556	powershell.exe
2608	powershell.exe
1680	powershell.exe
2308	powershell.exe
2468	powershell.exe
680	powershell.exe
2136	powershell.exe
2584	powershell.exe
2932	powershell.exe
2912	System.exe
2620	System.exe
2804	System.exe
856	System.exe
1660	System.exe
2776	System.exe
904	System.exe
1128	System.exe
2136	System.exe
2448	System.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	09df096633080be658753777a8e7feea.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2912	System.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2620	System.exe
Token: SeDebugPrivilege	2804	System.exe
Token: SeDebugPrivilege	856	System.exe
Token: SeDebugPrivilege	1660	System.exe
Token: SeDebugPrivilege	2776	System.exe
Token: SeDebugPrivilege	904	System.exe
Token: SeDebugPrivilege	1128	System.exe
Token: SeDebugPrivilege	2136	System.exe
Token: SeDebugPrivilege	2448	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2136	1872	09df096633080be658753777a8e7feea.exe	68
PID 1872 wrote to memory of 2136	1872	09df096633080be658753777a8e7feea.exe	68
PID 1872 wrote to memory of 2136	1872	09df096633080be658753777a8e7feea.exe	68
PID 1872 wrote to memory of 1680	1872	09df096633080be658753777a8e7feea.exe	69
PID 1872 wrote to memory of 1680	1872	09df096633080be658753777a8e7feea.exe	69
PID 1872 wrote to memory of 1680	1872	09df096633080be658753777a8e7feea.exe	69
PID 1872 wrote to memory of 2480	1872	09df096633080be658753777a8e7feea.exe	70
PID 1872 wrote to memory of 2480	1872	09df096633080be658753777a8e7feea.exe	70
PID 1872 wrote to memory of 2480	1872	09df096633080be658753777a8e7feea.exe	70
PID 1872 wrote to memory of 2440	1872	09df096633080be658753777a8e7feea.exe	71
PID 1872 wrote to memory of 2440	1872	09df096633080be658753777a8e7feea.exe	71
PID 1872 wrote to memory of 2440	1872	09df096633080be658753777a8e7feea.exe	71
PID 1872 wrote to memory of 2468	1872	09df096633080be658753777a8e7feea.exe	72
PID 1872 wrote to memory of 2468	1872	09df096633080be658753777a8e7feea.exe	72
PID 1872 wrote to memory of 2468	1872	09df096633080be658753777a8e7feea.exe	72
PID 1872 wrote to memory of 2868	1872	09df096633080be658753777a8e7feea.exe	73
PID 1872 wrote to memory of 2868	1872	09df096633080be658753777a8e7feea.exe	73
PID 1872 wrote to memory of 2868	1872	09df096633080be658753777a8e7feea.exe	73
PID 1872 wrote to memory of 2556	1872	09df096633080be658753777a8e7feea.exe	74
PID 1872 wrote to memory of 2556	1872	09df096633080be658753777a8e7feea.exe	74
PID 1872 wrote to memory of 2556	1872	09df096633080be658753777a8e7feea.exe	74
PID 1872 wrote to memory of 2148	1872	09df096633080be658753777a8e7feea.exe	75
PID 1872 wrote to memory of 2148	1872	09df096633080be658753777a8e7feea.exe	75
PID 1872 wrote to memory of 2148	1872	09df096633080be658753777a8e7feea.exe	75
PID 1872 wrote to memory of 2308	1872	09df096633080be658753777a8e7feea.exe	76
PID 1872 wrote to memory of 2308	1872	09df096633080be658753777a8e7feea.exe	76
PID 1872 wrote to memory of 2308	1872	09df096633080be658753777a8e7feea.exe	76
PID 1872 wrote to memory of 2296	1872	09df096633080be658753777a8e7feea.exe	77
PID 1872 wrote to memory of 2296	1872	09df096633080be658753777a8e7feea.exe	77
PID 1872 wrote to memory of 2296	1872	09df096633080be658753777a8e7feea.exe	77
PID 1872 wrote to memory of 2608	1872	09df096633080be658753777a8e7feea.exe	78
PID 1872 wrote to memory of 2608	1872	09df096633080be658753777a8e7feea.exe	78
PID 1872 wrote to memory of 2608	1872	09df096633080be658753777a8e7feea.exe	78
PID 1872 wrote to memory of 2584	1872	09df096633080be658753777a8e7feea.exe	79
PID 1872 wrote to memory of 2584	1872	09df096633080be658753777a8e7feea.exe	79
PID 1872 wrote to memory of 2584	1872	09df096633080be658753777a8e7feea.exe	79
PID 1872 wrote to memory of 2932	1872	09df096633080be658753777a8e7feea.exe	80
PID 1872 wrote to memory of 2932	1872	09df096633080be658753777a8e7feea.exe	80
PID 1872 wrote to memory of 2932	1872	09df096633080be658753777a8e7feea.exe	80
PID 1872 wrote to memory of 680	1872	09df096633080be658753777a8e7feea.exe	81
PID 1872 wrote to memory of 680	1872	09df096633080be658753777a8e7feea.exe	81
PID 1872 wrote to memory of 680	1872	09df096633080be658753777a8e7feea.exe	81
PID 1872 wrote to memory of 2912	1872	09df096633080be658753777a8e7feea.exe	96
PID 1872 wrote to memory of 2912	1872	09df096633080be658753777a8e7feea.exe	96
PID 1872 wrote to memory of 2912	1872	09df096633080be658753777a8e7feea.exe	96
PID 2912 wrote to memory of 2524	2912	System.exe	97
PID 2912 wrote to memory of 2524	2912	System.exe	97
PID 2912 wrote to memory of 2524	2912	System.exe	97
PID 2912 wrote to memory of 2632	2912	System.exe	98
PID 2912 wrote to memory of 2632	2912	System.exe	98
PID 2912 wrote to memory of 2632	2912	System.exe	98
PID 2524 wrote to memory of 2620	2524	WScript.exe	101
PID 2524 wrote to memory of 2620	2524	WScript.exe	101
PID 2524 wrote to memory of 2620	2524	WScript.exe	101
PID 2620 wrote to memory of 920	2620	System.exe	102
PID 2620 wrote to memory of 920	2620	System.exe	102
PID 2620 wrote to memory of 920	2620	System.exe	102
PID 2620 wrote to memory of 844	2620	System.exe	103
PID 2620 wrote to memory of 844	2620	System.exe	103
PID 2620 wrote to memory of 844	2620	System.exe	103
PID 920 wrote to memory of 2804	920	WScript.exe	104
PID 920 wrote to memory of 2804	920	WScript.exe	104
PID 920 wrote to memory of 2804	920	WScript.exe	104
PID 2804 wrote to memory of 2548	2804	System.exe	105

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	09df096633080be658753777a8e7feea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe
"C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\09df096633080be658753777a8e7feea.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\MSOCache\All Users\System.exe
  "C:\MSOCache\All Users\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46b7dee-547a-4312-ae04-e2c5c1026df0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\MSOCache\All Users\System.exe
      "C:\MSOCache\All Users\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9f56b9-4776-4399-9b2c-feca5ab7977f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83adff99-f820-487b-a780-cac7e098622f.vbs"
        7⤵
        
        PID:2548
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61723f49-1a2d-4111-9534-176500ff214d.vbs"
        9⤵
        
        PID:340
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2057ff7d-7724-467b-b796-446a67f3d4ca.vbs"
        11⤵
        
        PID:1492
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a320699-0ea4-4b08-97a7-d46b29e7ec1f.vbs"
        13⤵
        
        PID:1524
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e07e39-1a48-4393-ad4b-bf4b84eb4ca9.vbs"
        15⤵
        
        PID:2712
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8630e61a-bccd-4b3b-aaf8-45e7be5059e9.vbs"
        17⤵
        
        PID:1632
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1329e131-687e-46dd-addd-f07f37ed4080.vbs"
        19⤵
        
        PID:2752
        
        C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdc81f80-4d16-4a3b-b883-b4389d21cf89.vbs"
        21⤵
        
        PID:652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\411cf8be-05a9-4e87-8e24-abd2e777d8ed.vbs"
        21⤵
        
        PID:1440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aff2ea31-09cb-4dd5-b66f-c305649e09fc.vbs"
        19⤵
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e37b65b-ea20-4589-bf1e-4e5369c8527a.vbs"
        17⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a522a2d-9a6c-49cc-953c-395366d17155.vbs"
        15⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e450d5e2-64bf-425c-a390-3fe10dc6947b.vbs"
        13⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\677a6572-e606-4a5d-aa2d-35504959c60c.vbs"
        11⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4884bf8-89aa-4468-b5b2-cb488a99b475.vbs"
        9⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a81a75-ed4a-4753-83a0-91ee98747b3d.vbs"
        7⤵
        
        PID:2248
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd54efd1-8a61-4cff-8588-64e8c2b8932a.vbs"
        5⤵
        
        PID:844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddc37a9c-8016-4619-93d7-073f17d34181.vbs"
    3⤵
    PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
1.9MB

MD5
121df7825ea2b1e1ef25d6366e27f1c9

SHA1
69cc6458aaea9d129af042a444309c2805eb18fa

SHA256
3232ca7c254d105637d877394fddaefed380ea105d31f5cd95f70d4be3ba6759

SHA512
9f213f072fe78235449a0ab7c9dfe15a96d12e8ad8a118bd060b639e7e77fe1c9bc085e739710c95994e7722c762689546f0bb5ca1a67e58d179b79b66e68118

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
1.9MB

MD5
3505bb6f162b34c925a85099785ae30b

SHA1
8fc6284e9fdee392c685bfad626238e818508e58

SHA256
e206421bb5a7f4565ea3ab2feb3e4d4b200b4ac5d27ea5d3e303b638ba48c574

SHA512
a3bb0bf63f62a0be3183f8deb75f8437ee4be2392385ea159c87590a970e18c5f4167bc7e5d3c7fdedbc464e36e8b9b31d826cbbd8d02a3f5716664b103db130

Download Submit
C:\Program Files\Internet Explorer\spoolsv.exe

Filesize
1.9MB

MD5
09df096633080be658753777a8e7feea

SHA1
4b1b789ff3db59b07c1013c527273c350e78bf08

SHA256
63671cdfb5eddd70bfa3e97395c34e860c217a0838c853029ca85a40a5520298

SHA512
7216e17df59456ad6d0139be6ddd65c02c6f58519acc0f57aaacc7f7728d362abdd1470ebb5be67a1c446ae8ba1c596cf4d19ba8b8dbc65bbe5b241fb5a7b32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a320699-0ea4-4b08-97a7-d46b29e7ec1f.vbs

Filesize
708B

MD5
5d11cb7895b97548ce1b634bc6ee89c3

SHA1
66de2693eaf19a401aff6f5dc05a67b375316ed9

SHA256
e530ff68ee432bb1cd6b4485330be89a7c49611c04d8dcc1d09b6029cbbcc01a

SHA512
b8a87849b3c4fc34b7aeb3d5d28eef95cd21a5539e5382b2cf4829e8b900e47eedf2c1548d11d53bd01f7ca4b7b84b9569446995d1da0064663a016b01f7711c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1329e131-687e-46dd-addd-f07f37ed4080.vbs

Filesize
708B

MD5
ba08e88d934330e9561d40de61eba628

SHA1
88462e248c75c3a0330bf8f78e38541a58d49698

SHA256
c6f74e1b214260eed3444899b23168f170ea0a3dcee1731efa8563ad8d0dbf2e

SHA512
f498802e1b63f7ac1878f961a34b144753cbeaa871cad6d6854dff683ba4d54b7f4e7726be2b0485dd8be550b7b0752e15110a7e0f875acb965f0a0faa488665

Download Submit
C:\Users\Admin\AppData\Local\Temp\2057ff7d-7724-467b-b796-446a67f3d4ca.vbs

Filesize
708B

MD5
d37fb0d99d2ca5b5465d3f9968b55483

SHA1
3b1e2dc415fc85d6348b1e720a69e47a3f5cc2fb

SHA256
46068797a2021080bc1966deefe8c14520e9de600fc0ab7c9b36fb5d8111804a

SHA512
c5d34744753ee64328979b610cdc6ff7ac4301f3ab6aaeb8f9052de6e81089471d8cd117e8c3700dca7b5e35846c2647636b56dca6d4fcdba023771f6f71f4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\61723f49-1a2d-4111-9534-176500ff214d.vbs

Filesize
707B

MD5
b162015f4797dfc4eb50559d0a6c9c65

SHA1
b043f1fd8d1ed85d43f30f8599a458f00be00e34

SHA256
17555d06bce96b8adfca8e9e2262ebc33e3b788b08b635c1b5892e0e11d706eb

SHA512
9afbfdefd71e6b8f94edc617cdf9ed4d4d49603377ca317b29dd22eaab6b5f97c0b204de92aca6a326ade4ad9585a5fbea0eb30ae51aec16547e1ecd09e2acff

Download Submit
C:\Users\Admin\AppData\Local\Temp\83adff99-f820-487b-a780-cac7e098622f.vbs

Filesize
708B

MD5
2918321881c1c4e4e8f8287f90aeda05

SHA1
c0f51a6bd1a918bec40e0a31b0b54c9f78ebf3b3

SHA256
085867f4fdcc8fab3dd59c8750a20e4524e8ebbcd366a99084fd0239ad936cfa

SHA512
008f832c2393ed016377f8898249d608925c9e87242febaa10dbe2a201aab543ac983b1b19f15f645be666a9c4ed8ea26b68a00c0e931ba5c27ec110eaaba48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8630e61a-bccd-4b3b-aaf8-45e7be5059e9.vbs

Filesize
708B

MD5
6d09ee7571c5a10e84fee6135a4f681f

SHA1
d16428766da8c5e1a9f4f4277571658889e346fe

SHA256
b5923a23c4d286110ddb2cb8ca5eaf012e86aacc979916bb8471ae8a1d484b68

SHA512
8d5fe108eb459499773b7769ca847da7b2026e6a92f0e4ea84313dd8a15892f787febd4f1928722fc1a823b205f3496c3f29ac3d043452b3cede12a2ce513520

Download Submit
C:\Users\Admin\AppData\Local\Temp\89e07e39-1a48-4393-ad4b-bf4b84eb4ca9.vbs

Filesize
707B

MD5
fac8989a806c5fd62c0ac1a0226ba14d

SHA1
69bc204662cde6748351532b269fe06697f835f0

SHA256
ed2e7c2e4cecb15717c27a75a25c9b9420060e4524594d9bd3da45a57295e381

SHA512
70cf14327dca17fd088a8842204941c1e1754b531d81aef885fa4a98002d5d6ec81193212daeb61c9c6a173b79a3d6640aff79f652bd1c1bed4ec40fd8c72389

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdc81f80-4d16-4a3b-b883-b4389d21cf89.vbs

Filesize
708B

MD5
ccd1827d6de574a0620a819dd91d2888

SHA1
df8be5f67e55f19c9a1b97cf7f1ff5e8d783f290

SHA256
42d6dd58f69997e901972ce6c4291973c054832e5235126fcfd3797f84d0c096

SHA512
ae579361f7c051728eba9354fdc18502378499322badcaab040665238551dfcdd724d0b216c8804ef6d853752ba49f95e1d281dbefaedf2f4d2fc3d8fce0a40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddc37a9c-8016-4619-93d7-073f17d34181.vbs

Filesize
484B

MD5
1f73dbf30630f9bd6c4538948b2edd7b

SHA1
89b202cebd54c687eddc5499dcf86ccbcb628744

SHA256
3e19d2b2d54ccc366aa2841b249cd4779b3469e3b29e2d06f28b806dd9fd66b2

SHA512
0cb3c48c9838b5f25ad2593a5bc22019fbd92f5561bcaf202d5616d8521046836c1dd1e60a13c5644dae99b379ea1db269e2469f7b51e854e50f861ec2477c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\e46b7dee-547a-4312-ae04-e2c5c1026df0.vbs

Filesize
708B

MD5
712372e6ba8c8c82a2a482ed961a7e9d

SHA1
5b849b219de8121fbdf53e64e050be83fdd4cfa0

SHA256
e09edbebfd3e5d8f68c5066a3d7d5e2c3f1ba31a76e94888f3fde3d09612778e

SHA512
43634319225cf5c129f4a09128900a8076317c7d3efeb9e0a35cb43d97f575f7b5c04a3a8bb1586d75f147283c0ca5fe22b3ec06bc0184a9732c147651231370

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed9f56b9-4776-4399-9b2c-feca5ab7977f.vbs

Filesize
708B

MD5
629a6dc36a1f01bd3ce6dddd31789dbc

SHA1
24ec6e8f8bfd752bb80fc56e826e9aec6e18c709

SHA256
a3f7e2db90d583673e73730eb27d460d42158e231b24efa046b9be9939ddca31

SHA512
1ccc92e3b1c98692e63439d9a7d362608a50b25c3159fca3393e2dcd4829b4b07d2fad7fba1993b28a613d8617ef8ea20f1d0e24b3bb800391fd41113f7486e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3NVMCNCHBRPL8O4GGTAP.temp

Filesize
7KB

MD5
d899a8404b7f3214cde1598885382e82

SHA1
fbd4e796c83c1497bb395bec07627086fb56e6a7

SHA256
1ecb7a8f07c90d7a893f266cbe6e7739c07075a3835b476006f07dbbcff5e0c2

SHA512
72a3cec1ce085e85d73df34ce2db0118d591130fcc738f79baf479319324bdeb9adc2b5d84939afc9857b700f8aa8090ec47115df8e9af0eb6cabdbf20f58c1c

Download Submit
C:\Users\Default\explorer.exe

Filesize
1.9MB

MD5
c957e567aeba0913c13dd8e7a140da86

SHA1
e9b63a3f69df03f5cbfb6557aeab73dc0f9ee6ca

SHA256
fd2856a0915da1b496185a710ecabfdb39ad4c252b8799c4f10438613f4eb8c6

SHA512
3aa758880dd1a94597439370155d13590edab6f2550ec43036136b24b04414d1952d2d319c8acca6cd971fe1a8cd1c8b5556dd3fef58fb03088737768e819e8a

Download Submit
C:\Users\Public\Pictures\Sample Pictures\dwm.exe

Filesize
1.9MB

MD5
d682f1bfa23dd71b8fb18adf921cd503

SHA1
ff1af609a5dbc0c3df51302edab32309f6358e8b

SHA256
80ee589311a6a5522c8b605565406f3f78a883bf90527d00483d120781e8e8c7

SHA512
ece24d2390a2b9fb87c63027a84e6ce083466695b339aa6c0ddb38f93c09d549119278eeed85d1f3ef3e950fc02e54d3a4771b89bdc6a12ee10f8d1670c3f241

Download Submit
C:\Windows\Setup\State\System.exe

Filesize
1.9MB

MD5
38d16294ed6667c982fd3114d2ae679b

SHA1
b30fb06d249904af5a496f3a884e3e985efdf026

SHA256
b9449de1d89fdaab9a92985e3f6d604a38dd253f97172dcfc26f2a592e4e288e

SHA512
f17ce2659bc3b3048c7edd9f9b8e945c154c69a3906588d2947efd60357f7af8b72efdef168c8de982e1eeb18982e1a2552464502d1799d317f6768971d23ac7

Download Submit
C:\Windows\twain_32\wininit.exe

Filesize
1.9MB

MD5
9af02a5e95430a2c8a10aa62c5d9abe8

SHA1
3b96c706410a4fd0705bcd58928a9be193780644

SHA256
0d90e6d729fbc820845855cef38475b7d8a2c2b8cc054a7619f8b63b6d30b83c

SHA512
ff4252dadb37e669ef8230f6d378633df9c3ad80b30c9e74a73f84490b510796b9dcecfb836758f03933a599e53fb023b527bee6537df1ea37c7c3c1e704f16b

Download Submit
memory/856-314-0x0000000000030000-0x000000000021A000-memory.dmp

Filesize
1.9MB

Download
memory/1660-326-0x0000000000CF0000-0x0000000000EDA000-memory.dmp

Filesize
1.9MB

Download
memory/1660-327-0x0000000002360000-0x0000000002372000-memory.dmp

Filesize
72KB

Download
memory/1872-14-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1872-13-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/1872-17-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/1872-185-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x0000000000CA0000-0x0000000000E8A000-memory.dmp

Filesize
1.9MB

Download
memory/1872-16-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/1872-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/1872-227-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1872-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1872-15-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/1872-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1872-6-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/1872-7-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1872-18-0x000000001A8F0000-0x000000001A8FC000-memory.dmp

Filesize
48KB

Download
memory/1872-12-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1872-10-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/1872-9-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1872-8-0x0000000002390000-0x00000000023E6000-memory.dmp

Filesize
344KB

Download
memory/2136-373-0x00000000003A0000-0x000000000058A000-memory.dmp

Filesize
1.9MB

Download
memory/2148-215-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2296-222-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2448-385-0x0000000001310000-0x00000000014FA000-memory.dmp

Filesize
1.9MB

Download
memory/2620-291-0x0000000001060000-0x00000000010B6000-memory.dmp

Filesize
344KB

Download
memory/2620-290-0x0000000001120000-0x000000000130A000-memory.dmp

Filesize
1.9MB

Download
memory/2776-339-0x0000000001330000-0x000000000151A000-memory.dmp

Filesize
1.9MB

Download
memory/2912-279-0x000000001A7E0000-0x000000001A7F2000-memory.dmp

Filesize
72KB

Download
memory/2912-278-0x000000001ABE0000-0x000000001AC36000-memory.dmp

Filesize
344KB

Download
memory/2912-214-0x0000000000E00000-0x0000000000FEA000-memory.dmp

Filesize
1.9MB

Download