5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82aff6a3f0ad4533029392f48502a7e2.exe
Size

1.9MB
MD5

82aff6a3f0ad4533029392f48502a7e2
SHA1

f895f75e4ca2fa64ea2f7fc8026f7d45d6fb7a63
SHA256

40ea09eeb440e55f9020c374046c518009e516ee3efba244fa94fcf753325d61
SHA512

8f12d8f615b260cd390139a82bc8b8ec70bd383f7c0fc17df86c8edc6d1b2a902bb9c4f40209f7d096ff1ed8c1aac12806972ab14e4fe59248d152b7992134e7
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1468	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1468	schtasks.exe	88

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
2148	powershell.exe
4808	powershell.exe
4252	powershell.exe
3936	powershell.exe
3928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	82aff6a3f0ad4533029392f48502a7e2.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	82aff6a3f0ad4533029392f48502a7e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 7 IoCs

pid	Process
2228	smss.exe
2028	smss.exe
2964	smss.exe
2492	smss.exe
872	smss.exe
2408	smss.exe
432	smss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82aff6a3f0ad4533029392f48502a7e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX8940.tmp	82aff6a3f0ad4533029392f48502a7e2.exe
File created	C:\Windows\Setup\State\StartMenuExperienceHost.exe	82aff6a3f0ad4533029392f48502a7e2.exe
File created	C:\Windows\Setup\State\55b276f4edf653	82aff6a3f0ad4533029392f48502a7e2.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe	82aff6a3f0ad4533029392f48502a7e2.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe	82aff6a3f0ad4533029392f48502a7e2.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\9e8d7a4ca61bd9	82aff6a3f0ad4533029392f48502a7e2.exe
File opened for modification	C:\Windows\Setup\State\RCX8205.tmp	82aff6a3f0ad4533029392f48502a7e2.exe
File opened for modification	C:\Windows\Setup\State\RCX8206.tmp	82aff6a3f0ad4533029392f48502a7e2.exe
File opened for modification	C:\Windows\Setup\State\StartMenuExperienceHost.exe	82aff6a3f0ad4533029392f48502a7e2.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX88C2.tmp	82aff6a3f0ad4533029392f48502a7e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	82aff6a3f0ad4533029392f48502a7e2.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3788	schtasks.exe
4572	schtasks.exe
4692	schtasks.exe
3360	schtasks.exe
3164	schtasks.exe
340	schtasks.exe
1180	schtasks.exe
4280	schtasks.exe
4780	schtasks.exe
1284	schtasks.exe
4640	schtasks.exe
5004	schtasks.exe
1804	schtasks.exe
3668	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
60	82aff6a3f0ad4533029392f48502a7e2.exe
3928	powershell.exe
3928	powershell.exe
2844	powershell.exe
2844	powershell.exe
4252	powershell.exe
4252	powershell.exe
3936	powershell.exe
3936	powershell.exe
4808	powershell.exe
4808	powershell.exe
2148	powershell.exe
2148	powershell.exe
2844	powershell.exe
3936	powershell.exe
3928	powershell.exe
4252	powershell.exe
4808	powershell.exe
2148	powershell.exe
2228	smss.exe
2028	smss.exe
2964	smss.exe
2492	smss.exe
872	smss.exe
2408	smss.exe
432	smss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	82aff6a3f0ad4533029392f48502a7e2.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2228	smss.exe
Token: SeDebugPrivilege	2028	smss.exe
Token: SeDebugPrivilege	2964	smss.exe
Token: SeDebugPrivilege	2492	smss.exe
Token: SeDebugPrivilege	872	smss.exe
Token: SeDebugPrivilege	2408	smss.exe
Token: SeDebugPrivilege	432	smss.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 2844	60	82aff6a3f0ad4533029392f48502a7e2.exe	104
PID 60 wrote to memory of 2844	60	82aff6a3f0ad4533029392f48502a7e2.exe	104
PID 60 wrote to memory of 2148	60	82aff6a3f0ad4533029392f48502a7e2.exe	105
PID 60 wrote to memory of 2148	60	82aff6a3f0ad4533029392f48502a7e2.exe	105
PID 60 wrote to memory of 4808	60	82aff6a3f0ad4533029392f48502a7e2.exe	106
PID 60 wrote to memory of 4808	60	82aff6a3f0ad4533029392f48502a7e2.exe	106
PID 60 wrote to memory of 4252	60	82aff6a3f0ad4533029392f48502a7e2.exe	107
PID 60 wrote to memory of 4252	60	82aff6a3f0ad4533029392f48502a7e2.exe	107
PID 60 wrote to memory of 3936	60	82aff6a3f0ad4533029392f48502a7e2.exe	108
PID 60 wrote to memory of 3936	60	82aff6a3f0ad4533029392f48502a7e2.exe	108
PID 60 wrote to memory of 3928	60	82aff6a3f0ad4533029392f48502a7e2.exe	109
PID 60 wrote to memory of 3928	60	82aff6a3f0ad4533029392f48502a7e2.exe	109
PID 60 wrote to memory of 2228	60	82aff6a3f0ad4533029392f48502a7e2.exe	116
PID 60 wrote to memory of 2228	60	82aff6a3f0ad4533029392f48502a7e2.exe	116
PID 2228 wrote to memory of 220	2228	smss.exe	117
PID 2228 wrote to memory of 220	2228	smss.exe	117
PID 2228 wrote to memory of 3304	2228	smss.exe	118
PID 2228 wrote to memory of 3304	2228	smss.exe	118
PID 220 wrote to memory of 2028	220	WScript.exe	123
PID 220 wrote to memory of 2028	220	WScript.exe	123
PID 2028 wrote to memory of 3336	2028	smss.exe	125
PID 2028 wrote to memory of 3336	2028	smss.exe	125
PID 2028 wrote to memory of 1704	2028	smss.exe	126
PID 2028 wrote to memory of 1704	2028	smss.exe	126
PID 3336 wrote to memory of 2964	3336	WScript.exe	130
PID 3336 wrote to memory of 2964	3336	WScript.exe	130
PID 2964 wrote to memory of 4792	2964	smss.exe	133
PID 2964 wrote to memory of 4792	2964	smss.exe	133
PID 2964 wrote to memory of 4036	2964	smss.exe	134
PID 2964 wrote to memory of 4036	2964	smss.exe	134
PID 4792 wrote to memory of 2492	4792	WScript.exe	140
PID 4792 wrote to memory of 2492	4792	WScript.exe	140
PID 2492 wrote to memory of 5092	2492	smss.exe	141
PID 2492 wrote to memory of 5092	2492	smss.exe	141
PID 2492 wrote to memory of 4556	2492	smss.exe	142
PID 2492 wrote to memory of 4556	2492	smss.exe	142
PID 5092 wrote to memory of 872	5092	WScript.exe	143
PID 5092 wrote to memory of 872	5092	WScript.exe	143
PID 872 wrote to memory of 2576	872	smss.exe	144
PID 872 wrote to memory of 2576	872	smss.exe	144
PID 872 wrote to memory of 1304	872	smss.exe	145
PID 872 wrote to memory of 1304	872	smss.exe	145
PID 2576 wrote to memory of 2408	2576	WScript.exe	147
PID 2576 wrote to memory of 2408	2576	WScript.exe	147
PID 2408 wrote to memory of 3148	2408	smss.exe	148
PID 2408 wrote to memory of 3148	2408	smss.exe	148
PID 2408 wrote to memory of 4360	2408	smss.exe	149
PID 2408 wrote to memory of 4360	2408	smss.exe	149
PID 3148 wrote to memory of 432	3148	WScript.exe	150
PID 3148 wrote to memory of 432	3148	WScript.exe	150
PID 432 wrote to memory of 4104	432	smss.exe	151
PID 432 wrote to memory of 4104	432	smss.exe	151
PID 432 wrote to memory of 3600	432	smss.exe	152
PID 432 wrote to memory of 3600	432	smss.exe	152

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82aff6a3f0ad4533029392f48502a7e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82aff6a3f0ad4533029392f48502a7e2.exe
"C:\Users\Admin\AppData\Local\Temp\82aff6a3f0ad4533029392f48502a7e2.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\82aff6a3f0ad4533029392f48502a7e2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Recovery\WindowsRE\smss.exe
  "C:\Recovery\WindowsRE\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2228
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbc6ec6d-38c4-4cd1-8a82-edb7b4044ce9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Recovery\WindowsRE\smss.exe
      C:\Recovery\WindowsRE\smss.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41878a1-1d98-40a4-ac9f-97af9f7eddc1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
      - C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\698ca40a-53f2-40a2-9693-22153a4be1a7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3337201-8c3d-4365-b15f-ae3f73195841.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e77f985-c7b2-464f-9645-e88c4fdf1580.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f25e85df-0b61-4c1d-a2fe-d61478b0ef26.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Recovery\WindowsRE\smss.exe
        
        C:\Recovery\WindowsRE\smss.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8071b6b-e2aa-48f4-9a7e-e91468e492ea.vbs"
        15⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e45730-fe3c-4567-8485-0429b3f19e41.vbs"
        15⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66cec292-7b14-4d4c-bc59-a64f76f44ae4.vbs"
        13⤵
        
        PID:4360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bce8fb-a489-4333-bc95-ed2c968dbb1a.vbs"
        11⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1136b49-3a93-4988-9d30-eb23f9a333bd.vbs"
        9⤵
        
        PID:4556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d62496c-3638-46c8-b5ed-f41673db79f0.vbs"
        7⤵
        
        PID:4036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a64337-e535-4893-9172-6f0b2c8b8627.vbs"
        5⤵
        
        PID:1704
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c304c67-e28e-4ab5-a013-51d34eeba053.vbs"
    3⤵
    PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe

Filesize
1.9MB

MD5
8b6440836b6d1611f70030e06a568d4c

SHA1
a93d99b2ac8e8f85afd5e0dbd87d9dfe64a75143

SHA256
3ee5c36502e12a6c71acee6231f7272e1a0d41d71e660dc613825ef6bf02ffb2

SHA512
a05194762d639fa8571437339b2430844448e013f602efe85446de36820bee56500cf3edef55b0abe46357402c70905cebfae4cd82a69c23027a33a843fa1898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ff4a967012d041f24f777799e626cce4

SHA1
cd1d31edfe04a9b39f8b2732376ba466c8a66346

SHA256
2bb6758e5d9612b5d554149ea754704ae992db5f1848a060f50e08ffbfc85d4e

SHA512
45a214acf08c71fbc4946a624d1ff4d95f08c508bd157990447addd9556c75dbba2dfd41c42cd22c14f0dd92b2685775bb04b8c561d34d793564e07edc922421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a933acb47347f3acfbe61dc611837f1

SHA1
0f971f7257c034fa64d9b6bcea2ea6962c48dfb7

SHA256
98f9484f576da87f1a99c6c495e2cd222e139d6867e8409cadde65ccbdb991dd

SHA512
74094c94c5864fbc99cb293d43ecd147686160c32c323ee0e3577e6d1b28b6a68c921cf3711c73c510eea5b6ce0b24268753dfc38b4f67f9a6a238bb4e8bef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e77f985-c7b2-464f-9645-e88c4fdf1580.vbs

Filesize
705B

MD5
90f490a8af448b4e17fa87a8bf4bf01e

SHA1
c9a5e3c4e4d30e530fc02606b44a3f353749311a

SHA256
44c8a2f55984621810f4d34676839a82fcf9a6118c62f11d1bbcc276c6af046c

SHA512
45f6d5548543cb80d773f1bd51302c6012b3a7d5c31049e75881db76ba436caedae6b9e3e4fe4b36e6874901600a86bf7a9c4c7b24d8a4d3750f4af9e5fae4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\698ca40a-53f2-40a2-9693-22153a4be1a7.vbs

Filesize
706B

MD5
c3e0b7dada30bb7f0edb7f50fa700560

SHA1
0e156137a8aaf3c99d7b0f82cbd0f4cfbb85c59d

SHA256
6c9d45c189fda4016eef82a52968424aa776b153136b51a91cb5c3e06689ed34

SHA512
5e8e4ce33c417a016eac54d545e6535bb2c5cfad1c78f8a112a8b2dfb97799eceb9474aa0625397a1e87a31e4cd3be511716443c26dd6c1583840b6882f9d1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c304c67-e28e-4ab5-a013-51d34eeba053.vbs

Filesize
482B

MD5
35d74cec7642839b60625462fffbff74

SHA1
55e03153c66f756880861390f04f4067dcf647fc

SHA256
9454bca218ed5ab4af4ba53a10fe4d89ed369694885141e3c1ff8bbf7365b90d

SHA512
bded3c9edabb76a417c2c287ff83f4f657aa18dda2c86643354ba4bff18886728f057d12a1dc27c0c6c5facd860b79129112c6827c627472f595fb9dee378072

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yrr3yan.ayy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a41878a1-1d98-40a4-ac9f-97af9f7eddc1.vbs

Filesize
706B

MD5
9f7f750074c65ef54d928086b11889bc

SHA1
11e226519848ee0b61f23d2c85ca3476021e4f0e

SHA256
991efa46d243e5f2b7a1cd4562f1370af7a1060095ecb6f485a727f39e4ed1c8

SHA512
90f9d95b5a105e7a48b97d0c37cbfc35651ab9c12a7b616337e1346fa492821c63b0ede4458ae739a770aadeec1f6491e83834b68cc9a81ae79dbe1dd4d7b357

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8071b6b-e2aa-48f4-9a7e-e91468e492ea.vbs

Filesize
705B

MD5
4ec61f64b1033f34491aaeacb71fd418

SHA1
831222ea8973143e7d551709d6b4ab253f29abbb

SHA256
ab044b7eeba9ff74f9daa866b7b8974f2ede6f3a6b1db2632593c599cb379d1c

SHA512
78681391c296b419dd644c91176132eb3cb2e513b9f7ed0640fae9d30e5d04112c84a3c36d24d3cb3cac1335863e4a349b70b209e48ed9ab4e8ebd6017cef5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3337201-8c3d-4365-b15f-ae3f73195841.vbs

Filesize
706B

MD5
a02f6c22443352c649c7171a39842e0f

SHA1
c5efea137ae6065cd07e1c2ec3d2f9cb66fd7a02

SHA256
4b79874fb32d65a5eff568244d6608e2480b7036c41672422e8f769c642b34ad

SHA512
8171b4788d935a58b4effbdbe3edbdb41805e614daafde3ecb90f632a5f6295692feb446fa6b58f73a280497948c6d0e9c466b5d134faccf3cdfc2f5f13f3593

Download Submit
C:\Users\Admin\AppData\Local\Temp\f25e85df-0b61-4c1d-a2fe-d61478b0ef26.vbs

Filesize
706B

MD5
71f6618aa2a66bf29ddb801dca05f57d

SHA1
280a80cf6527468b7bdba61bb88a10702ff57d65

SHA256
89a8b615cc333f7a337ee4c1dbcaaf17cf80eee75e71ee5ca2c88edf0488b929

SHA512
d507d9d21b233cc4f19a5f57f0973648dc76ebecc368e78f41f5d0cc3885dedeaf9e7efde2c6506a1c69a785d62ff420c7b2aa503140180e964d9fa39e4fe1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc6ec6d-38c4-4cd1-8a82-edb7b4044ce9.vbs

Filesize
706B

MD5
260e45ee5288300535ca29fbc0dfe564

SHA1
6876def0ed4324b495bf8b82ca7c624a2385846b

SHA256
4dfa4615066e513de14922fd487cf1ba91df9e0c482690410d0edb3f02e06eaf

SHA512
0c4212c3776ae8f6bd91fefc2ee36f1252f7bd9c298227ca5659fbcb7377f6d63351d30fadef12017e90b97497ae1b997694d4c8fb8e917eab87226f53670c75

Download Submit
C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe

Filesize
1.9MB

MD5
82aff6a3f0ad4533029392f48502a7e2

SHA1
f895f75e4ca2fa64ea2f7fc8026f7d45d6fb7a63

SHA256
40ea09eeb440e55f9020c374046c518009e516ee3efba244fa94fcf753325d61

SHA512
8f12d8f615b260cd390139a82bc8b8ec70bd383f7c0fc17df86c8edc6d1b2a902bb9c4f40209f7d096ff1ed8c1aac12806972ab14e4fe59248d152b7992134e7

Download Submit
C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RuntimeBroker.exe

Filesize
1.9MB

MD5
054e0e956d1b575adb8ccc99d163962d

SHA1
8ae61dfb0835f5d06d3e79e215698488082eb6f6

SHA256
f0773f25954d5c674905d6f16ffc9d3a8911f8d9ab220f6f2812dbe995f550a8

SHA512
f04fc939c47e6d0bb7bbc6a394c01ffe6a48bc357b52490ab062f26d37ff0edc42662cb82844a458cf6864213600616b6bec7c5784d17dea77d4e089caff0d62

Download Submit
memory/60-9-0x000000001C070000-0x000000001C0C6000-memory.dmp

Filesize
344KB

Download
memory/60-11-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/60-17-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

Filesize
56KB

Download
memory/60-16-0x000000001C290000-0x000000001C29A000-memory.dmp

Filesize
40KB

Download
memory/60-19-0x000000001C2C0000-0x000000001C2CC000-memory.dmp

Filesize
48KB

Download
memory/60-18-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/60-15-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/60-14-0x000000001CB60000-0x000000001D088000-memory.dmp

Filesize
5.2MB

Download
memory/60-1-0x0000000000C80000-0x0000000000E6A000-memory.dmp

Filesize
1.9MB

Download
memory/60-209-0x00007FFD1E350000-0x00007FFD1EE11000-memory.dmp

Filesize
10.8MB

Download
memory/60-13-0x0000000003020000-0x0000000003032000-memory.dmp

Filesize
72KB

Download
memory/60-20-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/60-10-0x0000000003000000-0x000000000300C000-memory.dmp

Filesize
48KB

Download
memory/60-0-0x00007FFD1E353000-0x00007FFD1E355000-memory.dmp

Filesize
8KB

Download
memory/60-4-0x000000001C020000-0x000000001C070000-memory.dmp

Filesize
320KB

Download
memory/60-7-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/60-8-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/60-6-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/60-5-0x0000000002FA0000-0x0000000002FA8000-memory.dmp

Filesize
32KB

Download
memory/60-3-0x0000000002F30000-0x0000000002F4C000-memory.dmp

Filesize
112KB

Download
memory/60-2-0x00007FFD1E350000-0x00007FFD1EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3928-167-0x00000297B2080000-0x00000297B20A2000-memory.dmp

Filesize
136KB

Download