189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Size

1.9MB
MD5

9f30385fab69f24df7f2e9403fb5465e
SHA1

1f9027f32b0ad3b0783679096649f9941bc7e802
SHA256

896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17
SHA512

3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5876	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	5328	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5328	schtasks.exe	87

UAC bypass 3 TTPs 21 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2472	powershell.exe
3756	powershell.exe
1656	powershell.exe
5896	powershell.exe
5972	powershell.exe
5160	powershell.exe
4760	powershell.exe
4420	powershell.exe
4308	powershell.exe
1592	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 6 IoCs

pid	Process
5584	dllhost.exe
6116	dllhost.exe
5652	dllhost.exe
3300	dllhost.exe
2524	dllhost.exe
1460	dllhost.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\RCX7D47.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Tasks\dllhost.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Fonts\9e8d7a4ca61bd9	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\ModemLogs\System.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Tasks\5940a34987c991	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\ModemLogs\27d1bcfc3c54e0	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Tasks\RCX7D46.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Fonts\RuntimeBroker.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Fonts\RuntimeBroker.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\ModemLogs\RCX86D4.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\ModemLogs\RCX86E4.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Fonts\RCX8966.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File opened for modification	C:\Windows\Fonts\RCX8986.tmp	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\Tasks\dllhost.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
File created	C:\Windows\ModemLogs\System.exe	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4616	schtasks.exe
4808	schtasks.exe
5876	schtasks.exe
4868	schtasks.exe
4708	schtasks.exe
4908	schtasks.exe
4828	schtasks.exe
4048	schtasks.exe
2084	schtasks.exe
4996	schtasks.exe
4132	schtasks.exe
2580	schtasks.exe
4900	schtasks.exe
4976	schtasks.exe
5012	schtasks.exe
4876	schtasks.exe
4848	schtasks.exe
4888	schtasks.exe
4800	schtasks.exe
4656	schtasks.exe
4640	schtasks.exe
4732	schtasks.exe
3580	schtasks.exe
1452	schtasks.exe
4840	schtasks.exe
5036	schtasks.exe
5988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
5972	powershell.exe
5972	powershell.exe
1656	powershell.exe
1656	powershell.exe
5896	powershell.exe
5896	powershell.exe
3756	powershell.exe
3756	powershell.exe
4420	powershell.exe
4420	powershell.exe
1592	powershell.exe
1592	powershell.exe
2472	powershell.exe
2472	powershell.exe
4760	powershell.exe
4760	powershell.exe
4308	powershell.exe
4308	powershell.exe
5160	powershell.exe
5160	powershell.exe
4760	powershell.exe
1592	powershell.exe
1656	powershell.exe
5972	powershell.exe
5896	powershell.exe
3756	powershell.exe
2472	powershell.exe
4420	powershell.exe
4308	powershell.exe
5160	powershell.exe
5584	dllhost.exe
5652	dllhost.exe
3300	dllhost.exe
2524	dllhost.exe
1460	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Token: SeDebugPrivilege	5972	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	5584	dllhost.exe
Token: SeDebugPrivilege	5652	dllhost.exe
Token: SeDebugPrivilege	3300	dllhost.exe
Token: SeDebugPrivilege	2524	dllhost.exe
Token: SeDebugPrivilege	1460	dllhost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3756	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	120
PID 232 wrote to memory of 3756	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	120
PID 232 wrote to memory of 5896	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	121
PID 232 wrote to memory of 5896	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	121
PID 232 wrote to memory of 1656	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	122
PID 232 wrote to memory of 1656	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	122
PID 232 wrote to memory of 4760	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	124
PID 232 wrote to memory of 4760	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	124
PID 232 wrote to memory of 5972	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	125
PID 232 wrote to memory of 5972	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	125
PID 232 wrote to memory of 4420	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	126
PID 232 wrote to memory of 4420	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	126
PID 232 wrote to memory of 4308	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	127
PID 232 wrote to memory of 4308	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	127
PID 232 wrote to memory of 2472	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	128
PID 232 wrote to memory of 2472	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	128
PID 232 wrote to memory of 5160	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	130
PID 232 wrote to memory of 5160	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	130
PID 232 wrote to memory of 1592	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	131
PID 232 wrote to memory of 1592	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	131
PID 232 wrote to memory of 5128	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	140
PID 232 wrote to memory of 5128	232	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe	140
PID 5128 wrote to memory of 3364	5128	cmd.exe	142
PID 5128 wrote to memory of 3364	5128	cmd.exe	142
PID 5128 wrote to memory of 5584	5128	cmd.exe	144
PID 5128 wrote to memory of 5584	5128	cmd.exe	144
PID 5584 wrote to memory of 6108	5584	dllhost.exe	146
PID 5584 wrote to memory of 6108	5584	dllhost.exe	146
PID 5584 wrote to memory of 4552	5584	dllhost.exe	147
PID 5584 wrote to memory of 4552	5584	dllhost.exe	147
PID 6108 wrote to memory of 6116	6108	WScript.exe	150
PID 6108 wrote to memory of 6116	6108	WScript.exe	150
PID 1704 wrote to memory of 5652	1704	WScript.exe	159
PID 1704 wrote to memory of 5652	1704	WScript.exe	159
PID 5652 wrote to memory of 4980	5652	dllhost.exe	160
PID 5652 wrote to memory of 4980	5652	dllhost.exe	160
PID 5652 wrote to memory of 1112	5652	dllhost.exe	161
PID 5652 wrote to memory of 1112	5652	dllhost.exe	161
PID 4980 wrote to memory of 3300	4980	WScript.exe	163
PID 4980 wrote to memory of 3300	4980	WScript.exe	163
PID 3300 wrote to memory of 4448	3300	dllhost.exe	164
PID 3300 wrote to memory of 4448	3300	dllhost.exe	164
PID 3300 wrote to memory of 536	3300	dllhost.exe	165
PID 3300 wrote to memory of 536	3300	dllhost.exe	165
PID 4448 wrote to memory of 2524	4448	WScript.exe	166
PID 4448 wrote to memory of 2524	4448	WScript.exe	166
PID 2524 wrote to memory of 5184	2524	dllhost.exe	167
PID 2524 wrote to memory of 5184	2524	dllhost.exe	167
PID 2524 wrote to memory of 4672	2524	dllhost.exe	168
PID 2524 wrote to memory of 4672	2524	dllhost.exe	168
PID 5184 wrote to memory of 1460	5184	WScript.exe	169
PID 5184 wrote to memory of 1460	5184	WScript.exe	169
PID 1460 wrote to memory of 3152	1460	dllhost.exe	170
PID 1460 wrote to memory of 3152	1460	dllhost.exe	170
PID 1460 wrote to memory of 4732	1460	dllhost.exe	171
PID 1460 wrote to memory of 4732	1460	dllhost.exe	171

System policy modification 1 TTPs 21 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
"C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pWeIzPTbmL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5128
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3364
- - C:\Windows\Tasks\dllhost.exe
    "C:\Windows\Tasks\dllhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46563a00-cd34-4061-a4b0-1fa20f7d20ce.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6108
    - - C:\Windows\Tasks\dllhost.exe
        
        C:\Windows\Tasks\dllhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:6116
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac3daec-57db-4991-9608-bd1bc236b4f9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\Tasks\dllhost.exe
        
        C:\Windows\Tasks\dllhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7466eddc-71d3-4805-8e5d-289433d3a929.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\Tasks\dllhost.exe
        
        C:\Windows\Tasks\dllhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ebfa81e-aec7-432d-ae35-9ee637f87a12.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\Tasks\dllhost.exe
        
        C:\Windows\Tasks\dllhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b304b7d-6209-42d0-83b0-96d6be79c261.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5184
        
        C:\Windows\Tasks\dllhost.exe
        
        C:\Windows\Tasks\dllhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8767651-aeb1-4a17-aa61-b58dec782bb2.vbs"
        14⤵
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0a499d9-ad0b-431b-815e-cb30c4cbdbee.vbs"
        14⤵
        
        PID:4732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\346dcbc8-85a8-4190-8ff2-a6e4f8ae7e71.vbs"
        12⤵
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b9efc5e-f3a6-4cce-aa08-470d1678479d.vbs"
        10⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6aa4ac-1bb9-42f0-add5-1492afd5e967.vbs"
        8⤵
        
        PID:1112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a7a50f-cbff-4ff2-a1f6-6af94f0c5bbf.vbs"
        6⤵
        
        PID:4764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\899a4f92-867f-45a3-8820-591bfc72fbeb.vbs"
      4⤵
      PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 6 /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17" /sc ONLOGON /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1806F366AD9D622F1071E6D1ACBA63E9; domain=.bing.com; expires=Thu, 16-Apr-2026 06:18:02 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3769F3AEBCB34CAABDA1F2C7434556AE Ref B: LON04EDGE0607 Ref C: 2025-03-22T06:18:02Z
date: Sat, 22 Mar 2025 06:18:01 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1806F366AD9D622F1071E6D1ACBA63E9

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=uRadCDkAFtzDa3xvTYDevr_YABOUwFy3AbPPk1rfvl0; domain=.bing.com; expires=Thu, 16-Apr-2026 06:18:02 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DDABCD5755274DA4804826077F18D801 Ref B: LON04EDGE0607 Ref C: 2025-03-22T06:18:02Z
date: Sat, 22 Mar 2025 06:18:02 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1806F366AD9D622F1071E6D1ACBA63E9; MSPTC=uRadCDkAFtzDa3xvTYDevr_YABOUwFy3AbPPk1rfvl0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 062BCBBD23584691873565629517E338 Ref B: LON04EDGE0607 Ref C: 2025-03-22T06:18:02Z
date: Sat, 22 Mar 2025 06:18:02 GMT
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 663065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1EE7E68E0BF043D9A38A422DA8A39CD3 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:42Z
date: Sat, 22 Mar 2025 06:18:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 594481
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5756064D187941439FA19A0B9196DD96 Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:42Z
date: Sat, 22 Mar 2025 06:18:42 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 606760
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7D2F9A8D8FD14E5498BA2B6446D6452D Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:45Z
date: Sat, 22 Mar 2025 06:18:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 640791
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 768DACF5AF3F4147B62523105AF0664E Ref B: LON04EDGE1008 Ref C: 2025-03-22T06:18:45Z
date: Sat, 22 Mar 2025 06:18:45 GMT
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.180.3
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.180.3:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Sat, 22 Mar 2025 05:59:32 GMT
Expires: Sat, 22 Mar 2025 06:49:32 GMT
Age: 1171
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

tls, http2

2.0kB
9.4kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c5e51c093acb48e98c1c76bb34600ff8&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

HTTP Response

204
46.3.197.86:80

dllhost.exe

260 B
200 B
5
5
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.7kB
7.8kB
18
14
150.171.28.10:443

tse1.mm.bing.net

tls, http2

2.0kB
7.8kB
19
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

92.4kB
2.6MB
1890
1880

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608910_1R4TEUG1LRQY39K7S&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360608909_1XWUMGMD2M0J0LDVR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

2.0kB
7.8kB
19
13
46.3.197.86:80

dllhost.exe

260 B
120 B
5
3
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
142.250.180.3:80

http://c.pki.goog/r/r1.crl

http

522 B
395 B
7
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
46.3.197.86:80

dllhost.exe

260 B
80 B
5
2
46.3.197.86:80

dllhost.exe

260 B
120 B
5
3
46.3.197.86:80

dllhost.exe

260 B
200 B
5
5
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
46.3.197.86:80

dllhost.exe

260 B
160 B
5
4
46.3.197.86:80

dllhost.exe

260 B
120 B
5
3

8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.180.3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

Filesize
1.9MB

MD5
6d3fc346713e89ca4b5245ca6464d320

SHA1
4ca2a82156e560a64bc1139d393c1ccee3382380

SHA256
6bf89b318cc2d02abe252e155e68ceb9377d84a72f110438b0c14afb0c7717d9

SHA512
65e0fed0cebf94cc03179e13221cfd1f0f3f46cf39ea763bc6b45260f0c429f4751f36df0eba72b1ca19889bae56bd7e8f335299b7152aceed9e50be25a19ce9

Download Submit
C:\900323d723f1dd1206\System.exe

Filesize
1.9MB

MD5
9f30385fab69f24df7f2e9403fb5465e

SHA1
1f9027f32b0ad3b0783679096649f9941bc7e802

SHA256
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17

SHA512
3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e452a0569a88103800ef1fdb9d028088

SHA1
b73c91d1a9b444033dd5824543c4b9e9538e379f

SHA256
c0f2157095cd92cebe6ea87b14b366ff5ff71ef681785ac8363b1ca59b0ca242

SHA512
5141bd6ceaaefae93e4663b8235ecb1ff87017c2ed1c5a1cfa249bb5d9b646d6d0493e1f85aebe4ae9bddfd2ff7210ada1217bb32d52a1ac582a2f6d636e08a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c7942d5130e519e28d6051f8513f7c4

SHA1
e768daf9cbd6a718a8a60c08c893ce1797cd86fb

SHA256
83042c329ad8e497403069fdb4718252bd97c127d4e04fae1977349d767c90a1

SHA512
c7456ee68bea337227d9ac5f20acdcce72abad524cc771f8d9e49e8ca8811a093d1972d88da72c612a865de9417c6dec258148ff94e739a50097b62415566bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ac71252a5ec972a71c8da205ce8b70ca

SHA1
7aecda992f788df0af9d62bf872a0bbe24ce28c6

SHA256
377b163bdf5d0c30ff2166c0d6ac4652acfbf9461339394b11ae9e5c855474a5

SHA512
77a842a39d0e25ed3000fa6dc99e56bb39ec8f19ee649d6368699384c61a01ce9e4d136e2b3a67a56f924986bcc42a18e60d2875117ed419ec4ca133414c1360

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b304b7d-6209-42d0-83b0-96d6be79c261.vbs

Filesize
704B

MD5
2ce1e543d712539bc3c867cf4c316997

SHA1
9b1562106bd8d23ebe5fbfe692ab61dbd5f803e2

SHA256
f91328f6198258552d88514aa97fb3c83af17203032e3312a7d8694c8a62b838

SHA512
47ecb6f4f4aeb9cf513d2ef971d7078bcb1a97d55dabe11bc6a7599a7d7a8f1e064f1fb217c386ff2156855330b4cbe21b0b9fee0e1a3a9fa7231c08ca8aab1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\46563a00-cd34-4061-a4b0-1fa20f7d20ce.vbs

Filesize
704B

MD5
df5ffad2773d3568f2b6018dbaaf6e5b

SHA1
cb10592a8c9622620bc36c1df2d9ab72c1dcee11

SHA256
1300b18dfeacd992b55a9f37f19a2502f52f72f0480b15a93689a0ebc1749684

SHA512
b9c077ae8f1304b4cdbe376299b2a2a82fd596c82b538dbce10b6e35b1a7f8401403bc1bac56cc6859af1cfaa7ba6f5deb4242cd9d5ec533764ffa86394bb209

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ebfa81e-aec7-432d-ae35-9ee637f87a12.vbs

Filesize
704B

MD5
5b99886eb55cebe1b79714b953633ec2

SHA1
9ccdf5e08e7d5c88401aa1bc811d065fc9f22262

SHA256
383a16a4c544fb04e11352fec9c7f9e6efd0c6411afc464027198c4fcf9a9caa

SHA512
05bf6b8c3bf53cab1d8110154e52630834590b34f0b9e881aba3cb960f09b2ba6ac5f42bd633efe96ef863831ca15e89c939392f85f5d1012d302de5b0897b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7466eddc-71d3-4805-8e5d-289433d3a929.vbs

Filesize
704B

MD5
8d78d98bfed50c8822d64a4123727644

SHA1
fd4c86f7da45093e5b3371c65045240598ea0f8a

SHA256
4a98593d20c63e78b9aba09ed5b1249393d249389e8b21c2e5690199811b2cd8

SHA512
aa6c6e592ca97626497824431cd2230bf8c2df89150cd5be81b3d336b2fe0a07cce52411a9d52a92565daecd4a5991e74de56dae5719faceb86d58a9623189c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\899a4f92-867f-45a3-8820-591bfc72fbeb.vbs

Filesize
480B

MD5
876996b45669af5dcaf6651b1632f96f

SHA1
e5d78c39baf94ddf2b996fee9c14386f62ffcd55

SHA256
df3d1f8bbbe47cdac26e6a08e251404e936623c87485702b4f170858cbb25365

SHA512
d4ee0208929f129387b8c41090a0b26157b59022c25e8085022f85fd0b0e208f33de96d325f05c5a6d5dad788535363e9a405d33fc9c6a09fee4019362c25aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzwl4iwp.klt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8767651-aeb1-4a17-aa61-b58dec782bb2.vbs

Filesize
704B

MD5
ce2fcbf6940139aa2f1ef6e2766f2c36

SHA1
956c4266e3556110cb24124be44f8d0bc3286b02

SHA256
ff0228a2ddbb038974d02f336de2a56d4122eb98559d9c615e2f8148ef524dc8

SHA512
f21c46fda1b56fd0e81fef08fa5bf8b3f9b09d2ec4fdc738437229eb057e45549830a01b1ca953bba5e9daad156a0ebd9e9dd982e1922da6aa4643ff813b3d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWeIzPTbmL.bat

Filesize
193B

MD5
f33ec99929cd3d2b91e4f70829dae7e3

SHA1
db2b16a1b58511dd1954b0b1f6f01f849cedab2a

SHA256
4ded7e00e380bd21d5d4c4c7906a93d0d79883248c9c58a9849ba91d7cd4c424

SHA512
789f61baa6ad9d7df87c2eb8f64da38f81bbbfd7014b7916cbef629e331bf8cdbc2197a67fc76bb03b611d1017a4674456356ca54bb529240a65b820c96bd738

Download Submit
C:\Users\Public\Desktop\dllhost.exe

Filesize
1.9MB

MD5
0d3dd83128c23a6c412751932b08494d

SHA1
4795c61babedebacbff327e1809eaaf2d2f3fd20

SHA256
ade08bc1cc1df48c957d5c2eecf99960e0ff5ad82ec11a0e24cb0d160b8f6d68

SHA512
9d2101d8b58e68684d239a623a7cc6f8e2c436e06f8d649761e180b12569bb8d3870a47603e44ebec9e8d00b4a4f9e2f5dccc4f2cd74961111e53f93725d479b

Download Submit
C:\Users\Public\Videos\sihost.exe

Filesize
1.9MB

MD5
5ed7126187c0d78ee16364b956d90bfe

SHA1
da470f645853982a06835a03f9dd6c9d141155bb

SHA256
2481d009255d1aee7c857ecafe7f180325607af84b15276033057bfa842a6e6c

SHA512
333a1274700aaeb2b128a0468635631da2e79278b7c64fb4e47330756cf84fced5bdf7e5f8d844b993a10c33bed42a40c3ead56f660ce093ba2f74810d18e9d4

Download Submit
memory/232-18-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/232-9-0x000000001AFC0000-0x000000001B016000-memory.dmp

Filesize
344KB

Download
memory/232-10-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/232-0-0x00007FFA878C3000-0x00007FFA878C5000-memory.dmp

Filesize
8KB

Download
memory/232-4-0x000000001AF70000-0x000000001AFC0000-memory.dmp

Filesize
320KB

Download
memory/232-153-0x00007FFA878C0000-0x00007FFA88381000-memory.dmp

Filesize
10.8MB

Download
memory/232-14-0x000000001C150000-0x000000001C678000-memory.dmp

Filesize
5.2MB

Download
memory/232-1-0x0000000000120000-0x000000000030A000-memory.dmp

Filesize
1.9MB

Download
memory/232-16-0x000000001B1E0000-0x000000001B1EA000-memory.dmp

Filesize
40KB

Download
memory/232-17-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

Filesize
56KB

Download
memory/232-19-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/232-5-0x0000000002430000-0x0000000002438000-memory.dmp

Filesize
32KB

Download
memory/232-3-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/232-8-0x0000000002470000-0x000000000247A000-memory.dmp

Filesize
40KB

Download
memory/232-20-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/232-2-0x00007FFA878C0000-0x00007FFA88381000-memory.dmp

Filesize
10.8MB

Download
memory/232-11-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/232-6-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/232-7-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/232-13-0x000000001B130000-0x000000001B142000-memory.dmp

Filesize
72KB

Download
memory/232-15-0x000000001B160000-0x000000001B16C000-memory.dmp

Filesize
48KB

Download
memory/1460-316-0x000000001BDC0000-0x000000001BE16000-memory.dmp

Filesize
344KB

Download
memory/3300-293-0x000000001B800000-0x000000001B812000-memory.dmp

Filesize
72KB

Download
memory/5584-268-0x0000000003200000-0x0000000003256000-memory.dmp

Filesize
344KB

Download
memory/5972-163-0x00000165A7D00000-0x00000165A7D22000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.