5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805bf5f6bd7c02b7949531ed13029fde.exe
Size

1.9MB
MD5

805bf5f6bd7c02b7949531ed13029fde
SHA1

5b05c1ba4b97b104772e683a75fe25ff527b6f57
SHA256

6a208a1038733f97141f540e04a2cd5a2f364191c341ef5c5bfdaa7e39f995f1
SHA512

bef22c52bc45b96377bdaaaacba0f623bf1b505fb75bd8c1352f873a30da76e78fb90ccd693a4f184365ff2818857ca386acbccd367318fd9063d188e52b3a69
SSDEEP

24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5416	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5672	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4636	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4636	schtasks.exe	87

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5680	powershell.exe
3032	powershell.exe
5636	powershell.exe
3112	powershell.exe
3644	powershell.exe
2924	powershell.exe
5184	powershell.exe
1376	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	805bf5f6bd7c02b7949531ed13029fde.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	805bf5f6bd7c02b7949531ed13029fde.exe

Executes dropped EXE 10 IoCs

pid	Process
4912	805bf5f6bd7c02b7949531ed13029fde.exe
5900	805bf5f6bd7c02b7949531ed13029fde.exe
5992	805bf5f6bd7c02b7949531ed13029fde.exe
5736	805bf5f6bd7c02b7949531ed13029fde.exe
4944	805bf5f6bd7c02b7949531ed13029fde.exe
4888	805bf5f6bd7c02b7949531ed13029fde.exe
2112	805bf5f6bd7c02b7949531ed13029fde.exe
432	805bf5f6bd7c02b7949531ed13029fde.exe
376	805bf5f6bd7c02b7949531ed13029fde.exe
844	805bf5f6bd7c02b7949531ed13029fde.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	805bf5f6bd7c02b7949531ed13029fde.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\6203df4a6bafc7	805bf5f6bd7c02b7949531ed13029fde.exe
File created	C:\Program Files (x86)\Google\Update\fontdrvhost.exe	805bf5f6bd7c02b7949531ed13029fde.exe
File created	C:\Program Files (x86)\Google\Update\5b884080fd4f94	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX99F6.tmp	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Google\Update\fontdrvhost.exe	805bf5f6bd7c02b7949531ed13029fde.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX9773.tmp	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX97F1.tmp	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX99F7.tmp	805bf5f6bd7c02b7949531ed13029fde.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe	805bf5f6bd7c02b7949531ed13029fde.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\c5b4cb5e9653cc	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\RCX9EBD.tmp	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\RCX9F3B.tmp	805bf5f6bd7c02b7949531ed13029fde.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe	805bf5f6bd7c02b7949531ed13029fde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	805bf5f6bd7c02b7949531ed13029fde.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3568	schtasks.exe
4648	schtasks.exe
5172	schtasks.exe
2268	schtasks.exe
4820	schtasks.exe
4796	schtasks.exe
3552	schtasks.exe
2064	schtasks.exe
1380	schtasks.exe
5164	schtasks.exe
5672	schtasks.exe
4812	schtasks.exe
5968	schtasks.exe
4956	schtasks.exe
4968	schtasks.exe
5416	schtasks.exe
3532	schtasks.exe
3864	schtasks.exe
4996	schtasks.exe
5004	schtasks.exe
4892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2956	805bf5f6bd7c02b7949531ed13029fde.exe
5680	powershell.exe
5680	powershell.exe
5636	powershell.exe
5636	powershell.exe
3112	powershell.exe
3112	powershell.exe
1376	powershell.exe
1376	powershell.exe
3644	powershell.exe
3644	powershell.exe
3032	powershell.exe
3032	powershell.exe
2924	powershell.exe
2924	powershell.exe
5184	powershell.exe
5184	powershell.exe
3112	powershell.exe
5680	powershell.exe
5636	powershell.exe
2924	powershell.exe
3032	powershell.exe
3644	powershell.exe
1376	powershell.exe
5184	powershell.exe
4912	805bf5f6bd7c02b7949531ed13029fde.exe
5900	805bf5f6bd7c02b7949531ed13029fde.exe
5992	805bf5f6bd7c02b7949531ed13029fde.exe
5992	805bf5f6bd7c02b7949531ed13029fde.exe
5736	805bf5f6bd7c02b7949531ed13029fde.exe
4944	805bf5f6bd7c02b7949531ed13029fde.exe
4888	805bf5f6bd7c02b7949531ed13029fde.exe
2112	805bf5f6bd7c02b7949531ed13029fde.exe
432	805bf5f6bd7c02b7949531ed13029fde.exe
376	805bf5f6bd7c02b7949531ed13029fde.exe
844	805bf5f6bd7c02b7949531ed13029fde.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	5680	powershell.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	4912	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	5900	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	5992	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	5736	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	4944	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	4888	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	2112	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	432	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	376	805bf5f6bd7c02b7949531ed13029fde.exe
Token: SeDebugPrivilege	844	805bf5f6bd7c02b7949531ed13029fde.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3112	2956	805bf5f6bd7c02b7949531ed13029fde.exe	113
PID 2956 wrote to memory of 3112	2956	805bf5f6bd7c02b7949531ed13029fde.exe	113
PID 2956 wrote to memory of 5636	2956	805bf5f6bd7c02b7949531ed13029fde.exe	114
PID 2956 wrote to memory of 5636	2956	805bf5f6bd7c02b7949531ed13029fde.exe	114
PID 2956 wrote to memory of 3032	2956	805bf5f6bd7c02b7949531ed13029fde.exe	116
PID 2956 wrote to memory of 3032	2956	805bf5f6bd7c02b7949531ed13029fde.exe	116
PID 2956 wrote to memory of 5680	2956	805bf5f6bd7c02b7949531ed13029fde.exe	117
PID 2956 wrote to memory of 5680	2956	805bf5f6bd7c02b7949531ed13029fde.exe	117
PID 2956 wrote to memory of 1376	2956	805bf5f6bd7c02b7949531ed13029fde.exe	119
PID 2956 wrote to memory of 1376	2956	805bf5f6bd7c02b7949531ed13029fde.exe	119
PID 2956 wrote to memory of 5184	2956	805bf5f6bd7c02b7949531ed13029fde.exe	120
PID 2956 wrote to memory of 5184	2956	805bf5f6bd7c02b7949531ed13029fde.exe	120
PID 2956 wrote to memory of 2924	2956	805bf5f6bd7c02b7949531ed13029fde.exe	121
PID 2956 wrote to memory of 2924	2956	805bf5f6bd7c02b7949531ed13029fde.exe	121
PID 2956 wrote to memory of 3644	2956	805bf5f6bd7c02b7949531ed13029fde.exe	122
PID 2956 wrote to memory of 3644	2956	805bf5f6bd7c02b7949531ed13029fde.exe	122
PID 2956 wrote to memory of 2920	2956	805bf5f6bd7c02b7949531ed13029fde.exe	129
PID 2956 wrote to memory of 2920	2956	805bf5f6bd7c02b7949531ed13029fde.exe	129
PID 2920 wrote to memory of 2740	2920	cmd.exe	131
PID 2920 wrote to memory of 2740	2920	cmd.exe	131
PID 2920 wrote to memory of 4912	2920	cmd.exe	133
PID 2920 wrote to memory of 4912	2920	cmd.exe	133
PID 4912 wrote to memory of 4840	4912	805bf5f6bd7c02b7949531ed13029fde.exe	135
PID 4912 wrote to memory of 4840	4912	805bf5f6bd7c02b7949531ed13029fde.exe	135
PID 4912 wrote to memory of 4956	4912	805bf5f6bd7c02b7949531ed13029fde.exe	136
PID 4912 wrote to memory of 4956	4912	805bf5f6bd7c02b7949531ed13029fde.exe	136
PID 4840 wrote to memory of 5900	4840	WScript.exe	137
PID 4840 wrote to memory of 5900	4840	WScript.exe	137
PID 5900 wrote to memory of 1836	5900	805bf5f6bd7c02b7949531ed13029fde.exe	138
PID 5900 wrote to memory of 1836	5900	805bf5f6bd7c02b7949531ed13029fde.exe	138
PID 5900 wrote to memory of 184	5900	805bf5f6bd7c02b7949531ed13029fde.exe	139
PID 5900 wrote to memory of 184	5900	805bf5f6bd7c02b7949531ed13029fde.exe	139
PID 1836 wrote to memory of 5992	1836	WScript.exe	145
PID 1836 wrote to memory of 5992	1836	WScript.exe	145
PID 5992 wrote to memory of 2600	5992	805bf5f6bd7c02b7949531ed13029fde.exe	146
PID 5992 wrote to memory of 2600	5992	805bf5f6bd7c02b7949531ed13029fde.exe	146
PID 5992 wrote to memory of 4444	5992	805bf5f6bd7c02b7949531ed13029fde.exe	147
PID 5992 wrote to memory of 4444	5992	805bf5f6bd7c02b7949531ed13029fde.exe	147
PID 2600 wrote to memory of 5736	2600	WScript.exe	151
PID 2600 wrote to memory of 5736	2600	WScript.exe	151
PID 5736 wrote to memory of 1868	5736	805bf5f6bd7c02b7949531ed13029fde.exe	152
PID 5736 wrote to memory of 1868	5736	805bf5f6bd7c02b7949531ed13029fde.exe	152
PID 5736 wrote to memory of 4560	5736	805bf5f6bd7c02b7949531ed13029fde.exe	153
PID 5736 wrote to memory of 4560	5736	805bf5f6bd7c02b7949531ed13029fde.exe	153
PID 1868 wrote to memory of 4944	1868	WScript.exe	154
PID 1868 wrote to memory of 4944	1868	WScript.exe	154
PID 4944 wrote to memory of 5828	4944	805bf5f6bd7c02b7949531ed13029fde.exe	155
PID 4944 wrote to memory of 5828	4944	805bf5f6bd7c02b7949531ed13029fde.exe	155
PID 4944 wrote to memory of 5912	4944	805bf5f6bd7c02b7949531ed13029fde.exe	156
PID 4944 wrote to memory of 5912	4944	805bf5f6bd7c02b7949531ed13029fde.exe	156
PID 5828 wrote to memory of 4888	5828	WScript.exe	158
PID 5828 wrote to memory of 4888	5828	WScript.exe	158
PID 4888 wrote to memory of 4984	4888	805bf5f6bd7c02b7949531ed13029fde.exe	159
PID 4888 wrote to memory of 4984	4888	805bf5f6bd7c02b7949531ed13029fde.exe	159
PID 4888 wrote to memory of 2468	4888	805bf5f6bd7c02b7949531ed13029fde.exe	160
PID 4888 wrote to memory of 2468	4888	805bf5f6bd7c02b7949531ed13029fde.exe	160
PID 4984 wrote to memory of 2112	4984	WScript.exe	161
PID 4984 wrote to memory of 2112	4984	WScript.exe	161
PID 2112 wrote to memory of 3160	2112	805bf5f6bd7c02b7949531ed13029fde.exe	162
PID 2112 wrote to memory of 3160	2112	805bf5f6bd7c02b7949531ed13029fde.exe	162
PID 2112 wrote to memory of 4876	2112	805bf5f6bd7c02b7949531ed13029fde.exe	163
PID 2112 wrote to memory of 4876	2112	805bf5f6bd7c02b7949531ed13029fde.exe	163
PID 3160 wrote to memory of 432	3160	WScript.exe	164
PID 3160 wrote to memory of 432	3160	WScript.exe	164

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	805bf5f6bd7c02b7949531ed13029fde.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	805bf5f6bd7c02b7949531ed13029fde.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\805bf5f6bd7c02b7949531ed13029fde.exe
"C:\Users\Admin\AppData\Local\Temp\805bf5f6bd7c02b7949531ed13029fde.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\805bf5f6bd7c02b7949531ed13029fde.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jYW78Z2iIt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2740
- - C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
    "C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4912
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10108e47-1a7c-4ba7-a4f3-2fc495e4bf09.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5900
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7f57e2-9f08-4273-b1a0-582de50f29a2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06aca050-19c5-4331-9510-47d26dde9008.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\854dc24e-63b1-44f5-bb10-12a892b15e42.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e550758a-983d-45b7-8f0c-243b4062185f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5828
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75374364-523c-4b2a-874b-f76999912947.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\117ad427-76be-47df-b8f8-55ad950866bc.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\800a4cd1-a615-4d08-932a-986cda8036fa.vbs"
        18⤵
        
        PID:2296
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239b9c35-6952-46ad-88c6-39bfe034664b.vbs"
        20⤵
        
        PID:2204
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        
        C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\013ad450-6bf2-40a6-9efe-55a72ca0ac53.vbs"
        22⤵
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d6c4c9-e0f7-4737-a3aa-ff48c825f141.vbs"
        22⤵
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf97fdc2-718a-4ecc-b276-ebb2a1233e01.vbs"
        20⤵
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1be6d568-9f67-443d-a8de-635a8063452c.vbs"
        18⤵
        
        PID:5652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8d19434-3c61-47fb-a2a6-a46b2f431d78.vbs"
        16⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3f8b7f-d479-44b8-b214-f70b645ad285.vbs"
        14⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\042b397d-1bab-445a-a0f4-df9382436c49.vbs"
        12⤵
        
        PID:5912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65696fd3-b05f-4c6b-ad68-9faa47da21a6.vbs"
        10⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2ee1571-4d0e-4281-a501-9bb3c9485383.vbs"
        8⤵
        
        PID:4444
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd3c284f-953f-4dff-b180-7a9bc027c901.vbs"
        6⤵
        
        PID:184
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c1a48a-72ff-4089-a125-ec3de72b5b14.vbs"
      4⤵
      PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "805bf5f6bd7c02b7949531ed13029fde8" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "805bf5f6bd7c02b7949531ed13029fde" /sc ONLOGON /tr "'C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "805bf5f6bd7c02b7949531ed13029fde8" /sc MINUTE /mo 6 /tr "'C:\60739cf6f660743813\805bf5f6bd7c02b7949531ed13029fde.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\900323d723f1dd1206\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\900323d723f1dd1206\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\900323d723f1dd1206\Idle.exe

Filesize
1.9MB

MD5
ccf1b34847c008d02a295228216067b8

SHA1
3edd1dbfd122558112b427559294f42ae08e8af4

SHA256
cb587063affae6b4dee966f78064a1f381824364b93c200b0475e4fc2b66757a

SHA512
1ac36d245fb6f0bbbdc72b67e1d6c34b139e7aecf643732189b5c6654b633d9f5c0a95627fc51d9cac7052101d7bec769d0bdd45c5fdbebad46fa4b342167909

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe

Filesize
1.9MB

MD5
665b9fa2621e92d0e1bd25cb0eca38f2

SHA1
f1aa89086f69e32ec767862b9a24396330d8c9ad

SHA256
7319f2902b7b0a8446e1a31be2addb5548a4032a398e5cc1de18d60fcc01aa25

SHA512
198394ebe8e02d30d7dcc59e786f3caaebaa20ae39aa909bd8aaf640dbfd11eac8950d2a2b27a6be28ed7a5cb7b6e47f69cd6248aa0be0249603422bcf48cfeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\805bf5f6bd7c02b7949531ed13029fde.exe.log

Filesize
1KB

MD5
364147c1feef3565925ea5b4ac701a01

SHA1
9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

SHA256
38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

SHA512
bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93771c301aacc738330a66a7e48b0c1b

SHA1
f7d7ac01f1f13620b1642d1638c1d212666abbae

SHA256
5512157a9ea31f455e244922910fcdb2b8116288d968b0e5e26c91b266d4de7c

SHA512
a51f43e335c8c6da130866115ee6d890f808379548b129e20e563c5ee0234cca186ecde4fd6bc609f0eba6e32b10d080f4f67483461cdd58ef0a60db78324309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44ae12563d9f97ac1136baee629673df

SHA1
38790549497302c43bd3ff6c5225e8c7054829e2

SHA256
b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb

SHA512
07cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\013ad450-6bf2-40a6-9efe-55a72ca0ac53.vbs

Filesize
733B

MD5
90918e1edfe4ee2a677f616f053ea162

SHA1
101a4aab3ebf86804fd6caabb537114f86d760a4

SHA256
31c185555fdb75b54e9049611d7db2d477f5d533d7a220a6107877687fa997d3

SHA512
d24e36b55f006ac2ea40ec3602e193a5fcceae48781ff785bde2d831bedea6ac0c37d4311abf53a5c19c818da0e0a78531f126d8db9a8d06218efa41057806bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\06aca050-19c5-4331-9510-47d26dde9008.vbs

Filesize
734B

MD5
01d85434ff9ff90762a7c4d9a7958403

SHA1
1a2500f4febd268c4fe6e5954dae06f149e26fcc

SHA256
213a0bc7a69c6d5d6d609d1bcc08a555773a795cf34bbf432137bc04b921eb40

SHA512
5fbcefc3184390e05ac98ec5aa722c43853d4580d31001770fc15fdbf911a8e3792af682bf5b001e55ecd7f0b0afbb141bcbccc29f950fed2e272a4cf4cace54

Download Submit
C:\Users\Admin\AppData\Local\Temp\10108e47-1a7c-4ba7-a4f3-2fc495e4bf09.vbs

Filesize
734B

MD5
c3a71445eedbcb09a30af13b963faffa

SHA1
b3dac54b5aacc7fcdf6469460779ecd435f9c062

SHA256
3018c12488ddcb9b004567fa8abf8bd288572e5d9c911a4c9aa9cb3aee9b9ea8

SHA512
5d53853d05868cc96db19e92f629187d710c5caca18a5c837c2889a1510c0f351758c7e96141d62a7e4d85fd98fcdaf37fbe6201e7cd872028f8cc225ec22ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\117ad427-76be-47df-b8f8-55ad950866bc.vbs

Filesize
734B

MD5
95fe080c6a08d5bd88d76b4537bbddb2

SHA1
17f95c4dbf09d31dc3b76b28c92c35e35468e668

SHA256
0df3aa491f3aeadce69b8813ebcb0e8b5d3bd7cf26c8090e4244dd38b80ee756

SHA512
eb790605ccb4fddb3d79801265e52177f024eb47c089dd25444376e563f0c3a1ca23e674552672423fe939490d6ff6ac4899d2849839e833fe30b0c1d6f09379

Download Submit
C:\Users\Admin\AppData\Local\Temp\239b9c35-6952-46ad-88c6-39bfe034664b.vbs

Filesize
733B

MD5
3336abbff7ff20da88c0b79f07216ae4

SHA1
d5a1137e1b9c02bbaea56b4e8501a5cf4da88923

SHA256
e07152c21bc36b03c99bdbb252fa14e558287c5c46cda8c829f8bf378c8177a4

SHA512
4f8601c880089b7248c30fc265adb7b6cd39b40e9128e5355b115cb277a2edd1577e225d836ea716e055b7543793e78a4c5d21833e4042035f02b4bfa146bca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\75374364-523c-4b2a-874b-f76999912947.vbs

Filesize
734B

MD5
540e31f63b68501cc688b1e2525650bc

SHA1
620e5f5e43f96d0cc7fb4419cae91a55c45c91a5

SHA256
13f6639034a33b77d8145796cc8c48f00a84edbcc2f5043480079156b400a503

SHA512
b1e119bf5c5da990a13a7455d1cba7ffab240f36750427d2ebc6873fc155549469bcbd0b489b58d78b39fbc8da8a7c0f81a70c7b1b7ab5e5673121ef6eb7c96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\800a4cd1-a615-4d08-932a-986cda8036fa.vbs

Filesize
733B

MD5
2c578137b513f042ca85bba1661d0f0e

SHA1
0b49726c94dfe7268b09c73d6c7a887afd842c63

SHA256
8aba0af3357f888897ae318528bdd5a6b42a4e53c4eed0ebc50cdd33a1ad5fdb

SHA512
985b376921652868b920b08390fb8c4f971aba7d64f94174c93542e4940a78de30b4adb4c63aae1e762cba090703da575e48d1f79f723e0460c7a07a052e1787

Download Submit
C:\Users\Admin\AppData\Local\Temp\854dc24e-63b1-44f5-bb10-12a892b15e42.vbs

Filesize
734B

MD5
73e529af36800ccedc4544453a5c8bb0

SHA1
751b778df38965b4beb5e528755d426361d303a5

SHA256
150190268f99e984be06e849ac91358c593a8ca4322ea53e5624b32ce1c9375e

SHA512
c299f88fd068b6745e6c42368ed8beb1d5d3805ad6ce85e53ecd49a57991009fcb59d1b507fdfe58167c4c5fb53713937cbd5ccb4262aaad1bfcf271b796564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pzai3ana.2zb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6c1a48a-72ff-4089-a125-ec3de72b5b14.vbs

Filesize
510B

MD5
86720626ac6e92ed977e943bb4b3defa

SHA1
427cf4371497f51c40f6bab320d4e3aa1c670214

SHA256
023d098f59a627c47b9ccb257640525ccdb66614ea63daa32815432d07f1c356

SHA512
c70f4f76754beedd8ab376722a5f46683334adfafacb36088c0bd7ef222f070b9c767e82fcf2ef6996a327ee760a894d5a979ada9f2d4bafd9432bba8bae9c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\e550758a-983d-45b7-8f0c-243b4062185f.vbs

Filesize
734B

MD5
53a983ccf02737fccfa548da47206361

SHA1
40087851e8f51ebd4e5fe1752a8d297ef114a358

SHA256
543cea6f45b7072c147b09d76852aa70fa198f3c866a074374252e2954408b34

SHA512
2638be2d891baf3ebb13e4277e67fcd64c318a4689816757116b0466cd382c1438815b0034d62ae9ae5c5a9083464c36ae48b8cdbb0d3654e5405fdb995e44df

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa7f57e2-9f08-4273-b1a0-582de50f29a2.vbs

Filesize
734B

MD5
a1ce80871fd0266854837e5d0bd486b8

SHA1
d23e572ff5f7cc489e9a6898368f03c265579662

SHA256
9e0be6ba919e1154f51b2ad452879f3b1cfd509d60ac7b64bf28a325c88c213f

SHA512
bb62e37086015ff80ca644813a2d4ad7241be2234999613e0b4191b37aaba7a9848fba5d9349b486a86947d38622175742737030557e59fb7a62a8140fe0fc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYW78Z2iIt.bat

Filesize
223B

MD5
5696acca990f94713d13578a773a1a2f

SHA1
4d55938e6235bd9e97d625bc58f3a0ff0bdb4990

SHA256
35effa3b385c88508c4919de287174eded79b1138b7be030a65d2b21e3c83b9e

SHA512
ee3144f71e546de30957bcb46a6b233ca56c4d7699414818565e0bb2e6ca42831ffc8c25acf56fa5b2d86b359a90a3470d100521b3456d69aa3e22546041eac2

Download Submit
C:\Users\Admin\AppData\Local\fontdrvhost.exe

Filesize
1.9MB

MD5
805bf5f6bd7c02b7949531ed13029fde

SHA1
5b05c1ba4b97b104772e683a75fe25ff527b6f57

SHA256
6a208a1038733f97141f540e04a2cd5a2f364191c341ef5c5bfdaa7e39f995f1

SHA512
bef22c52bc45b96377bdaaaacba0f623bf1b505fb75bd8c1352f873a30da76e78fb90ccd693a4f184365ff2818857ca386acbccd367318fd9063d188e52b3a69

Download Submit
C:\Windows\ServiceProfiles\LocalService\Downloads\services.exe

Filesize
1.9MB

MD5
8d147b1e6312673ab325f6af1def6dc1

SHA1
c5d39c6062910ca4fe12438627bb5da10200ecb3

SHA256
09bf0ddf51e1af3db7f200501362339899b78df451e11f58080cf1613cd15705

SHA512
78a620d95608b0d7213ad0d4e23e262037d28330b108553e22af96883d7cdd5518072c62290b297069220a1a6715f2cf90a352cafaf0d4d60bddabd02ff99e51

Download Submit
memory/844-333-0x000000001C2F0000-0x000000001C3F2000-memory.dmp

Filesize
1.0MB

Download
memory/2956-11-0x000000001B350000-0x000000001B358000-memory.dmp

Filesize
32KB

Download
memory/2956-1-0x0000000000450000-0x000000000063A000-memory.dmp

Filesize
1.9MB

Download
memory/2956-10-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/2956-141-0x00007FFB48DF0000-0x00007FFB498B1000-memory.dmp

Filesize
10.8MB

Download
memory/2956-14-0x000000001C3E0000-0x000000001C908000-memory.dmp

Filesize
5.2MB

Download
memory/2956-16-0x000000001BA60000-0x000000001BA6A000-memory.dmp

Filesize
40KB

Download
memory/2956-17-0x000000001BA70000-0x000000001BA7E000-memory.dmp

Filesize
56KB

Download
memory/2956-18-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/2956-19-0x000000001BA90000-0x000000001BA9C000-memory.dmp

Filesize
48KB

Download
memory/2956-20-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/2956-15-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/2956-13-0x000000001B360000-0x000000001B372000-memory.dmp

Filesize
72KB

Download
memory/2956-5-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/2956-9-0x000000001B300000-0x000000001B356000-memory.dmp

Filesize
344KB

Download
memory/2956-6-0x000000001B150000-0x000000001B160000-memory.dmp

Filesize
64KB

Download
memory/2956-8-0x000000001B180000-0x000000001B18A000-memory.dmp

Filesize
40KB

Download
memory/2956-7-0x000000001B160000-0x000000001B176000-memory.dmp

Filesize
88KB

Download
memory/2956-4-0x000000001B2B0000-0x000000001B300000-memory.dmp

Filesize
320KB

Download
memory/2956-3-0x00000000026B0000-0x00000000026CC000-memory.dmp

Filesize
112KB

Download
memory/2956-2-0x00007FFB48DF0000-0x00007FFB498B1000-memory.dmp

Filesize
10.8MB

Download
memory/2956-0-0x00007FFB48DF3000-0x00007FFB48DF5000-memory.dmp

Filesize
8KB

Download
memory/3112-126-0x000001E7E7310000-0x000001E7E7332000-memory.dmp

Filesize
136KB

Download
memory/4888-278-0x0000000003170000-0x00000000031C6000-memory.dmp

Filesize
344KB

Download
memory/5736-255-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

Filesize
72KB

Download
memory/5992-243-0x000000001BC60000-0x000000001BCB6000-memory.dmp

Filesize
344KB

Download