5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

Analysis

max time kernel
125s
max time network
155s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Size

1.9MB
MD5

98666af3ef6ab2bcc4a5b3153a2e8d78
SHA1

b936c266aa4b4b85c113321fead31164955b8fa9
SHA256

91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6
SHA512

29ac1f9ad8331924e8fc7cb964b5e417d957b7597347103196739b520dd7523c2f5836830cb98976ccd1af298809bf1a5529c46f879f4dd563a91d215d67d238
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2752	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
2288	powershell.exe
2196	powershell.exe
2104	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Executes dropped EXE 9 IoCs

pid	Process
1456	services.exe
2736	services.exe
1708	services.exe
1632	services.exe
1464	services.exe
1124	services.exe
1624	services.exe
2176	services.exe
2200	services.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX2E34.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX2E35.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\services.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File created	C:\Windows\DigitalLocker\en-US\c5b4cb5e9653cc	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX30A6.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX30A7.tmp	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\services.exe	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
2888	schtasks.exe
2772	schtasks.exe
3012	schtasks.exe
3060	schtasks.exe
3004	schtasks.exe
3008	schtasks.exe
2700	schtasks.exe
1668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
2104	powershell.exe
2288	powershell.exe
2196	powershell.exe
2388	powershell.exe
1456	services.exe
2736	services.exe
1708	services.exe
1632	services.exe
1464	services.exe
1124	services.exe
1624	services.exe
2176	services.exe
2200	services.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1456	services.exe
Token: SeDebugPrivilege	2736	services.exe
Token: SeDebugPrivilege	1708	services.exe
Token: SeDebugPrivilege	1632	services.exe
Token: SeDebugPrivilege	1464	services.exe
Token: SeDebugPrivilege	1124	services.exe
Token: SeDebugPrivilege	1624	services.exe
Token: SeDebugPrivilege	2176	services.exe
Token: SeDebugPrivilege	2200	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2388	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	40
PID 2128 wrote to memory of 2388	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	40
PID 2128 wrote to memory of 2388	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	40
PID 2128 wrote to memory of 2288	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	41
PID 2128 wrote to memory of 2288	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	41
PID 2128 wrote to memory of 2288	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	41
PID 2128 wrote to memory of 2196	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	42
PID 2128 wrote to memory of 2196	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	42
PID 2128 wrote to memory of 2196	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	42
PID 2128 wrote to memory of 2104	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	43
PID 2128 wrote to memory of 2104	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	43
PID 2128 wrote to memory of 2104	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	43
PID 2128 wrote to memory of 1456	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	48
PID 2128 wrote to memory of 1456	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	48
PID 2128 wrote to memory of 1456	2128	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe	48
PID 1456 wrote to memory of 1672	1456	services.exe	49
PID 1456 wrote to memory of 1672	1456	services.exe	49
PID 1456 wrote to memory of 1672	1456	services.exe	49
PID 1456 wrote to memory of 1712	1456	services.exe	50
PID 1456 wrote to memory of 1712	1456	services.exe	50
PID 1456 wrote to memory of 1712	1456	services.exe	50
PID 1672 wrote to memory of 2736	1672	WScript.exe	51
PID 1672 wrote to memory of 2736	1672	WScript.exe	51
PID 1672 wrote to memory of 2736	1672	WScript.exe	51
PID 2736 wrote to memory of 1524	2736	services.exe	52
PID 2736 wrote to memory of 1524	2736	services.exe	52
PID 2736 wrote to memory of 1524	2736	services.exe	52
PID 2736 wrote to memory of 2996	2736	services.exe	53
PID 2736 wrote to memory of 2996	2736	services.exe	53
PID 2736 wrote to memory of 2996	2736	services.exe	53
PID 1524 wrote to memory of 1708	1524	WScript.exe	54
PID 1524 wrote to memory of 1708	1524	WScript.exe	54
PID 1524 wrote to memory of 1708	1524	WScript.exe	54
PID 1708 wrote to memory of 2472	1708	services.exe	55
PID 1708 wrote to memory of 2472	1708	services.exe	55
PID 1708 wrote to memory of 2472	1708	services.exe	55
PID 1708 wrote to memory of 3004	1708	services.exe	56
PID 1708 wrote to memory of 3004	1708	services.exe	56
PID 1708 wrote to memory of 3004	1708	services.exe	56
PID 2472 wrote to memory of 1632	2472	WScript.exe	57
PID 2472 wrote to memory of 1632	2472	WScript.exe	57
PID 2472 wrote to memory of 1632	2472	WScript.exe	57
PID 1632 wrote to memory of 1684	1632	services.exe	58
PID 1632 wrote to memory of 1684	1632	services.exe	58
PID 1632 wrote to memory of 1684	1632	services.exe	58
PID 1632 wrote to memory of 2552	1632	services.exe	59
PID 1632 wrote to memory of 2552	1632	services.exe	59
PID 1632 wrote to memory of 2552	1632	services.exe	59
PID 1684 wrote to memory of 1464	1684	WScript.exe	60
PID 1684 wrote to memory of 1464	1684	WScript.exe	60
PID 1684 wrote to memory of 1464	1684	WScript.exe	60
PID 1464 wrote to memory of 1812	1464	services.exe	61
PID 1464 wrote to memory of 1812	1464	services.exe	61
PID 1464 wrote to memory of 1812	1464	services.exe	61
PID 1464 wrote to memory of 2012	1464	services.exe	62
PID 1464 wrote to memory of 2012	1464	services.exe	62
PID 1464 wrote to memory of 2012	1464	services.exe	62
PID 1812 wrote to memory of 1124	1812	WScript.exe	63
PID 1812 wrote to memory of 1124	1812	WScript.exe	63
PID 1812 wrote to memory of 1124	1812	WScript.exe	63
PID 1124 wrote to memory of 1056	1124	services.exe	64
PID 1124 wrote to memory of 1056	1124	services.exe	64
PID 1124 wrote to memory of 1056	1124	services.exe	64
PID 1124 wrote to memory of 1612	1124	services.exe	65

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe
"C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\DigitalLocker\en-US\services.exe
  "C:\Windows\DigitalLocker\en-US\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fd6c93-9218-4050-bc4d-99ef3286d48c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\DigitalLocker\en-US\services.exe
      C:\Windows\DigitalLocker\en-US\services.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27d70155-d59d-4856-85ac-72a6650c36c1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71d48e9-32c5-43b2-87f6-b69e602b9282.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\286cebce-14df-4591-b20a-332d85beab93.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32981076-7356-49b2-af78-41cc62a1833f.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f018f5c3-6f87-4d20-a099-d960ab833683.vbs"
        13⤵
        
        PID:1056
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64641165-f8bc-41c2-ae23-5c8a82501b67.vbs"
        15⤵
        
        PID:2916
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562ff41f-d14c-4a6d-9764-8f3b879efb05.vbs"
        17⤵
        
        PID:2104
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd21653-8dd7-4b28-80d2-eb615cfcffb7.vbs"
        19⤵
        
        PID:1284
        
        C:\Windows\DigitalLocker\en-US\services.exe
        
        C:\Windows\DigitalLocker\en-US\services.exe
        20⤵
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\970939be-7cd9-44b3-8b1f-5ea495772b5d.vbs"
        21⤵
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82e2f5ce-3050-40a2-9743-172cb7b1ed57.vbs"
        21⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c471e33-b16e-4ee1-945b-4cafc311f08a.vbs"
        19⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9be24d5f-9c24-494b-9ae1-cc9f0314b089.vbs"
        17⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df6413b-9297-4b55-a447-92d286d96451.vbs"
        15⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb59bf3e-0077-46a0-8bc6-47a88a69b4b8.vbs"
        13⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\943f7cb8-e09b-40f3-93e7-159ab2d2a633.vbs"
        11⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b5d492f-2280-4210-9ca3-8214d3f47bbb.vbs"
        9⤵
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91cb94d0-ba36-44a9-bb5d-966d11f6b38d.vbs"
        7⤵
        
        PID:3004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7ed675-140d-4578-b2b0-c064687e88b8.vbs"
        5⤵
        
        PID:2996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8f288b0-72a5-482b-8437-1e6b4d44df54.vbs"
    3⤵
    PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27d70155-d59d-4856-85ac-72a6650c36c1.vbs

Filesize
719B

MD5
066d06f1109b277ad66883e0aaa15f67

SHA1
2d01237726bf3ca7c1abfdf521ea4978a2661941

SHA256
8aff2bca5b96057a3c3908727f31296b4c5c932fc32d38267cc5b7e68bf5e131

SHA512
6a3b277703d89878ef56a24571c550a8016ea200b43930f0c3a873831888abdeb67d05bb1753bdccc2427d49d3e41f9aa28329805582361dc083a1683d8583f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\286cebce-14df-4591-b20a-332d85beab93.vbs

Filesize
719B

MD5
d0d56abb7f7a0678a6c66f55d3e1c1dd

SHA1
39ebf59c7d97bf10d209f31af0a8b8bfb2ecbf04

SHA256
9224364c86c6894cc337e4bb3628f6eacde24dcb1aded7e34618b1fa49aa78d6

SHA512
828ed9ab5d31488f80228db441499ec61f8bb55d6314e3cd8a07215ac650ab3c98d42a0a41525854f2ff7ab04ab34f09a95328ed3889a9405dec6d1d1b9898d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\32981076-7356-49b2-af78-41cc62a1833f.vbs

Filesize
719B

MD5
edcab726f6fbbadacc60b2907e6f063f

SHA1
816f37c6d0236d3b639016ea7891f10dfa693c73

SHA256
c74ce725a284f2eff7f097cacfb3252667c429a53ece0bfb0d24b561e34fe3c0

SHA512
271b6096e25512ea3b766efb728375a789cb0d16393e2d7c805cccdb197418078582013b6bf112812124f1aacd2857f61bcba57b1171b0238b2f70677f3ebb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\562ff41f-d14c-4a6d-9764-8f3b879efb05.vbs

Filesize
719B

MD5
2693605f472c064de267677c635940a1

SHA1
09eea81b1707b00e198a6cbc4e5b69439425073f

SHA256
bb6b4574252873e053652395c988aa816b6177dad90dde2a6077b0742f4e13c9

SHA512
85e126381a350cf424a4f6bf2a6cced5de994a96ddf1666422ea5391ee1bca2cb2d0491221e5b5e1beed40b8cb0b7ef201f9e65c26897500edefc2f28a23bac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\64641165-f8bc-41c2-ae23-5c8a82501b67.vbs

Filesize
719B

MD5
d15944410d9e59647aabf9cfeda2b14c

SHA1
2ccdc3e815d6b593a3a1eadb59d8d4ece2e5022e

SHA256
dbca9c430999bcc0577fb94e3f7a57b4783608918e6cea2975fc82fba3e858ef

SHA512
771327bf2eb773861d2ce4800996659f2e4d2037973fd0adefa21d3e95e9afeebfc969b26d4f5585d8a36a14652c9f17dfbee08cec7be577ee62349b9f703444

Download Submit
C:\Users\Admin\AppData\Local\Temp\67fd6c93-9218-4050-bc4d-99ef3286d48c.vbs

Filesize
719B

MD5
ee060e1363826d9269da57e91eb3cc64

SHA1
58507cddddb6350f3bc32d580862e719e57c445e

SHA256
03b5ce8ec2ab919683cd7d02149af1fbc77e29801e9d9a8ee672a41677b52c8e

SHA512
2f9123a8f38dd0946fa7b44c0e23bc683bb325546116a55a2eeeb462c48a0d17b57cdf7a30625051c3f5bf6d70cb8a3e2f69357106ad0139438691b52ba50572

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dd21653-8dd7-4b28-80d2-eb615cfcffb7.vbs

Filesize
719B

MD5
12ca3a8215a22080a47b96c9277ade32

SHA1
b813c895cacdc033c128c40558b39e8018bc9caf

SHA256
0897a577f7b859aa7c2c02b0f2d850c6a988c1a3c9a557d678c2ea3040d8c809

SHA512
ee9a31d2972db9d4c983b05394046b986233b77070e68d5df14a03573524716307b2344a8d236f40c077bfb776e82caead556d62f2f232bf2b978cc88e0deb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\970939be-7cd9-44b3-8b1f-5ea495772b5d.vbs

Filesize
718B

MD5
19b2fce9eb03fc80e7c17e0b579893d7

SHA1
bbf22ae95fcf64e6da65f2cf28cb05dff4c6bba4

SHA256
aecba0bbd456c42d57af0d80eec1bcfa04c5ce05258d50ce4ee4d7e9616d3e2f

SHA512
f3ebb8935f94191debef2329f54fad4274be78c66cd3b3336acb5f14c29ec99be0d8c500000d73c5a181d9b7dd1666f1939325e8b20e3e325b3333ea61865be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX2C20.tmp

Filesize
1.9MB

MD5
98666af3ef6ab2bcc4a5b3153a2e8d78

SHA1
b936c266aa4b4b85c113321fead31164955b8fa9

SHA256
91d2e3f758fbb2c6c8e7b069bd3ac7a4d68e4f9dea0e71ff60bdbcd2ac9dd4f6

SHA512
29ac1f9ad8331924e8fc7cb964b5e417d957b7597347103196739b520dd7523c2f5836830cb98976ccd1af298809bf1a5529c46f879f4dd563a91d215d67d238

Download Submit
C:\Users\Admin\AppData\Local\Temp\c71d48e9-32c5-43b2-87f6-b69e602b9282.vbs

Filesize
719B

MD5
0cfff12f35253ac13631b3a32b2ac4f8

SHA1
c8036e35ad0688f3c70bf4a67add88906461b2cd

SHA256
e243cc4bca448c318e4e323719cbf967ecb102e9ed160e89418ca71526659bf6

SHA512
0790f1bd01a2022ced10367185b88c27948862e57256f8b5b111564999e2adfa2c7961407bd27394f21b223ff102a6fba3f29941dc2793860de2d6ab0c869ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8f288b0-72a5-482b-8437-1e6b4d44df54.vbs

Filesize
495B

MD5
3fd90a7c24d2c77f2d486a76b2c9b80c

SHA1
f3c630773979ab1700508de159cfc56d08fd0fdf

SHA256
71f1bed49f63f87c573856644621028ebd94a54f8631496b97f505b861dd47ee

SHA512
e6643450ab21c4206426d3e75cf25f2694332cfd9c7cc9063a5e54f6e578ef5bfbac4cd04a39d2b1e90ced45a3db7e91aa6f253988d5ff28d03679f5ad05d3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f018f5c3-6f87-4d20-a099-d960ab833683.vbs

Filesize
719B

MD5
c6205d18e939bd409be75bd26c98711e

SHA1
045ab5966e6a243fe4915c786055e6f57baa421c

SHA256
e50abf4190397f097423eef4d4b376afa0fe40080c735728c525d797ab5e23ed

SHA512
84e48b19f8340f77826559b1cbe0597fa89d0ee971befbbdf15801651d2083f1292fa524a7000263a570e3477b0974ff78ae785d3e3b2f146cb0cbf636faf12f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf043ecf8865d0781bb66c010735e3e3

SHA1
3e5f679bbc33b87ebe8588051464e5065e394d70

SHA256
140a68ed697987fa1af83e455ecd1a0b7cd6da064d225ed10db9c9faa8760f82

SHA512
bfd09c4a7e8e95070aa7e321b6fc51cfc8807101630d6b1b9caaaf9a03a975256bcd52470470ff22443842ccd6970806cd7301ea674bf691c0100810b3478218

Download Submit
memory/808-201-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1124-154-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1456-91-0x0000000000E00000-0x0000000000FEA000-memory.dmp

Filesize
1.9MB

Download
memory/1464-142-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1464-141-0x0000000001380000-0x000000000156A000-memory.dmp

Filesize
1.9MB

Download
memory/1632-129-0x00000000000C0000-0x00000000002AA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-116-0x0000000000330000-0x000000000051A000-memory.dmp

Filesize
1.9MB

Download
memory/1708-117-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/2104-90-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2128-14-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2128-15-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/2128-17-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/2128-18-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2128-1-0x0000000000180000-0x000000000036A000-memory.dmp

Filesize
1.9MB

Download
memory/2128-2-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-10-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2128-92-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2128-13-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2128-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2128-16-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2128-6-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2128-4-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2128-12-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2128-8-0x0000000000730000-0x0000000000786000-memory.dmp

Filesize
344KB

Download
memory/2128-0-0x000007FEF6103000-0x000007FEF6104000-memory.dmp

Filesize
4KB

Download
memory/2128-7-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/2128-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2176-177-0x0000000000200000-0x00000000003EA000-memory.dmp

Filesize
1.9MB

Download
memory/2196-87-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2200-189-0x0000000000E60000-0x000000000104A000-memory.dmp

Filesize
1.9MB

Download
memory/2736-104-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2736-103-0x0000000001100000-0x00000000012EA000-memory.dmp

Filesize
1.9MB

Download