4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Size

1.9MB
MD5

f98ee08aed6b41b1f9e6e1ca752d22cc
SHA1

0ad8d0bac5c76e5f79ba872cf3ae18a6717ee6dd
SHA256

82db60e8849ee07cae78c7f49afbbed2e3544618bfcd5d01daf09b120e97b1e0
SHA512

63dcfc32399062ec5bb65a3a579c75a86bd80bc9bae28d63ff5df3510ef319a5e3237629fcea17232cdbaf96bca0347cd8d8b7669698188cbf08bdc2f3caed5a
SSDEEP

24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5148	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6004	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4472	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4472	schtasks.exe	84

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5424	powershell.exe
5888	powershell.exe
1144	powershell.exe
1248	powershell.exe
4148	powershell.exe
4184	powershell.exe
3972	powershell.exe
5600	powershell.exe
1652	powershell.exe
6044	powershell.exe
4892	powershell.exe
1740	powershell.exe
1896	powershell.exe
5376	powershell.exe
1744	powershell.exe
2632	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f98ee08aed6b41b1f9e6e1ca752d22cc.exe

Executes dropped EXE 10 IoCs

pid	Process
4188	Idle.exe
3776	Idle.exe
1848	Idle.exe
2044	Idle.exe
5824	Idle.exe
4708	Idle.exe
6100	Idle.exe
4348	Idle.exe
4876	Idle.exe
4356	Idle.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\5940a34987c991	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File created	C:\Program Files\Windows Mail\29c1c3cc0f7685	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX512A.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\dllhost.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Java\RCX5F6F.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Java\fontdrvhost.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Windows Mail\RCX65EC.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX50BC.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File created	C:\Program Files (x86)\Google\Update\dllhost.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File created	C:\Program Files\Java\fontdrvhost.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Java\RCX5F6E.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Windows Mail\unsecapp.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File created	C:\Program Files\Java\5b884080fd4f94	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File created	C:\Program Files\Windows Mail\unsecapp.exe	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
File opened for modification	C:\Program Files\Windows Mail\RCX665B.tmp	f98ee08aed6b41b1f9e6e1ca752d22cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5276	schtasks.exe
4448	schtasks.exe
5288	schtasks.exe
5788	schtasks.exe
5104	schtasks.exe
2120	schtasks.exe
6004	schtasks.exe
5776	schtasks.exe
2032	schtasks.exe
5700	schtasks.exe
5020	schtasks.exe
4816	schtasks.exe
1916	schtasks.exe
4576	schtasks.exe
5160	schtasks.exe
1920	schtasks.exe
5548	schtasks.exe
5148	schtasks.exe
2860	schtasks.exe
3080	schtasks.exe
1156	schtasks.exe
4864	schtasks.exe
2060	schtasks.exe
5000	schtasks.exe
788	schtasks.exe
5368	schtasks.exe
4000	schtasks.exe
912	schtasks.exe
780	schtasks.exe
3720	schtasks.exe
2724	schtasks.exe
3660	schtasks.exe
3268	schtasks.exe
2576	schtasks.exe
2432	schtasks.exe
2672	schtasks.exe
4056	schtasks.exe
752	schtasks.exe
4920	schtasks.exe
3324	schtasks.exe
2168	schtasks.exe
1800	schtasks.exe
2972	schtasks.exe
4588	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
5888	powershell.exe
5888	powershell.exe
1744	powershell.exe
1744	powershell.exe
4184	powershell.exe
4184	powershell.exe
1896	powershell.exe
1896	powershell.exe
3972	powershell.exe
3972	powershell.exe
5600	powershell.exe
5600	powershell.exe
5376	powershell.exe
5376	powershell.exe
4148	powershell.exe
4148	powershell.exe
6044	powershell.exe
6044	powershell.exe
1740	powershell.exe
1740	powershell.exe
4892	powershell.exe
4892	powershell.exe
5424	powershell.exe
5424	powershell.exe
2632	powershell.exe
2632	powershell.exe
1144	powershell.exe
1144	powershell.exe
1248	powershell.exe
1248	powershell.exe
1652	powershell.exe
1652	powershell.exe
5424	powershell.exe
1248	powershell.exe
1652	powershell.exe
5888	powershell.exe
5888	powershell.exe
4148	powershell.exe
1896	powershell.exe
1896	powershell.exe
1744	powershell.exe
1744	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	5600	powershell.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	4188	Idle.exe
Token: SeDebugPrivilege	3776	Idle.exe
Token: SeDebugPrivilege	1848	Idle.exe
Token: SeDebugPrivilege	2044	Idle.exe
Token: SeDebugPrivilege	5824	Idle.exe
Token: SeDebugPrivilege	4708	Idle.exe
Token: SeDebugPrivilege	6100	Idle.exe
Token: SeDebugPrivilege	4348	Idle.exe
Token: SeDebugPrivilege	4876	Idle.exe
Token: SeDebugPrivilege	4356	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4148	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	130
PID 3528 wrote to memory of 4148	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	130
PID 3528 wrote to memory of 4184	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	131
PID 3528 wrote to memory of 4184	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	131
PID 3528 wrote to memory of 5424	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	132
PID 3528 wrote to memory of 5424	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	132
PID 3528 wrote to memory of 1740	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	133
PID 3528 wrote to memory of 1740	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	133
PID 3528 wrote to memory of 5888	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	134
PID 3528 wrote to memory of 5888	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	134
PID 3528 wrote to memory of 3972	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	135
PID 3528 wrote to memory of 3972	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	135
PID 3528 wrote to memory of 1896	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	136
PID 3528 wrote to memory of 1896	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	136
PID 3528 wrote to memory of 5376	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	137
PID 3528 wrote to memory of 5376	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	137
PID 3528 wrote to memory of 1744	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	138
PID 3528 wrote to memory of 1744	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	138
PID 3528 wrote to memory of 1144	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	139
PID 3528 wrote to memory of 1144	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	139
PID 3528 wrote to memory of 1248	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	140
PID 3528 wrote to memory of 1248	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	140
PID 3528 wrote to memory of 4892	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	141
PID 3528 wrote to memory of 4892	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	141
PID 3528 wrote to memory of 5600	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	142
PID 3528 wrote to memory of 5600	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	142
PID 3528 wrote to memory of 1652	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	143
PID 3528 wrote to memory of 1652	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	143
PID 3528 wrote to memory of 6044	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	144
PID 3528 wrote to memory of 6044	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	144
PID 3528 wrote to memory of 2632	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	145
PID 3528 wrote to memory of 2632	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	145
PID 3528 wrote to memory of 4968	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	162
PID 3528 wrote to memory of 4968	3528	f98ee08aed6b41b1f9e6e1ca752d22cc.exe	162
PID 4968 wrote to memory of 3880	4968	cmd.exe	164
PID 4968 wrote to memory of 3880	4968	cmd.exe	164
PID 4968 wrote to memory of 4188	4968	cmd.exe	165
PID 4968 wrote to memory of 4188	4968	cmd.exe	165
PID 4188 wrote to memory of 6088	4188	Idle.exe	166
PID 4188 wrote to memory of 6088	4188	Idle.exe	166
PID 4188 wrote to memory of 5416	4188	Idle.exe	167
PID 4188 wrote to memory of 5416	4188	Idle.exe	167
PID 6088 wrote to memory of 3776	6088	WScript.exe	168
PID 6088 wrote to memory of 3776	6088	WScript.exe	168
PID 3776 wrote to memory of 4732	3776	Idle.exe	169
PID 3776 wrote to memory of 4732	3776	Idle.exe	169
PID 3776 wrote to memory of 3504	3776	Idle.exe	170
PID 3776 wrote to memory of 3504	3776	Idle.exe	170
PID 4732 wrote to memory of 1848	4732	WScript.exe	171
PID 4732 wrote to memory of 1848	4732	WScript.exe	171
PID 1848 wrote to memory of 5776	1848	Idle.exe	172
PID 1848 wrote to memory of 5776	1848	Idle.exe	172
PID 1848 wrote to memory of 2732	1848	Idle.exe	173
PID 1848 wrote to memory of 2732	1848	Idle.exe	173
PID 5776 wrote to memory of 2044	5776	WScript.exe	174
PID 5776 wrote to memory of 2044	5776	WScript.exe	174
PID 2044 wrote to memory of 1612	2044	Idle.exe	175
PID 2044 wrote to memory of 1612	2044	Idle.exe	175
PID 2044 wrote to memory of 5016	2044	Idle.exe	176
PID 2044 wrote to memory of 5016	2044	Idle.exe	176
PID 1612 wrote to memory of 5824	1612	WScript.exe	177
PID 1612 wrote to memory of 5824	1612	WScript.exe	177
PID 5824 wrote to memory of 1388	5824	Idle.exe	178
PID 5824 wrote to memory of 1388	5824	Idle.exe	178

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f98ee08aed6b41b1f9e6e1ca752d22cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe
"C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f98ee08aed6b41b1f9e6e1ca752d22cc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\9b8315d930f1ea91625c94a3\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\27ff7d19dedaaeb396341ab909de29f5\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\27ff7d19dedaaeb396341ab909de29f5\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\27ff7d19dedaaeb396341ab909de29f5\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\9b8315d930f1ea91625c94a3\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\9b8315d930f1ea91625c94a3\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3880
- - C:\Users\Admin\Idle.exe
    "C:\Users\Admin\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4188
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2fd0af2-3e9f-4a84-acbb-712ce5ae52a7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6088
    - - C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a62e8b10-75bb-4680-8ea0-af954ee3c88c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df891a96-3cfe-49d9-a112-ed87b30962fe.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b38c3e-2d29-46b9-a69d-109700769a5e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e38af3-4697-48b2-abc0-96f7c2170602.vbs"
        12⤵
        
        PID:1388
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48495976-38ba-4f6c-84f6-5d0b6c9969ac.vbs"
        14⤵
        
        PID:3552
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\662fb68f-e83b-449e-baca-151b4cba72cb.vbs"
        16⤵
        
        PID:4236
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d66ce7-5553-447c-84b9-b5115ffdf075.vbs"
        18⤵
        
        PID:4412
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ceb908-af9d-4bfd-8ccb-0f9f5830ff33.vbs"
        20⤵
        
        PID:4736
        
        C:\Users\Admin\Idle.exe
        
        C:\Users\Admin\Idle.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bad7903a-4e14-4ea6-a92d-84d321701ad1.vbs"
        22⤵
        
        PID:3484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f924f749-0321-47a1-bbb8-356acebe53ea.vbs"
        22⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49164757-1aae-43fd-879f-bdebaa26169a.vbs"
        20⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cd6eb58-8de2-416c-b3cf-460fd788ffa5.vbs"
        18⤵
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bad7c1cc-3e15-4d2d-b39f-d6e166edda71.vbs"
        16⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2a8d4c-ec1c-4224-a58e-f16f1be8e099.vbs"
        14⤵
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1f03369-0d47-48cd-9363-d7ff0670f1f3.vbs"
        12⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e195b30c-b008-404e-a7df-4d3db5affcd1.vbs"
        10⤵
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c32b003-ae38-4020-b2e7-19074eabad70.vbs"
        8⤵
        
        PID:2732
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbbe9ad4-7f6e-4fc3-8ade-388a07d96804.vbs"
        6⤵
        
        PID:3504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1323616b-ac34-4aa8-a71c-fafddbc16499.vbs"
      4⤵
      PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\9b8315d930f1ea91625c94a3\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\9b8315d930f1ea91625c94a3\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\9b8315d930f1ea91625c94a3\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\27ff7d19dedaaeb396341ab909de29f5\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\9b8315d930f1ea91625c94a3\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\9b8315d930f1ea91625c94a3\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\9b8315d930f1ea91625c94a3\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\9b8315d930f1ea91625c94a3\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\9b8315d930f1ea91625c94a3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\9b8315d930f1ea91625c94a3\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\27ff7d19dedaaeb396341ab909de29f5\backgroundTaskHost.exe

Filesize
1.9MB

MD5
c198ee067ef8da44d0f07f1b12860dd7

SHA1
4637e6c99204877cbb7c41003013aba1d2d17a1b

SHA256
d4ffb7997e50bd4fe08a74739be8effe80b16829cf5937249c8f9bd3668aeb6c

SHA512
77104a19d7a44c2413f24a220c6605829e07ecdd15dab0bc6189754bf288bfe1cebd4df8ab29890e4acde5b90e59dba2e7b6053ac1d68e4e965838f458faa40f

Download Submit
C:\27ff7d19dedaaeb396341ab909de29f5\sihost.exe

Filesize
1.9MB

MD5
4a8a20d91f8e8f30d7321b951d01f0db

SHA1
eac5ba41cc312e17fb04c67818b9b5360e1e3e3c

SHA256
3a3064f7151b12cd60d222b0380f9654238768945826467e9381b2063c4cf782

SHA512
6fd78dde36f6bedc7f397d74b8bdc5296db763eaeecc8f48586b972fc2aaed744436db00fa40f19d6863c47748de1025ace3025e38c0528bb14b434a5ab5f850

Download Submit
C:\Program Files (x86)\Google\Update\dllhost.exe

Filesize
1.9MB

MD5
218932319d775528b55dd7731b2b95a3

SHA1
612415fc56c2027247a1c1bafb1570a6e64d9c09

SHA256
5bdc8e020a694958cbbc189bcdea00b7b96222991ac98397ae4c5b7c2ce1dab8

SHA512
6df972cf70aabfb968cfb993dc6f464c63f895dcdd4a479d6bb7d8b5169a66e49dc2f584025133197d5ec39452f91f47e0c166911310c284c0350ae48b6a720a

Download Submit
C:\Program Files\Windows Mail\unsecapp.exe

Filesize
1.9MB

MD5
230b36f5708bd048ea8bac15427837da

SHA1
e541f07cbde46609a6a4d6e810e5db5f123d3eb4

SHA256
57f42efb6ca792f38ff11614025872029dc9f2fb2e5ef2d6ace8e97ddd2ce0e9

SHA512
c22300ea36756ca75ebd8d90a468e2f21e8b83f34f910957a6d8e61da5d291fcf88c5c2ae4f7f8f9de05abbfe9f52441610a8abc39af7f30e3d3ce7269d4353b

Download Submit
C:\Recovery\WindowsRE\SearchHost.exe

Filesize
1.9MB

MD5
f98ee08aed6b41b1f9e6e1ca752d22cc

SHA1
0ad8d0bac5c76e5f79ba872cf3ae18a6717ee6dd

SHA256
82db60e8849ee07cae78c7f49afbbed2e3544618bfcd5d01daf09b120e97b1e0

SHA512
63dcfc32399062ec5bb65a3a579c75a86bd80bc9bae28d63ff5df3510ef319a5e3237629fcea17232cdbaf96bca0347cd8d8b7669698188cbf08bdc2f3caed5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
4ec34effb845be5fed216a46039c8aae

SHA1
3e3efc8b3293ff05b9afe71889b29b98c51df9f7

SHA256
5fd59f9d3eb95ac44c3d9fbc6c9ffe35ef1ece4fee25a82674374e65c951d5f0

SHA512
510241adf11171e8f66a2775ec437eb829b1e0230b433e3f8d1a01985f89ceb306740135391860a9b2937a44f9c08f5a0b90e1adc016e73386af81d3dcc31368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc4dd6766dd68388d8733f1b729f87e9

SHA1
7b883d87afec5be3eff2088409cd1f57f877c756

SHA256
3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

SHA512
3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46be07258b725e1bf96cffe321fc24c5

SHA1
1b4d2672713249c43bc53586c98d8350a82e3ef4

SHA256
a8c358fe0e8a1b6def1f55c1e2caed2329b78cf6b48a9bb6e92797b6416dcd8b

SHA512
0e97b97b56f7dfae214ebc5900f2ff62e78ae79422bb06bd9b4fe7217a120166ba6045d0e4ed9aacbad82816b2afb5fdf9219003a591e8c61a94470e6b54cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\02ceb908-af9d-4bfd-8ccb-0f9f5830ff33.vbs

Filesize
699B

MD5
d50b478e1f2a75e97be9c136529fc55e

SHA1
bbf40e02604721eff866ef16cee00d248b723dda

SHA256
1bc9a8e2b99318d5c837277d3b1307a2a4c4584f1dc287f433acceca9d4edac2

SHA512
8d152f142b26d9530dccbd8a346ffd1255af84cd12c5a156f885b48eb7d8680761e84c52c29e26508008836d650638514481a24da91dfa7ba51daaac4a14bf0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1323616b-ac34-4aa8-a71c-fafddbc16499.vbs

Filesize
475B

MD5
bd3573f4ad72fe63ccfe6ee894de3ed8

SHA1
722b8e4c7525b759e47fc9dacb8248b32db1ebeb

SHA256
3bf8691a1c0d34caa1286f37ccfb472e6ca3af6ab38f948309e7a4fbbca5f2bc

SHA512
c8b2c02baed4341ffdf170b3d15d6d52763e55367ed14e287da2a45f376aa4838c17cd9df62bb6f8ff41064fed6b6ae08e604593ce3dfd665c0388bf5e6c38df

Download Submit
C:\Users\Admin\AppData\Local\Temp\47e38af3-4697-48b2-abc0-96f7c2170602.vbs

Filesize
699B

MD5
15ca007235b2440b2bd0c184c7488521

SHA1
acc1c0ba8e81a7cde727736e1916ae3cffe9ecf0

SHA256
d0e871340318bc87b1bc2b53b88f24bf08c9f11516c4f2f769c1467e71c2a23a

SHA512
b259e29f15a13bfec2cef2b347f7927bb86963994300b1549aa70ea742ff5a0cc8702e8a1262ef0549cbcbbb373615f28205d2c50c2f430171c024d68c832cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\48495976-38ba-4f6c-84f6-5d0b6c9969ac.vbs

Filesize
699B

MD5
d93b8e9fc3ade7987b5e862e59436803

SHA1
d86cedc67e1802f76cc6c2ce0bdd9352856f62b5

SHA256
571dd4af0c85f36abaa3eebafd63bbff4b4f62978a0b26d785d2963d01414901

SHA512
8d37ffa2f1f213df832499967c3adf01238db70edf49fe6d2879bfcb57f054aa206fca992b63753e692931e3f89d99966c4435deb9169d6d0782919311fc5eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\662fb68f-e83b-449e-baca-151b4cba72cb.vbs

Filesize
699B

MD5
c09c093c5bea77a0e7e3ba5fbc083392

SHA1
643d38e39538276d05a77ac5b1604e1715dc4ac5

SHA256
81c4ed83efd99fd6b8531b28d4d2af80d1ed38c2a0fbbdfb302b0e4b8d14972a

SHA512
0cfe918e8ce1ec136a483b395c983236b3f761edf11262e023a02a03d56546473f9e17d4c23f5247afd15f2b643e3d63c17e04f808b8befb610ccaac77600ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat

Filesize
188B

MD5
f4e38a4dab5eb252de47ecb8e7d51393

SHA1
d03ed1555ba12f59ef71b43f8989a1bb5ba118cc

SHA256
9538283664f1739ee11d713989d13cfc79307f3053b83c3d22a9f65f18b04661

SHA512
620f65da461e66ba5a216729f6c3cf8a1ba09ff13ab54972f7f0925040a654050839da2559d82710b184ff8c010d58ac52cae8ebed18b03ad6f78dd21f35cb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\81d66ce7-5553-447c-84b9-b5115ffdf075.vbs

Filesize
699B

MD5
f874679f9d123831c509c24369f124c0

SHA1
f0b61e869810cda484905109c4ce44414c8e58dc

SHA256
90a3daf038c728cf854046051095d5bf8850669d6e78d9e89c5a43222eba2813

SHA512
e5abf8853eb54e6d8a5df51f06f190a7a4dd89f22d2340d6fb99d20228aeca789a9d4cdad3af11f5a9bc0e7a3024a8dc95cb5414b0195728f53019a97dfd06bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4itegj14.2zh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a62e8b10-75bb-4680-8ea0-af954ee3c88c.vbs

Filesize
699B

MD5
474346b02ce2e0e346941d650573745c

SHA1
d5c9e52789ac28f2d708939e93897c4b85dba4bd

SHA256
4ebbe7ea3a6299613c347814f5747b2c14cf0f53313ca026e0b893c688d77736

SHA512
b0446536fe355966ca4cdac6a5940c9c8978e70c7c2b4f306025ddb4e11ee56e036864f52bb335af18b86b3dee01cff935c36b9c4d9bc15d9a1366f8e5ef0068

Download Submit
C:\Users\Admin\AppData\Local\Temp\bad7903a-4e14-4ea6-a92d-84d321701ad1.vbs

Filesize
699B

MD5
156e8e16db966aedb12b8065e17e98c7

SHA1
7bab750effc389c1abfc8138cb5608609215c4b9

SHA256
2a5cec07b1ebf7dfa9a0311959fdff301fd9dc304e248c3e9bd891e08262979f

SHA512
f8d8a83f6569132c40b029e6dad39af920ec7f0a7c659be305ed3691ceca9a792f7d74f5dfc5e74885276d0cb346c2da1cf8f3410059f767a91e1bc4596a283f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6b38c3e-2d29-46b9-a69d-109700769a5e.vbs

Filesize
699B

MD5
0b64572d04964b799bc6f12d57728fd4

SHA1
e79165d89743ac1143ddb1918ed7ea6bf0710b3b

SHA256
280a4e749108ae9a2397cbb2eb881ff277726400b65d7fa48d577c7e7b1aa35c

SHA512
8b0be7e3929d5a526371e6407a811cf7b389d6d073e37015fff2f60eee4697ea9eee42b426cb31500403513b98b2933ff327f7afa0b6a4f25bcb0b05cfa00dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\df891a96-3cfe-49d9-a112-ed87b30962fe.vbs

Filesize
699B

MD5
9279051214fbd5df312d96de84494647

SHA1
5b916e72a74e25bc9e594cf44dba68c0827c5b22

SHA256
5cb94e48e4958cdeb6f9ff3ec22c813eb1cd9879cd36abc392a4eec419b4149a

SHA512
d996da224cf3fef418d1994fa5ef7dc355a77a075bd29e28eb04a36eb81772fddd206481975a0b0b2f60e63403df8fc8c4b9b524df662e8f3f116b4ab3838608

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2fd0af2-3e9f-4a84-acbb-712ce5ae52a7.vbs

Filesize
699B

MD5
574051c57b5f5c66461116c4a23101da

SHA1
4e483eb67add37bab74a607c09d83856fedf26d8

SHA256
858621e722ccbced5745fb54ae2567b4e9ba4c3465482e1e71cad23fa48ca88d

SHA512
e529d74317b616f761990b20657ca720356a4d67c05b6217d3d82e8737084fcf227de1330667f2cc0b7849f4cb63e42b688cdbf9c39ee72b9515907b56ad4e6c

Download Submit
C:\Users\Admin\Idle.exe

Filesize
1.9MB

MD5
8c1a51de25931bd7bc51df2f4d19a360

SHA1
f91c98acf632e786a012a942f5727244fd7a7509

SHA256
1803390b0a3ee744bc3a82e67aec4a1cc3bace65a8950ab9df5975ff1235b559

SHA512
7a5ee7e10206467bbeab58adab0c715cf25dd4c2f58c25f58cb06ed7cdbbe5cfe0f52464ce84703c1ccdea31f5a53beda0470123e076e101232f6dac777bc96d

Download Submit
memory/1848-428-0x000000001B7D0000-0x000000001B7E2000-memory.dmp

Filesize
72KB

Download
memory/2044-440-0x0000000002B40000-0x0000000002B52000-memory.dmp

Filesize
72KB

Download
memory/3528-8-0x00000000029D0000-0x00000000029DA000-memory.dmp

Filesize
40KB

Download
memory/3528-11-0x000000001B4D0000-0x000000001B4D8000-memory.dmp

Filesize
32KB

Download
memory/3528-18-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/3528-19-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

Filesize
48KB

Download
memory/3528-20-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/3528-16-0x000000001BCA0000-0x000000001BCAA000-memory.dmp

Filesize
40KB

Download
memory/3528-17-0x000000001BCB0000-0x000000001BCBE000-memory.dmp

Filesize
56KB

Download
memory/3528-15-0x000000001B520000-0x000000001B52C000-memory.dmp

Filesize
48KB

Download
memory/3528-14-0x000000001C580000-0x000000001CAA8000-memory.dmp

Filesize
5.2MB

Download
memory/3528-13-0x000000001B4E0000-0x000000001B4F2000-memory.dmp

Filesize
72KB

Download
memory/3528-1-0x0000000000600000-0x00000000007EA000-memory.dmp

Filesize
1.9MB

Download
memory/3528-2-0x00007FFAB5B30000-0x00007FFAB65F2000-memory.dmp

Filesize
10.8MB

Download
memory/3528-0-0x00007FFAB5B33000-0x00007FFAB5B35000-memory.dmp

Filesize
8KB

Download
memory/3528-270-0x00007FFAB5B30000-0x00007FFAB65F2000-memory.dmp

Filesize
10.8MB

Download
memory/3528-10-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/3528-3-0x0000000002970000-0x000000000298C000-memory.dmp

Filesize
112KB

Download
memory/3528-9-0x000000001BA90000-0x000000001BAE6000-memory.dmp

Filesize
344KB

Download
memory/3528-194-0x00007FFAB5B33000-0x00007FFAB5B35000-memory.dmp

Filesize
8KB

Download
memory/3528-210-0x00007FFAB5B30000-0x00007FFAB65F2000-memory.dmp

Filesize
10.8MB

Download
memory/3528-4-0x000000001BA40000-0x000000001BA90000-memory.dmp

Filesize
320KB

Download
memory/3528-7-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/3528-6-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/3528-5-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/3776-416-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download
memory/4188-403-0x000000001BA80000-0x000000001BA92000-memory.dmp

Filesize
72KB

Download
memory/4188-402-0x0000000000C50000-0x0000000000E3A000-memory.dmp

Filesize
1.9MB

Download
memory/5888-249-0x000001B6A1A50000-0x000001B6A1A72000-memory.dmp

Filesize
136KB

Download