4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
150s
max time network
146s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/04/2025, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f736c152b3d1812f1142ed0da99e0ac8.exe
Size

5.9MB
MD5

f736c152b3d1812f1142ed0da99e0ac8
SHA1

5df819dd9a3c73b64b33950ecfac1c690fa0f03d
SHA256

78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
SHA512

a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4976	schtasks.exe	80
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4976	schtasks.exe	80

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4952	powershell.exe
5540	powershell.exe
2244	powershell.exe
2336	powershell.exe
1184	powershell.exe
3728	powershell.exe
3884	powershell.exe
3204	powershell.exe
5248	powershell.exe
5116	powershell.exe
3984	powershell.exe
4016	powershell.exe
4352	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f736c152b3d1812f1142ed0da99e0ac8.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 3 IoCs

pid	Process
736	sysmon.exe
3448	sysmon.exe
724	sysmon.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
736	sysmon.exe
736	sysmon.exe
3448	sysmon.exe
3448	sysmon.exe
724	sysmon.exe
724	sysmon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6B76.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6BF4.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX6E66.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX6EF3.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	f736c152b3d1812f1142ed0da99e0ac8.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\uk-UA\e6c9b481da804f	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\RCX60FE.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\uk-UA\RCX644D.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\uk-UA\OfficeClickToRun.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\RCX617C.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\services.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\uk-UA\RCX63CF.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\ShellComponents\services.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\ShellComponents\c5b4cb5e9653cc	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\uk-UA\OfficeClickToRun.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3276626056-3619442337-829025701-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1368	schtasks.exe
1636	schtasks.exe
736	schtasks.exe
3864	schtasks.exe
3492	schtasks.exe
3520	schtasks.exe
4120	schtasks.exe
4092	schtasks.exe
2800	schtasks.exe
2156	schtasks.exe
3444	schtasks.exe
1720	schtasks.exe
3384	schtasks.exe
3336	schtasks.exe
4536	schtasks.exe
2448	schtasks.exe
1912	schtasks.exe
3056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
3588	f736c152b3d1812f1142ed0da99e0ac8.exe
4952	powershell.exe
4952	powershell.exe
1184	powershell.exe
1184	powershell.exe
3984	powershell.exe
3984	powershell.exe
2336	powershell.exe
2336	powershell.exe
5248	powershell.exe
5248	powershell.exe
4016	powershell.exe
4016	powershell.exe
5540	powershell.exe
5540	powershell.exe
4352	powershell.exe
4352	powershell.exe
3204	powershell.exe
3204	powershell.exe
3884	powershell.exe
3884	powershell.exe
3728	powershell.exe
3728	powershell.exe
2244	powershell.exe
2244	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
5248	powershell.exe
4952	powershell.exe
1184	powershell.exe
3984	powershell.exe
3884	powershell.exe
5540	powershell.exe
2336	powershell.exe
3204	powershell.exe
4352	powershell.exe
2244	powershell.exe
4016	powershell.exe
3728	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeIncreaseQuotaPrivilege	3984	powershell.exe
Token: SeSecurityPrivilege	3984	powershell.exe
Token: SeTakeOwnershipPrivilege	3984	powershell.exe
Token: SeLoadDriverPrivilege	3984	powershell.exe
Token: SeSystemProfilePrivilege	3984	powershell.exe
Token: SeSystemtimePrivilege	3984	powershell.exe
Token: SeProfSingleProcessPrivilege	3984	powershell.exe
Token: SeIncBasePriorityPrivilege	3984	powershell.exe
Token: SeCreatePagefilePrivilege	3984	powershell.exe
Token: SeBackupPrivilege	3984	powershell.exe
Token: SeRestorePrivilege	3984	powershell.exe
Token: SeShutdownPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeSystemEnvironmentPrivilege	3984	powershell.exe
Token: SeRemoteShutdownPrivilege	3984	powershell.exe
Token: SeUndockPrivilege	3984	powershell.exe
Token: SeManageVolumePrivilege	3984	powershell.exe
Token: 33	3984	powershell.exe
Token: 34	3984	powershell.exe
Token: 35	3984	powershell.exe
Token: 36	3984	powershell.exe
Token: SeIncreaseQuotaPrivilege	5248	powershell.exe
Token: SeSecurityPrivilege	5248	powershell.exe
Token: SeTakeOwnershipPrivilege	5248	powershell.exe
Token: SeLoadDriverPrivilege	5248	powershell.exe
Token: SeSystemProfilePrivilege	5248	powershell.exe
Token: SeSystemtimePrivilege	5248	powershell.exe
Token: SeProfSingleProcessPrivilege	5248	powershell.exe
Token: SeIncBasePriorityPrivilege	5248	powershell.exe
Token: SeCreatePagefilePrivilege	5248	powershell.exe
Token: SeBackupPrivilege	5248	powershell.exe
Token: SeRestorePrivilege	5248	powershell.exe
Token: SeShutdownPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeSystemEnvironmentPrivilege	5248	powershell.exe
Token: SeRemoteShutdownPrivilege	5248	powershell.exe
Token: SeUndockPrivilege	5248	powershell.exe
Token: SeManageVolumePrivilege	5248	powershell.exe
Token: 33	5248	powershell.exe
Token: 34	5248	powershell.exe
Token: 35	5248	powershell.exe
Token: 36	5248	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	powershell.exe
Token: SeSecurityPrivilege	5116	powershell.exe
Token: SeTakeOwnershipPrivilege	5116	powershell.exe
Token: SeLoadDriverPrivilege	5116	powershell.exe
Token: SeSystemProfilePrivilege	5116	powershell.exe
Token: SeSystemtimePrivilege	5116	powershell.exe
Token: SeProfSingleProcessPrivilege	5116	powershell.exe
Token: SeIncBasePriorityPrivilege	5116	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4952	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	99
PID 3588 wrote to memory of 4952	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	99
PID 3588 wrote to memory of 3884	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	100
PID 3588 wrote to memory of 3884	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	100
PID 3588 wrote to memory of 3204	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	101
PID 3588 wrote to memory of 3204	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	101
PID 3588 wrote to memory of 5248	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 3588 wrote to memory of 5248	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 3588 wrote to memory of 5540	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	103
PID 3588 wrote to memory of 5540	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	103
PID 3588 wrote to memory of 5116	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 3588 wrote to memory of 5116	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 3588 wrote to memory of 4016	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	105
PID 3588 wrote to memory of 4016	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	105
PID 3588 wrote to memory of 3984	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 3588 wrote to memory of 3984	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 3588 wrote to memory of 2244	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	107
PID 3588 wrote to memory of 2244	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	107
PID 3588 wrote to memory of 3728	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 3588 wrote to memory of 3728	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 3588 wrote to memory of 4352	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 3588 wrote to memory of 4352	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 3588 wrote to memory of 1184	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	110
PID 3588 wrote to memory of 1184	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	110
PID 3588 wrote to memory of 2336	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	111
PID 3588 wrote to memory of 2336	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	111
PID 3588 wrote to memory of 5656	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	125
PID 3588 wrote to memory of 5656	3588	f736c152b3d1812f1142ed0da99e0ac8.exe	125
PID 5656 wrote to memory of 3292	5656	cmd.exe	127
PID 5656 wrote to memory of 3292	5656	cmd.exe	127
PID 5656 wrote to memory of 736	5656	cmd.exe	129
PID 5656 wrote to memory of 736	5656	cmd.exe	129
PID 736 wrote to memory of 5020	736	sysmon.exe	130
PID 736 wrote to memory of 5020	736	sysmon.exe	130
PID 736 wrote to memory of 5084	736	sysmon.exe	131
PID 736 wrote to memory of 5084	736	sysmon.exe	131
PID 5020 wrote to memory of 3448	5020	WScript.exe	133
PID 5020 wrote to memory of 3448	5020	WScript.exe	133
PID 3448 wrote to memory of 416	3448	sysmon.exe	134
PID 3448 wrote to memory of 416	3448	sysmon.exe	134
PID 3448 wrote to memory of 5740	3448	sysmon.exe	135
PID 3448 wrote to memory of 5740	3448	sysmon.exe	135
PID 416 wrote to memory of 724	416	WScript.exe	136
PID 416 wrote to memory of 724	416	WScript.exe	136
PID 724 wrote to memory of 5408	724	sysmon.exe	137
PID 724 wrote to memory of 5408	724	sysmon.exe	137
PID 724 wrote to memory of 2012	724	sysmon.exe	138
PID 724 wrote to memory of 2012	724	sysmon.exe	138

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/9fc39dc9f75971e2c4a07ec7c355b7a8/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d65bb63aeb037b661825a36d996e08/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rM7RdxFNIA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5656
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3292
- - C:\Users\Admin\Recent\sysmon.exe
    "C:\Users\Admin\Recent\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c24976-52dd-468b-b3ca-858d736f5696.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\Recent\sysmon.exe
        
        C:\Users\Admin\Recent\sysmon.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0b585b-5b25-4565-ba70-ee71f9848cdb.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Users\Admin\Recent\sysmon.exe
        
        C:\Users\Admin\Recent\sysmon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf039dd0-f50d-468c-8a94-e084326ae560.vbs"
        8⤵
        
        PID:5408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\432b596b-0db6-4c8b-ae06-187da5a552f9.vbs"
        8⤵
        
        PID:2012
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9888f127-3c98-40d5-8882-6f1b4f179854.vbs"
        6⤵
        
        PID:5740
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3175b6a8-526e-4b2f-9989-af40a683d557.vbs"
      4⤵
      PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellComponents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Recent\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
72f263f3091b76ff7dfae9f3deb73011

SHA1
639f765bc559a03aa06c98045d6ce49c23be5b89

SHA256
95840a9162b19e597d2bed57c4ea1a792a213c2a184d856eaeee383a478b0400

SHA512
5b52238b1793408871502f360a59811198760924791e423e329c40cc739b48c71d2409c95e1c90fdd55f9b99dc0a043991196714146c7fcd5b0c465efcf1c847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf3d14027e901c4bad52cc5e255742a9

SHA1
e24ef14627f3cdc309ff8a39c9cf5fe2fcb319fb

SHA256
c00ab526aaabcaf9c4e1fe3305bf8f5e906348f7646c549094414000a8cb1438

SHA512
2f109441b8fd56360adee3549d0955e55fb57c479c27eb018764755e7dd98ee02b2b97b11221c4acc737e4b1fcde5ab3795141247c077b24b4bcc39434be2bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9e28aa9fc6600dd5e4a8c19358fa593d

SHA1
1ae8674dbf6a001ea95dcea9060c1cf26fc24266

SHA256
a1ca494e921a92d0857906cd9760eca9542305d74a8591bbc9094be34c51a97d

SHA512
2f59d4fe0c1287f349e3465cb0f3964a5799fc4bcbbcffac8fbe681b6d8d96515ae045b73f61e6a7a68ad7f7055125ffc9cf7e3fb6e794cf1f116ba6532eb938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c6e0adc09203595be620291df2b027b

SHA1
1735ffcb7565f085304d3f2e44f4226e876f54b8

SHA256
b4eeda0fb972cda9f586f1c8c6380977dd5509481f61fe2fb157b8bbbacc1a62

SHA512
9c2ea224eca8c645f9de8b7f545c1c872cde510f5e27044fcbba212d6d427a8c0163a08437fccf998a70e5af3527414d733cc4596baf49dcc68de3b8cd8e71ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ca6849476e3dcd432a22bdeb2d0d8e2

SHA1
34547757f3f39dc7790fe5a38db4adf7177e2c5f

SHA256
b3890d26299686106e9b8aadb7ef84713db7b81aaeb5a04c0803fb73a65f46d4

SHA512
df1ab1ee000d666d7a9852fea2f1c84e9b619583e174c54b0714749afd29baf7b9714c64bf69654d2263ac92406fd2b1dca54cd92944360555984f6ec8196eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
972bda0739bfb9719274733038a1c06d

SHA1
3bcc3ff7777a51fe61980fbec24de7c743878e63

SHA256
5c33cd940ebc1ba57c5ae5a81e4e7b2641a878879e136647fe29933c272c762a

SHA512
adf1edfe4c8e11540b0f8e833fbafa19cf4d61a5b14b22dfb9e848ebb6c00857a875acab213afc7f11432a3617622dadf134fde2af36380be27ff77eb03b0aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3175b6a8-526e-4b2f-9989-af40a683d557.vbs

Filesize
484B

MD5
56662c4e71765d807a420cb50e8a746a

SHA1
038405707cf231baed098289ffff98bcd5cbc872

SHA256
79cbf1bccbd1c8bd11906baafec4cfed3ae6ec215756c687f6658b7aa8960947

SHA512
c8ea158396be314ea45833b65540a3c7c3ef93f3b213dff00ef444800b761e8407215526def30adde11872052fdb8024d337ceb10811c06b5051d2901e2472be

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c24976-52dd-468b-b3ca-858d736f5696.vbs

Filesize
707B

MD5
8c9da80b0d57251a7404c952e67115a3

SHA1
5963edebfa657f02f23b2d9f4d834af7817dc461

SHA256
47bb0a2d8d7ad02b9923fc95234fa889c005a607df1f4963a30b616a4bc0fc5f

SHA512
ade00ffa762398730cefb181bde000b53ce7b556edca40529b33c95c2683149144b31888c27bf6e1f1288c464a38c3cd03950765104091828c6d12aeeefbda46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rg4hsh0e.sdk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc0b585b-5b25-4565-ba70-ee71f9848cdb.vbs

Filesize
708B

MD5
28d36e6fe12bd0c9ace89f1185e5a15b

SHA1
64baaaa0706bc75675124fca304f54afc680efed

SHA256
0716e55088d0afad0cde417906ea4b8cef3e1de0f0b8e65fa69c1af164efbee3

SHA512
e0007d561454f5516ad2e272c3286963a3818f08b3427f1c53123a461fe2dae06801719fae42d54af7b0c0c0ab0febb116ac4340a38f6dc89523ffee7579b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf039dd0-f50d-468c-8a94-e084326ae560.vbs

Filesize
707B

MD5
f28a2e6b7d18d9ac661a141384faa397

SHA1
4178cb3017477c9835d461c93972db44e38b9b74

SHA256
1f75e4cba3ef7ff1a3675c36ade14bfb920c6454074e698ba6625846da880dae

SHA512
232224061898ddfbf79476fa2ea29b9a740e0ef976029d6efb4decf6e040c2ad6957da79a2bd435ed891a39e14ec6d241e9abac3832a734533835e6405e49ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rM7RdxFNIA.bat

Filesize
197B

MD5
138766932ce6e4b9ba361d78e0749440

SHA1
edcae5b83e47051a8ec5fbfc0cd34aa294bea5e1

SHA256
deb2cf7bc4d08c824a0ccf9f17453c9eca99c10a2d782c42ee8bb729f3a2127f

SHA512
705971c87473d9b2899da33d0878004e4493010fbd992fc39e5e0b82d45e7b47165aadfabc0a59de4f4878681b5e7cba9f64506c42547e68b3c9c8f2973ebc2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\sysmon.exe

Filesize
5.9MB

MD5
b75c5288545474fef1e3efdbd979a0b0

SHA1
958cf7b8609e2f65e75dd4a0fbf7708a361f32e8

SHA256
20bc27abc974af960838a54c25163fbf5c73a97ffd5e53f4fba58e23803edfbf

SHA512
528167c73411674231ffcdcbaaf68c811fec716d8e753667482c3fce5eb4ea576900bcab7163f9a27349c999275b97daea34f36bdf469e3862fea1bcd0cc4f4b

Download Submit
C:\Users\Default\fontdrvhost.exe

Filesize
5.9MB

MD5
6405aab0eede80c3ccac11b04183140b

SHA1
a0ef3b553c5ba8f0e072daadb8b11f2a7b9abef0

SHA256
89e840b427db8f374168f33f2ce058b74e5cefe13e8ee79dfc525988adf31af0

SHA512
270fc1294a237446afec78bb9e3ccab5205db62cafcd8f70faa2b1284bfa108e601e3ea62dffd8394252bb3c3cf31562a7d00ceffa369fc3901f28fbdd597b09

Download Submit
C:\Windows\ShellComponents\services.exe

Filesize
5.9MB

MD5
10556cec4afb26f0336d3a64c9b10fa2

SHA1
fe8f872e9b03e3508775419996af7bb0d7e41d53

SHA256
91a16dfa53f84e2b8d5a5ebfdeb02f9545935948532ba6629b67a9c2fee7d6e1

SHA512
5d2aa9fe1ac84e6b0fa7ac1e0d44a01568ecf6af21d7e57df6df029714b76372dc76937131fdbb4e0221baf4bb39cfb15347954edbfc2e3ea500ea08f14d5511

Download Submit
C:\Windows\uk-UA\OfficeClickToRun.exe

Filesize
5.9MB

MD5
47361d32e1e75ea301a13da5ca47b887

SHA1
b813e7b6848239b6850dd8653741a3eedbb6d961

SHA256
2d2f045585c9f6d73f1002ec222ce61e4f9cdcc68269fa0af651fd702df0539a

SHA512
44872eeae61f0b48341fba67a5ea30e9913944c2b55b14ddc33a85de7752eb2afe9b112a2357e1a09288361149f2ccca6264d83b422f9084ffb8993fbdf67937

Download Submit
memory/724-309-0x000000001B9D0000-0x000000001B9E2000-memory.dmp

Filesize
72KB

Download
memory/736-272-0x0000000000CC0000-0x00000000015B8000-memory.dmp

Filesize
9.0MB

Download
memory/1184-248-0x00000224BD7C0000-0x00000224BD9DD000-memory.dmp

Filesize
2.1MB

Download
memory/2244-266-0x0000022DEE3A0000-0x0000022DEE5BD000-memory.dmp

Filesize
2.1MB

Download
memory/2336-267-0x0000025C7AD30000-0x0000025C7AF4D000-memory.dmp

Filesize
2.1MB

Download
memory/3204-257-0x0000023DC27D0000-0x0000023DC29ED000-memory.dmp

Filesize
2.1MB

Download
memory/3448-292-0x000000001BF30000-0x000000001BF42000-memory.dmp

Filesize
72KB

Download
memory/3588-39-0x000000001D0A0000-0x000000001D0A8000-memory.dmp

Filesize
32KB

Download
memory/3588-18-0x000000001CD10000-0x000000001CD66000-memory.dmp

Filesize
344KB

Download
memory/3588-27-0x000000001CDD0000-0x000000001CDDC000-memory.dmp

Filesize
48KB

Download
memory/3588-29-0x000000001CDF0000-0x000000001CDFC000-memory.dmp

Filesize
48KB

Download
memory/3588-28-0x000000001CDE0000-0x000000001CDE8000-memory.dmp

Filesize
32KB

Download
memory/3588-30-0x000000001CE00000-0x000000001CE0C000-memory.dmp

Filesize
48KB

Download
memory/3588-32-0x000000001CE10000-0x000000001CE1C000-memory.dmp

Filesize
48KB

Download
memory/3588-31-0x000000001D090000-0x000000001D098000-memory.dmp

Filesize
32KB

Download
memory/3588-33-0x000000001CE20000-0x000000001CE2A000-memory.dmp

Filesize
40KB

Download
memory/3588-35-0x000000001CE40000-0x000000001CE48000-memory.dmp

Filesize
32KB

Download
memory/3588-34-0x000000001CE30000-0x000000001CE3E000-memory.dmp

Filesize
56KB

Download
memory/3588-36-0x000000001CE50000-0x000000001CE5E000-memory.dmp

Filesize
56KB

Download
memory/3588-37-0x000000001CE60000-0x000000001CE68000-memory.dmp

Filesize
32KB

Download
memory/3588-38-0x000000001CE70000-0x000000001CE7C000-memory.dmp

Filesize
48KB

Download
memory/3588-0-0x00007FFF33D83000-0x00007FFF33D85000-memory.dmp

Filesize
8KB

Download
memory/3588-40-0x000000001D1B0000-0x000000001D1BA000-memory.dmp

Filesize
40KB

Download
memory/3588-41-0x000000001D0B0000-0x000000001D0BC000-memory.dmp

Filesize
48KB

Download
memory/3588-25-0x000000001D3C0000-0x000000001D8E8000-memory.dmp

Filesize
5.2MB

Download
memory/3588-24-0x000000001CD90000-0x000000001CDA2000-memory.dmp

Filesize
72KB

Download
memory/3588-22-0x000000001CD80000-0x000000001CD88000-memory.dmp

Filesize
32KB

Download
memory/3588-21-0x000000001CE80000-0x000000001CE8C000-memory.dmp

Filesize
48KB

Download
memory/3588-20-0x000000001CD70000-0x000000001CD78000-memory.dmp

Filesize
32KB

Download
memory/3588-19-0x000000001CD60000-0x000000001CD6C000-memory.dmp

Filesize
48KB

Download
memory/3588-1-0x0000000000EC0000-0x00000000017B8000-memory.dmp

Filesize
9.0MB

Download
memory/3588-200-0x00007FFF33D80000-0x00007FFF34842000-memory.dmp

Filesize
10.8MB

Download
memory/3588-26-0x000000001CDC0000-0x000000001CDCC000-memory.dmp

Filesize
48KB

Download
memory/3588-17-0x000000001C4F0000-0x000000001C4FA000-memory.dmp

Filesize
40KB

Download
memory/3588-2-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/3588-3-0x00007FFF33D80000-0x00007FFF34842000-memory.dmp

Filesize
10.8MB

Download
memory/3588-16-0x000000001C4E0000-0x000000001C4F0000-memory.dmp

Filesize
64KB

Download
memory/3588-15-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

Filesize
32KB

Download
memory/3588-4-0x0000000001F90000-0x0000000001F9E000-memory.dmp

Filesize
56KB

Download
memory/3588-5-0x0000000001FA0000-0x0000000001FAE000-memory.dmp

Filesize
56KB

Download
memory/3588-14-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

Filesize
48KB

Download
memory/3588-6-0x0000000003900000-0x0000000003908000-memory.dmp

Filesize
32KB

Download
memory/3588-7-0x0000000003910000-0x000000000392C000-memory.dmp

Filesize
112KB

Download
memory/3588-13-0x000000001C4B0000-0x000000001C4C2000-memory.dmp

Filesize
72KB

Download
memory/3588-11-0x000000001C430000-0x000000001C446000-memory.dmp

Filesize
88KB

Download
memory/3588-10-0x000000001C420000-0x000000001C430000-memory.dmp

Filesize
64KB

Download
memory/3588-12-0x000000001C450000-0x000000001C458000-memory.dmp

Filesize
32KB

Download
memory/3588-8-0x000000001C460000-0x000000001C4B0000-memory.dmp

Filesize
320KB

Download
memory/3588-9-0x000000001C410000-0x000000001C418000-memory.dmp

Filesize
32KB

Download
memory/3728-246-0x000001D8356D0000-0x000001D8358ED000-memory.dmp

Filesize
2.1MB

Download
memory/3884-249-0x000001CEF49F0000-0x000001CEF4C0D000-memory.dmp

Filesize
2.1MB

Download
memory/3984-240-0x000002204A440000-0x000002204A65D000-memory.dmp

Filesize
2.1MB

Download
memory/4016-247-0x000001FDAE140000-0x000001FDAE35D000-memory.dmp

Filesize
2.1MB

Download
memory/4352-258-0x0000026CE5B00000-0x0000026CE5D1D000-memory.dmp

Filesize
2.1MB

Download
memory/4952-254-0x0000011EF9300000-0x0000011EF951D000-memory.dmp

Filesize
2.1MB

Download
memory/4952-126-0x0000011EF91A0000-0x0000011EF91C2000-memory.dmp

Filesize
136KB

Download
memory/5116-268-0x0000025F19860000-0x0000025F19A7D000-memory.dmp

Filesize
2.1MB

Download
memory/5248-243-0x0000021369660000-0x000002136987D000-memory.dmp

Filesize
2.1MB

Download
memory/5540-259-0x000001CC7C670000-0x000001CC7C88D000-memory.dmp

Filesize
2.1MB

Download