colibri | ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f

Analysis

max time kernel
117s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b026a4ecfe2b95b153f91b7c0c854200N.exe
Size

4.9MB
MD5

b026a4ecfe2b95b153f91b7c0c854200
SHA1

687a6bfae0785206cdd4577755626d046e844015
SHA256

ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f
SHA512

0afebbee95f50178db721ecb1f4aca644d9357d6ac9a7825ac775f83372fb9c0b7a56878f94dbe08e5d48bd0fe566cabc4f9b4195c218d1ff48aef3c22853388
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1060	schtasks.exe	86

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3640-3-0x000000001BFE0000-0x000000001C10E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3212	powershell.exe
1496	powershell.exe
2336	powershell.exe
4936	powershell.exe
1396	powershell.exe
4580	powershell.exe
3400	powershell.exe
1584	powershell.exe
4924	powershell.exe
3348	powershell.exe
4248	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	b026a4ecfe2b95b153f91b7c0c854200N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 38 IoCs

pid	Process
4360	tmp7FFF.tmp.exe
4468	tmp7FFF.tmp.exe
3500	fontdrvhost.exe
3476	tmpCBCC.tmp.exe
3112	tmpCBCC.tmp.exe
3400	fontdrvhost.exe
4364	tmpE947.tmp.exe
1492	tmpE947.tmp.exe
3560	fontdrvhost.exe
1080	tmp6A2.tmp.exe
3840	tmp6A2.tmp.exe
4384	fontdrvhost.exe
4280	tmp39C8.tmp.exe
4984	tmp39C8.tmp.exe
2492	fontdrvhost.exe
2080	tmp6A5D.tmp.exe
2644	tmp6A5D.tmp.exe
4776	fontdrvhost.exe
2388	tmp87E8.tmp.exe
1272	tmp87E8.tmp.exe
1788	tmp87E8.tmp.exe
1696	tmp87E8.tmp.exe
2256	fontdrvhost.exe
4028	tmpA4D6.tmp.exe
4936	tmpA4D6.tmp.exe
3460	tmpA4D6.tmp.exe
400	fontdrvhost.exe
4224	tmpD666.tmp.exe
1020	tmpD666.tmp.exe
2108	tmpD666.tmp.exe
1056	tmpD666.tmp.exe
840	tmpD666.tmp.exe
3712	fontdrvhost.exe
1652	tmpA18.tmp.exe
1948	tmpA18.tmp.exe
1696	fontdrvhost.exe
216	tmp3BB7.tmp.exe
3036	tmp3BB7.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b026a4ecfe2b95b153f91b7c0c854200N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4360 set thread context of 4468	4360	tmp7FFF.tmp.exe	144
PID 3476 set thread context of 3112	3476	tmpCBCC.tmp.exe	181
PID 4364 set thread context of 1492	4364	tmpE947.tmp.exe	188
PID 1080 set thread context of 3840	1080	tmp6A2.tmp.exe	195
PID 4280 set thread context of 4984	4280	tmp39C8.tmp.exe	201
PID 2080 set thread context of 2644	2080	tmp6A5D.tmp.exe	207
PID 1788 set thread context of 1696	1788	tmp87E8.tmp.exe	215
PID 4936 set thread context of 3460	4936	tmpA4D6.tmp.exe	222
PID 1056 set thread context of 840	1056	tmpD666.tmp.exe	231
PID 1652 set thread context of 1948	1652	tmpA18.tmp.exe	237
PID 216 set thread context of 3036	216	tmp3BB7.tmp.exe	243

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Registry.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA22D.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Internet Explorer\ee2ad38f3d4382	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\SearchApp.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX96FC.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\0a1fd5f707cd16	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Internet Explorer\Registry.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX8BAD.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCXA441.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\38384e6a620884	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX8129.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX92D4.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\SearchApp.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\eddb19405b7ce1	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX9C00.tmp	b026a4ecfe2b95b153f91b7c0c854200N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe	b026a4ecfe2b95b153f91b7c0c854200N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCBCC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD666.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87E8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA4D6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD666.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD666.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3BB7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FFF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp39C8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87E8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE947.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6A2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87E8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6A5D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA4D6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD666.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	b026a4ecfe2b95b153f91b7c0c854200N.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3284	schtasks.exe
4028	schtasks.exe
2252	schtasks.exe
1172	schtasks.exe
1192	schtasks.exe
2324	schtasks.exe
2124	schtasks.exe
3496	schtasks.exe
2896	schtasks.exe
2860	schtasks.exe
3084	schtasks.exe
1140	schtasks.exe
2644	schtasks.exe
3624	schtasks.exe
768	schtasks.exe
4056	schtasks.exe
3476	schtasks.exe
3620	schtasks.exe
964	schtasks.exe
2532	schtasks.exe
2544	schtasks.exe
1068	schtasks.exe
1196	schtasks.exe
3172	schtasks.exe
640	schtasks.exe
2960	schtasks.exe
1432	schtasks.exe
2296	schtasks.exe
5004	schtasks.exe
976	schtasks.exe
4032	schtasks.exe
3524	schtasks.exe
2304	schtasks.exe
1408	schtasks.exe
1624	schtasks.exe
2612	schtasks.exe
3980	schtasks.exe
1496	schtasks.exe
5028	schtasks.exe
3932	schtasks.exe
740	schtasks.exe
2240	schtasks.exe
3296	schtasks.exe
4656	schtasks.exe
1160	schtasks.exe
4768	schtasks.exe
372	schtasks.exe
4292	schtasks.exe
4500	schtasks.exe
2440	schtasks.exe
4812	schtasks.exe
880	schtasks.exe
3096	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
3348	powershell.exe
3348	powershell.exe
1584	powershell.exe
1584	powershell.exe
3400	powershell.exe
3400	powershell.exe
3212	powershell.exe
3212	powershell.exe
4248	powershell.exe
4248	powershell.exe
2336	powershell.exe
2336	powershell.exe
4936	powershell.exe
4936	powershell.exe
4924	powershell.exe
4924	powershell.exe
4580	powershell.exe
4580	powershell.exe
1396	powershell.exe
1396	powershell.exe
1496	powershell.exe
1496	powershell.exe
4580	powershell.exe
3348	powershell.exe
3400	powershell.exe
4924	powershell.exe
1584	powershell.exe
3212	powershell.exe
1396	powershell.exe
4248	powershell.exe
2336	powershell.exe
4936	powershell.exe
1496	powershell.exe
3500	fontdrvhost.exe
3400	fontdrvhost.exe
3560	fontdrvhost.exe
4384	fontdrvhost.exe
2492	fontdrvhost.exe
4776	fontdrvhost.exe
2256	fontdrvhost.exe
400	fontdrvhost.exe
3712	fontdrvhost.exe
1696	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3500	fontdrvhost.exe
Token: SeDebugPrivilege	3400	fontdrvhost.exe
Token: SeDebugPrivilege	3560	fontdrvhost.exe
Token: SeDebugPrivilege	4384	fontdrvhost.exe
Token: SeDebugPrivilege	2492	fontdrvhost.exe
Token: SeDebugPrivilege	4776	fontdrvhost.exe
Token: SeDebugPrivilege	2256	fontdrvhost.exe
Token: SeDebugPrivilege	400	fontdrvhost.exe
Token: SeDebugPrivilege	3712	fontdrvhost.exe
Token: SeDebugPrivilege	1696	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 4360	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	141
PID 3640 wrote to memory of 4360	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	141
PID 3640 wrote to memory of 4360	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	141
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 4360 wrote to memory of 4468	4360	tmp7FFF.tmp.exe	144
PID 3640 wrote to memory of 1396	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	151
PID 3640 wrote to memory of 1396	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	151
PID 3640 wrote to memory of 3348	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	152
PID 3640 wrote to memory of 3348	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	152
PID 3640 wrote to memory of 4924	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	153
PID 3640 wrote to memory of 4924	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	153
PID 3640 wrote to memory of 4936	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	154
PID 3640 wrote to memory of 4936	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	154
PID 3640 wrote to memory of 2336	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	155
PID 3640 wrote to memory of 2336	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	155
PID 3640 wrote to memory of 1584	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	157
PID 3640 wrote to memory of 1584	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	157
PID 3640 wrote to memory of 3400	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	158
PID 3640 wrote to memory of 3400	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	158
PID 3640 wrote to memory of 1496	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	159
PID 3640 wrote to memory of 1496	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	159
PID 3640 wrote to memory of 3212	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	160
PID 3640 wrote to memory of 3212	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	160
PID 3640 wrote to memory of 4248	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	161
PID 3640 wrote to memory of 4248	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	161
PID 3640 wrote to memory of 4580	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	162
PID 3640 wrote to memory of 4580	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	162
PID 3640 wrote to memory of 3588	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	172
PID 3640 wrote to memory of 3588	3640	b026a4ecfe2b95b153f91b7c0c854200N.exe	172
PID 3588 wrote to memory of 696	3588	cmd.exe	175
PID 3588 wrote to memory of 696	3588	cmd.exe	175
PID 3588 wrote to memory of 3500	3588	cmd.exe	176
PID 3588 wrote to memory of 3500	3588	cmd.exe	176
PID 3500 wrote to memory of 1732	3500	fontdrvhost.exe	177
PID 3500 wrote to memory of 1732	3500	fontdrvhost.exe	177
PID 3500 wrote to memory of 3616	3500	fontdrvhost.exe	178
PID 3500 wrote to memory of 3616	3500	fontdrvhost.exe	178
PID 3500 wrote to memory of 3476	3500	fontdrvhost.exe	179
PID 3500 wrote to memory of 3476	3500	fontdrvhost.exe	179
PID 3500 wrote to memory of 3476	3500	fontdrvhost.exe	179
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 3476 wrote to memory of 3112	3476	tmpCBCC.tmp.exe	181
PID 1732 wrote to memory of 3400	1732	WScript.exe	182
PID 1732 wrote to memory of 3400	1732	WScript.exe	182
PID 3400 wrote to memory of 4580	3400	fontdrvhost.exe	183
PID 3400 wrote to memory of 4580	3400	fontdrvhost.exe	183
PID 3400 wrote to memory of 2324	3400	fontdrvhost.exe	184
PID 3400 wrote to memory of 2324	3400	fontdrvhost.exe	184
PID 3400 wrote to memory of 4364	3400	fontdrvhost.exe	186
PID 3400 wrote to memory of 4364	3400	fontdrvhost.exe	186
PID 3400 wrote to memory of 4364	3400	fontdrvhost.exe	186
PID 4364 wrote to memory of 1492	4364	tmpE947.tmp.exe	188
PID 4364 wrote to memory of 1492	4364	tmpE947.tmp.exe	188
PID 4364 wrote to memory of 1492	4364	tmpE947.tmp.exe	188

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b026a4ecfe2b95b153f91b7c0c854200N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b026a4ecfe2b95b153f91b7c0c854200N.exe
"C:\Users\Admin\AppData\Local\Temp\b026a4ecfe2b95b153f91b7c0c854200N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3640
- C:\Users\Admin\AppData\Local\Temp\tmp7FFF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FFF.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\tmp7FFF.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp7FFF.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dn8Em9rir7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:696
- - C:\Recovery\WindowsRE\fontdrvhost.exe
    "C:\Recovery\WindowsRE\fontdrvhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3500
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deef9046-0be6-4b40-8def-e3d1cf07dda2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd6f679b-adf3-421b-b970-cd7c3c5f0333.vbs"
        6⤵
        
        PID:4580
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4891c49f-f67a-4e7d-a792-50d21e5bca17.vbs"
        8⤵
        
        PID:2336
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eaac9dd-3e0d-49ef-90c0-37d1d7749e09.vbs"
        10⤵
        
        PID:3348
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee535249-642f-4b7b-82b0-989738e4d7a3.vbs"
        12⤵
        
        PID:456
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\250119da-d207-41ae-963a-68853d1a8d49.vbs"
        14⤵
        
        PID:4376
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4caf2100-81c6-4a36-8811-aee34b30d683.vbs"
        16⤵
        
        PID:4264
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79a2398b-24ca-4c6c-96e9-6efad147ff46.vbs"
        18⤵
        
        PID:2216
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db84dcce-ce8b-4837-a730-723e0dcb96cb.vbs"
        20⤵
        
        PID:1044
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1348670-5a5c-4fb7-bcb1-90e4772d6c3c.vbs"
        22⤵
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16c6b5a5-f6f3-4b6b-97f4-be35190c625d.vbs"
        22⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp3BB7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3BB7.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp3BB7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3BB7.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab41fbef-ad76-4cfb-b89b-0f33a8284454.vbs"
        20⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmpA18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA18.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmpA18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA18.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9835e54-fc8e-4448-8e77-3dadccf3b880.vbs"
        18⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD666.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64a32299-e3ef-49b9-acfc-061928d97923.vbs"
        16⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4D6.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c9554a-7905-4852-9090-34751a6cb502.vbs"
        14⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bec88c7-1f53-4c3b-8988-1f1da27067bb.vbs"
        12⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp6A5D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6A5D.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp6A5D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6A5D.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89cad272-9c61-4f8e-bd93-cf8b606124d8.vbs"
        10⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp39C8.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a02d49-2342-493d-b7b3-cbd48e875b70.vbs"
        8⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6A2.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e258e68-b9eb-48a9-9403-9ecf588f460e.vbs"
        6⤵
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\tmpE947.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE947.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmpE947.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE947.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1492
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b271704f-9773-4f35-a639-59e4a79e7d92.vbs"
      4⤵
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCBCC.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SearchApp.exe

Filesize
4.9MB

MD5
3a9fb4dbb40fdb3caaee8e683f158c4c

SHA1
ed2f2b31fdb13897f31c0b8f2543dcca64254f5a

SHA256
73f0f1c5480d1e14a8efdefaef29210fc24135d424a5034ae30d32a52e94175a

SHA512
c3d6bd624ba44e7bfa2855f2d4f00f87a26ec7944fce9be4210d3dc9ccda94a48a7d0cf2dfa75095af12f92875b6a9737d1ff39b31cdbc7ceddd253a1eaca94c

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
4.9MB

MD5
b026a4ecfe2b95b153f91b7c0c854200

SHA1
687a6bfae0785206cdd4577755626d046e844015

SHA256
ca018a6c42cbcff62953c8df1a288d315d86f182876a8037b41d02a604e2191f

SHA512
0afebbee95f50178db721ecb1f4aca644d9357d6ac9a7825ac775f83372fb9c0b7a56878f94dbe08e5d48bd0fe566cabc4f9b4195c218d1ff48aef3c22853388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\250119da-d207-41ae-963a-68853d1a8d49.vbs

Filesize
713B

MD5
a8fa1d596ffc040208fd8db52a6c0ecd

SHA1
ba7ab45a4a64abd62d3bad918301c08ba9160118

SHA256
5e3a14317fd412148d9bfc022ee6a9c494ca075f1942d8e089695eae257d98bd

SHA512
3e700f7ea30e8eb25b65c593ad4dbcd69b00b588d642a20d87801ea4c665f5ebffe8123c194157c5abbd100ac0f81c447a620ac698a56296ff4a8641a147ec7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4891c49f-f67a-4e7d-a792-50d21e5bca17.vbs

Filesize
713B

MD5
3b2c8f5e6aaa3b078ec368a05d090c9a

SHA1
54c3094e5605b3cce341dc20bb318423a79f5022

SHA256
00f41f4a99bd48ed69993e3b5fdfea978c1d267dbf96a77ba327a980b97cc7db

SHA512
77ff99bdb6ecb96d000680b26c09d544e5be72af9e35660e5e756b65626e0a682cc556c9151f63c9daccbeaf4b7488e958e5a64e23053ae3560a8bed69346962

Download Submit
C:\Users\Admin\AppData\Local\Temp\4caf2100-81c6-4a36-8811-aee34b30d683.vbs

Filesize
713B

MD5
4128f7adea9da657339974716fa05c65

SHA1
bb370f7f7e6818ca4c52b6b623845c232af1e058

SHA256
31d42a3c491d86e54fbefbce59f1ca8f49aa866930a3acb5164ebb82a3107d22

SHA512
4f12b4d7f17ead5287d7d2074e2347ec8ba9300eb5def3e4832451452a5a4137c0fa4cf0caf9d3429928764b3f5dfe794938e1446105dbad3acca490acb9f573

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eaac9dd-3e0d-49ef-90c0-37d1d7749e09.vbs

Filesize
713B

MD5
4d8259b9b83ca99dd792666fe1d894dc

SHA1
d649484911426f88112575f75edf6aeb2c37d4fd

SHA256
a0771d5c4ceb7ba1af3cef6db0ddd88725fb82ec9dbf50a4c36e08de023c7a9f

SHA512
73956544c627ef2735f066ee9e3612ba44b00435e0323359174241dc15036a3a343d56a7598a424d48a3d0b2cc550dce76caeb90dd8014c22c0ef9bae554190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dn8Em9rir7.bat

Filesize
202B

MD5
a1ac6ad0a39fcaee927e86cfe60e26a2

SHA1
24e58b613d0f02f6559ceaaac58a0db2b628d491

SHA256
5f967f517f75b6c6e8be5645eb35f2df6e19c6f13d6cf152f07049acabe75221

SHA512
f36fac230e05e21fce2b31e510b7666df747449639d2f5bd0368715cdc807969cd8fa90803bf46eb0842106bf3e0999312e2919f1ab2293c3d472db836f9c98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifgt4znt.3fg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b271704f-9773-4f35-a639-59e4a79e7d92.vbs

Filesize
489B

MD5
e669728e03b7a01d1ddf1499b07be0bd

SHA1
064a012ce7420005103d588441f0035b6ad37389

SHA256
206c61ed7ef7089591358d3505a80ef5793faa8a758e7590642fceb9d2038601

SHA512
59bfb73123f4e33b24c04beacf46d280f90fc0f63fc0a3e3cb7372f1c9354d449123c07b555646c5ae1efc563112afbc8801b94e0c10b6c454955ccead6eeb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\deef9046-0be6-4b40-8def-e3d1cf07dda2.vbs

Filesize
713B

MD5
dbd70f68b91add82feff4e2dbfb7e1f1

SHA1
085dd506911711e42fe25fe898f4c5c66c132ac9

SHA256
3bac463879588fcadc9416cf21cf0d4d5ae2a0c52c12df6db6bb5c818bcf43b0

SHA512
3b91e324f7aa9cd6466e40b578fcc34c19cd54e94ced4c0cda5f6db013de9c291007dd2968e76522ddd52c20ee06b42508ab6de4566fc970d9604a1606e7ca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee535249-642f-4b7b-82b0-989738e4d7a3.vbs

Filesize
713B

MD5
9e1d65c92fde28a1d9df2816b5d2fa84

SHA1
0ef1203db522b42a90f855d382deed7af9a0d5a1

SHA256
24317787f2e79bc96ea7e776a1d2b0126106f65104b2994b6e8ec37d264b897f

SHA512
19c5ebc4180d562d0ece2ebf111f0336c812bdb15cf16dccb7f65ca624509ff9d2fb82067be894951babc5a33c879f96a33641adc75d19762681e332dfc68236

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd6f679b-adf3-421b-b970-cd7c3c5f0333.vbs

Filesize
713B

MD5
fb7328093d2b8dabf7c9ed682ed55fa3

SHA1
928bbeeae6335a9f8c9de99df1a0c5314978cc51

SHA256
ddb44cac5d16599b05428b16fb425d191ee73cb27de57dd2d30ab17e964ed034

SHA512
4621d1223f6d0fa70a9a2521cc203961a7420f0ff52cd0a357defede50ca137b555170f7432097a585644d9d926a93db5ad0818559c6648b6347c6247d1b86bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FFF.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/2256-466-0x000000001C090000-0x000000001C0A2000-memory.dmp

Filesize
72KB

Download
memory/3348-204-0x0000022454960000-0x0000022454982000-memory.dmp

Filesize
136KB

Download
memory/3560-367-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/3640-11-0x0000000003480000-0x0000000003492000-memory.dmp

Filesize
72KB

Download
memory/3640-12-0x000000001CCB0000-0x000000001D1D8000-memory.dmp

Filesize
5.2MB

Download
memory/3640-194-0x00007FFE509A0000-0x00007FFE51461000-memory.dmp

Filesize
10.8MB

Download
memory/3640-145-0x00007FFE509A3000-0x00007FFE509A5000-memory.dmp

Filesize
8KB

Download
memory/3640-1-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/3640-16-0x000000001BFA0000-0x000000001BFA8000-memory.dmp

Filesize
32KB

Download
memory/3640-17-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/3640-18-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

Filesize
48KB

Download
memory/3640-13-0x0000000003490000-0x000000000349A000-memory.dmp

Filesize
40KB

Download
memory/3640-14-0x000000001BF80000-0x000000001BF8E000-memory.dmp

Filesize
56KB

Download
memory/3640-15-0x000000001BF90000-0x000000001BF9E000-memory.dmp

Filesize
56KB

Download
memory/3640-152-0x00007FFE509A0000-0x00007FFE51461000-memory.dmp

Filesize
10.8MB

Download
memory/3640-0-0x00007FFE509A3000-0x00007FFE509A5000-memory.dmp

Filesize
8KB

Download
memory/3640-6-0x0000000001B60000-0x0000000001B68000-memory.dmp

Filesize
32KB

Download
memory/3640-10-0x0000000003470000-0x000000000347A000-memory.dmp

Filesize
40KB

Download
memory/3640-8-0x0000000001B90000-0x0000000001BA6000-memory.dmp

Filesize
88KB

Download
memory/3640-9-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/3640-7-0x0000000001B70000-0x0000000001B80000-memory.dmp

Filesize
64KB

Download
memory/3640-5-0x000000001C110000-0x000000001C160000-memory.dmp

Filesize
320KB

Download
memory/3640-4-0x0000000001B40000-0x0000000001B5C000-memory.dmp

Filesize
112KB

Download
memory/3640-3-0x000000001BFE0000-0x000000001C10E000-memory.dmp

Filesize
1.2MB

Download
memory/3640-2-0x00007FFE509A0000-0x00007FFE51461000-memory.dmp

Filesize
10.8MB

Download
memory/4468-81-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download