colibri | 7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc13b91c624a83201054fb4958f229f0N.exe
Size

4.9MB
MD5

bc13b91c624a83201054fb4958f229f0
SHA1

e27bb3f83e915fff4a688543cc1c2077f7772683
SHA256

7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e
SHA512

99c8350b74759c11ef9f0a52091127624d0fb2105f836799733bb48104a7e4b6d4fa5cf27588c6f32c43370f4e373a1415b055240778d1a689a20691ba550077
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	184	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	184	schtasks.exe	86

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2616-3-0x000000001BEB0000-0x000000001BFDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
3780	powershell.exe
3392	powershell.exe
724	powershell.exe
5112	powershell.exe
4344	powershell.exe
4580	powershell.exe
4368	powershell.exe
3964	powershell.exe
4800	powershell.exe
4412	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	bc13b91c624a83201054fb4958f229f0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	MusNotification.exe

Executes dropped EXE 37 IoCs

pid	Process
4796	tmpA5D7.tmp.exe
1280	tmpA5D7.tmp.exe
2844	MusNotification.exe
724	tmpF03C.tmp.exe
4816	tmpF03C.tmp.exe
3768	MusNotification.exe
3988	tmpD78.tmp.exe
1380	tmpD78.tmp.exe
2760	MusNotification.exe
2108	tmp3F56.tmp.exe
4696	tmp3F56.tmp.exe
1572	MusNotification.exe
2024	tmp6FDC.tmp.exe
1072	tmp6FDC.tmp.exe
3260	tmp6FDC.tmp.exe
2624	MusNotification.exe
2004	tmp8BD0.tmp.exe
3492	tmp8BD0.tmp.exe
2656	MusNotification.exe
2108	tmpBDEC.tmp.exe
2728	tmpBDEC.tmp.exe
4576	MusNotification.exe
3684	tmpEEB0.tmp.exe
2344	tmpEEB0.tmp.exe
1820	MusNotification.exe
4768	tmpE5E.tmp.exe
2536	tmpE5E.tmp.exe
2984	tmpE5E.tmp.exe
2476	MusNotification.exe
1276	tmp29F4.tmp.exe
3860	tmp29F4.tmp.exe
4756	MusNotification.exe
2228	tmp450E.tmp.exe
2168	tmp450E.tmp.exe
3116	MusNotification.exe
3324	tmp6102.tmp.exe
4596	tmp6102.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc13b91c624a83201054fb4958f229f0N.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 1280	4796	tmpA5D7.tmp.exe	145
PID 724 set thread context of 4816	724	tmpF03C.tmp.exe	181
PID 3988 set thread context of 1380	3988	tmpD78.tmp.exe	188
PID 2108 set thread context of 4696	2108	tmp3F56.tmp.exe	195
PID 1072 set thread context of 3260	1072	tmp6FDC.tmp.exe	202
PID 2004 set thread context of 3492	2004	tmp8BD0.tmp.exe	208
PID 2108 set thread context of 2728	2108	tmpBDEC.tmp.exe	214
PID 3684 set thread context of 2344	3684	tmpEEB0.tmp.exe	220
PID 2536 set thread context of 2984	2536	tmpE5E.tmp.exe	227
PID 1276 set thread context of 3860	1276	tmp29F4.tmp.exe	233
PID 2228 set thread context of 2168	2228	tmp450E.tmp.exe	239
PID 3324 set thread context of 4596	3324	tmp6102.tmp.exe	245

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXAD2E.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\smss.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\55b276f4edf653	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\5940a34987c991	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXB166.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB87E.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXC7A7.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files\WindowsApps\upfc.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows Mail\smss.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	bc13b91c624a83201054fb4958f229f0N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXA6B3.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\explorer.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXBA92.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Windows\Offline Web Pages\fontdrvhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\explorer.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\7a0fd90576e088	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\Offline Web Pages\fontdrvhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\Offline Web Pages\5b884080fd4f94	bc13b91c624a83201054fb4958f229f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF03C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD78.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6FDC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE5E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp450E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6102.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA5D7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3F56.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BD0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBDEC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEEB0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp29F4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6FDC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE5E.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	bc13b91c624a83201054fb4958f229f0N.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	MusNotification.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3240	schtasks.exe
3860	schtasks.exe
1552	schtasks.exe
1316	schtasks.exe
4636	schtasks.exe
4816	schtasks.exe
3384	schtasks.exe
648	schtasks.exe
3532	schtasks.exe
2816	schtasks.exe
4148	schtasks.exe
4984	schtasks.exe
1464	schtasks.exe
5076	schtasks.exe
4264	schtasks.exe
4176	schtasks.exe
3616	schtasks.exe
4492	schtasks.exe
4424	schtasks.exe
3460	schtasks.exe
4044	schtasks.exe
1664	schtasks.exe
4580	schtasks.exe
868	schtasks.exe
4140	schtasks.exe
4888	schtasks.exe
4220	schtasks.exe
5060	schtasks.exe
2672	schtasks.exe
4000	schtasks.exe
2428	schtasks.exe
5024	schtasks.exe
1224	schtasks.exe
4672	schtasks.exe
3732	schtasks.exe
4760	schtasks.exe
4112	schtasks.exe
5088	schtasks.exe
1548	schtasks.exe
4776	schtasks.exe
4720	schtasks.exe
1796	schtasks.exe
5080	schtasks.exe
388	schtasks.exe
1084	schtasks.exe
2020	schtasks.exe
3348	schtasks.exe
1068	schtasks.exe
4352	schtasks.exe
2368	schtasks.exe
664	schtasks.exe
4372	schtasks.exe
4080	schtasks.exe
436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
2616	bc13b91c624a83201054fb4958f229f0N.exe
4344	powershell.exe
4344	powershell.exe
4412	powershell.exe
4412	powershell.exe
3964	powershell.exe
3964	powershell.exe
4800	powershell.exe
4800	powershell.exe
4368	powershell.exe
4368	powershell.exe
724	powershell.exe
724	powershell.exe
2116	powershell.exe
2116	powershell.exe
3392	powershell.exe
3392	powershell.exe
5112	powershell.exe
5112	powershell.exe
4580	powershell.exe
4580	powershell.exe
3780	powershell.exe
3780	powershell.exe
724	powershell.exe
4368	powershell.exe
4344	powershell.exe
3964	powershell.exe
4412	powershell.exe
4580	powershell.exe
4800	powershell.exe
3392	powershell.exe
2116	powershell.exe
5112	powershell.exe
3780	powershell.exe
2844	MusNotification.exe
3768	MusNotification.exe
2760	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	bc13b91c624a83201054fb4958f229f0N.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	2844	MusNotification.exe
Token: SeDebugPrivilege	3768	MusNotification.exe
Token: SeDebugPrivilege	2760	MusNotification.exe
Token: SeDebugPrivilege	1572	MusNotification.exe
Token: SeDebugPrivilege	2624	MusNotification.exe
Token: SeDebugPrivilege	2656	MusNotification.exe
Token: SeDebugPrivilege	4576	MusNotification.exe
Token: SeDebugPrivilege	1820	MusNotification.exe
Token: SeDebugPrivilege	2476	MusNotification.exe
Token: SeDebugPrivilege	4756	MusNotification.exe
Token: SeDebugPrivilege	3116	MusNotification.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4796	2616	bc13b91c624a83201054fb4958f229f0N.exe	143
PID 2616 wrote to memory of 4796	2616	bc13b91c624a83201054fb4958f229f0N.exe	143
PID 2616 wrote to memory of 4796	2616	bc13b91c624a83201054fb4958f229f0N.exe	143
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 4796 wrote to memory of 1280	4796	tmpA5D7.tmp.exe	145
PID 2616 wrote to memory of 3780	2616	bc13b91c624a83201054fb4958f229f0N.exe	151
PID 2616 wrote to memory of 3780	2616	bc13b91c624a83201054fb4958f229f0N.exe	151
PID 2616 wrote to memory of 4368	2616	bc13b91c624a83201054fb4958f229f0N.exe	152
PID 2616 wrote to memory of 4368	2616	bc13b91c624a83201054fb4958f229f0N.exe	152
PID 2616 wrote to memory of 3964	2616	bc13b91c624a83201054fb4958f229f0N.exe	153
PID 2616 wrote to memory of 3964	2616	bc13b91c624a83201054fb4958f229f0N.exe	153
PID 2616 wrote to memory of 4580	2616	bc13b91c624a83201054fb4958f229f0N.exe	154
PID 2616 wrote to memory of 4580	2616	bc13b91c624a83201054fb4958f229f0N.exe	154
PID 2616 wrote to memory of 4344	2616	bc13b91c624a83201054fb4958f229f0N.exe	155
PID 2616 wrote to memory of 4344	2616	bc13b91c624a83201054fb4958f229f0N.exe	155
PID 2616 wrote to memory of 2116	2616	bc13b91c624a83201054fb4958f229f0N.exe	157
PID 2616 wrote to memory of 2116	2616	bc13b91c624a83201054fb4958f229f0N.exe	157
PID 2616 wrote to memory of 724	2616	bc13b91c624a83201054fb4958f229f0N.exe	158
PID 2616 wrote to memory of 724	2616	bc13b91c624a83201054fb4958f229f0N.exe	158
PID 2616 wrote to memory of 5112	2616	bc13b91c624a83201054fb4958f229f0N.exe	160
PID 2616 wrote to memory of 5112	2616	bc13b91c624a83201054fb4958f229f0N.exe	160
PID 2616 wrote to memory of 3392	2616	bc13b91c624a83201054fb4958f229f0N.exe	161
PID 2616 wrote to memory of 3392	2616	bc13b91c624a83201054fb4958f229f0N.exe	161
PID 2616 wrote to memory of 4412	2616	bc13b91c624a83201054fb4958f229f0N.exe	162
PID 2616 wrote to memory of 4412	2616	bc13b91c624a83201054fb4958f229f0N.exe	162
PID 2616 wrote to memory of 4800	2616	bc13b91c624a83201054fb4958f229f0N.exe	163
PID 2616 wrote to memory of 4800	2616	bc13b91c624a83201054fb4958f229f0N.exe	163
PID 2616 wrote to memory of 2108	2616	bc13b91c624a83201054fb4958f229f0N.exe	172
PID 2616 wrote to memory of 2108	2616	bc13b91c624a83201054fb4958f229f0N.exe	172
PID 2108 wrote to memory of 4972	2108	cmd.exe	175
PID 2108 wrote to memory of 4972	2108	cmd.exe	175
PID 2108 wrote to memory of 2844	2108	cmd.exe	176
PID 2108 wrote to memory of 2844	2108	cmd.exe	176
PID 2844 wrote to memory of 1432	2844	MusNotification.exe	177
PID 2844 wrote to memory of 1432	2844	MusNotification.exe	177
PID 2844 wrote to memory of 244	2844	MusNotification.exe	178
PID 2844 wrote to memory of 244	2844	MusNotification.exe	178
PID 2844 wrote to memory of 724	2844	MusNotification.exe	179
PID 2844 wrote to memory of 724	2844	MusNotification.exe	179
PID 2844 wrote to memory of 724	2844	MusNotification.exe	179
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 724 wrote to memory of 4816	724	tmpF03C.tmp.exe	181
PID 1432 wrote to memory of 3768	1432	WScript.exe	182
PID 1432 wrote to memory of 3768	1432	WScript.exe	182
PID 3768 wrote to memory of 864	3768	MusNotification.exe	183
PID 3768 wrote to memory of 864	3768	MusNotification.exe	183
PID 3768 wrote to memory of 2876	3768	MusNotification.exe	184
PID 3768 wrote to memory of 2876	3768	MusNotification.exe	184
PID 3768 wrote to memory of 3988	3768	MusNotification.exe	186
PID 3768 wrote to memory of 3988	3768	MusNotification.exe	186
PID 3768 wrote to memory of 3988	3768	MusNotification.exe	186
PID 3988 wrote to memory of 1380	3988	tmpD78.tmp.exe	188
PID 3988 wrote to memory of 1380	3988	tmpD78.tmp.exe	188
PID 3988 wrote to memory of 1380	3988	tmpD78.tmp.exe	188

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bc13b91c624a83201054fb4958f229f0N.exe
"C:\Users\Admin\AppData\Local\Temp\bc13b91c624a83201054fb4958f229f0N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Users\Admin\AppData\Local\Temp\tmpA5D7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA5D7.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\tmpA5D7.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA5D7.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFm4j3lsar.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4972
- - C:\Users\Default User\MusNotification.exe
    "C:\Users\Default User\MusNotification.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85493a62-bad5-479c-bb83-271cc2cc35ac.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3768
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\507e3331-db78-441c-a5ab-b8fc104cad6a.vbs"
        6⤵
        
        PID:864
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ad4afd0-1414-466f-b337-9cc1522406f6.vbs"
        8⤵
        
        PID:4484
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d209d095-7abe-4fd3-879b-413f99c10009.vbs"
        10⤵
        
        PID:3596
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ad4ac8-abd0-4efb-a92f-57e2c57b3dd7.vbs"
        12⤵
        
        PID:2128
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7dc653f-2d54-4b5e-9269-0d4efc5d27a9.vbs"
        14⤵
        
        PID:3148
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb68f0fe-9749-4141-9d34-a5e156625452.vbs"
        16⤵
        
        PID:3816
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bbd9ad0-b7a8-497b-af73-2892bfe1c223.vbs"
        18⤵
        
        PID:4152
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7e3727b-39f7-49a0-b15c-e256af6df9fb.vbs"
        20⤵
        
        PID:4896
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e61800cf-749d-49f7-9036-6df57637c581.vbs"
        22⤵
        
        PID:3856
        
        C:\Users\Default User\MusNotification.exe
        
        "C:\Users\Default User\MusNotification.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ec5f604-f40e-4c1e-b64e-6cf7873ea50b.vbs"
        24⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3db83558-6109-4831-8d97-3d787a9f6c5c.vbs"
        24⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp6102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6102.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp6102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6102.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0334c72-1a1d-4924-9b11-5575dbfd2399.vbs"
        22⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmp450E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp450E.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp450E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp450E.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bee077b-3bce-4db5-a99e-7697c055b067.vbs"
        20⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmp29F4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp29F4.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp29F4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp29F4.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a85ecf88-3f67-4223-b94e-213c7cb6b1cc.vbs"
        18⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE5E.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\753debfe-d37c-470f-a466-064dd8d0c21e.vbs"
        16⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmpEEB0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEEB0.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmpEEB0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEEB0.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9b33456-13be-4d7c-8f55-eca3934a4005.vbs"
        14⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBDEC.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85e95b25-5dca-4ffe-b4b7-4e4e4feb09f3.vbs"
        12⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp8BD0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8BD0.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp8BD0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8BD0.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b783133c-db5c-4266-a8f9-075747cedad4.vbs"
        10⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6FDC.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca8b012-fd4f-4359-a462-74ae0c71b8b1.vbs"
        8⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3F56.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eda40887-5bf7-4533-ab94-f59a215434e7.vbs"
        6⤵
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1380
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be213dc3-a47e-41de-93c9-20c794d7f85f.vbs"
      4⤵
      PID:244
  - - C:\Users\Admin\AppData\Local\Temp\tmpF03C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF03C.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:724
    - - C:\Users\Admin\AppData\Local\Temp\tmpF03C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF03C.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bc13b91c624a83201054fb4958f229f0Nb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\bc13b91c624a83201054fb4958f229f0N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bc13b91c624a83201054fb4958f229f0N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\bc13b91c624a83201054fb4958f229f0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bc13b91c624a83201054fb4958f229f0Nb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\bc13b91c624a83201054fb4958f229f0N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Pictures\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Pictures\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\StartMenuExperienceHost.exe

Filesize
4.9MB

MD5
bc13b91c624a83201054fb4958f229f0

SHA1
e27bb3f83e915fff4a688543cc1c2077f7772683

SHA256
7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e

SHA512
99c8350b74759c11ef9f0a52091127624d0fb2105f836799733bb48104a7e4b6d4fa5cf27588c6f32c43370f4e373a1415b055240778d1a689a20691ba550077

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
4.9MB

MD5
66880be96a9430e71ee9e9d09a89d503

SHA1
72c69fab528fff0caa0d1d41822f75626b84347b

SHA256
f79472100afd5f47c12e6ed22af4e269a8b7b47cd87260cc69996aa6e0930d28

SHA512
0fbcc0c9782b9c5354139a500ea3d7f73d0285829a2cfc0838c312ca9c8736c69c98c91868ad0c8c4ac5a49e12256f345e1aba5a86fc44bf1848fde5385a9725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MusNotification.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ad4afd0-1414-466f-b337-9cc1522406f6.vbs

Filesize
717B

MD5
3cc8011970a7f668410a0b546caceaf4

SHA1
cdaab463af0f4a3d67a5643fe0844e73e13a50bc

SHA256
9b4abd971996d17e65f46802bcad83cff11757fae757afb6b8f4296d86ebb0de

SHA512
1577adb98a01246e4a6a417d5a824efd1f5799d71c0ac19cbe21677d6a4bb59e5da8f641444ebb04acbf5d2a90b19cbf84b488accf8a215ca66c52d3c9aa04cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\507e3331-db78-441c-a5ab-b8fc104cad6a.vbs

Filesize
717B

MD5
929c4237affae5ce75a3614839f35b48

SHA1
ec310f7118f82171d9ab22c6248bda2c6c1e4907

SHA256
a0117e2418f27d937e8dad400e14cf9f298ca78e6e672195b60538e3f37a8276

SHA512
bbe66bf69f3a619dba5d0a0b8b53dcda249a80b5f16b8cd799865f76d933d131a8ce99162020031e2db83dbaac27819f2e63d7121b7ee9256318eb395d0a214a

Download Submit
C:\Users\Admin\AppData\Local\Temp\85493a62-bad5-479c-bb83-271cc2cc35ac.vbs

Filesize
717B

MD5
4052ec174df6d2281444d567c0254d6e

SHA1
35334099f8e0fe54443fb01bd2903bce15efd345

SHA256
5675ced44534a279e54962d52f9ebee8d106b674a241ab01fb827243ca2bdf4c

SHA512
0696fb870d3ef4eb44119637bd783b5ea9777d1806c50746d9a3529e4dcde381e1b24c09e77bc8dbe91488bc46ed186023d3f25d523757897997fffe484c6fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\93ad4ac8-abd0-4efb-a92f-57e2c57b3dd7.vbs

Filesize
717B

MD5
26b100e390fefe63aeebb5a79f6e0551

SHA1
a239d211eb83c3478a2d32cc6c25a29305122a2b

SHA256
e5a82590112dd041b77ea4ebd3bdec7e6c4f680ea0a31d221a1396873a2bb31d

SHA512
0011119584a8e679a51d4c4242128fbdb5fffecddcc4020a0243cebe0a8a00c1db4deda95da4ce1c72f463559922c80a5bbf9c935f9d16d41bd183602905e0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mfhwxhr3.brp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be213dc3-a47e-41de-93c9-20c794d7f85f.vbs

Filesize
493B

MD5
aa91491f5ab4e4fd6a6b5bdb824b7762

SHA1
5b0b171a66572d280aab2a1ab3c7fb27f4f62b97

SHA256
2bf2b8c01cac2c2221f44f30946bb44dd58c2cad73d21000c705f729f2e4c441

SHA512
74f1f9c69344cc7bd408ecc2593e4d8fc52bbada70aab4db8c1f4ab5819c6e46687d59efa912221dc58619ee262b1dc904a650e16a6afc743f708b84e1000bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d209d095-7abe-4fd3-879b-413f99c10009.vbs

Filesize
717B

MD5
43ee724aafd7e7c30ebbe6f2b6eb681f

SHA1
051a1a40dbe6dcefc5d03b34e7b323a3b1134f69

SHA256
4ac942363150355959d61d53fe0dcfb429605553318e967a30c7b5781f4c96b8

SHA512
eb8edbdcbd359cf8cb8f6f8383b5ba2f217734982f01ed0ed0de4c0ecb5bd4737374161d25427cbe006255d1e8700c4187be0413b7d57937a4e31f24d48a71ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb68f0fe-9749-4141-9d34-a5e156625452.vbs

Filesize
717B

MD5
c6138fce66dc64755b700587e83343ec

SHA1
b0489beedf23b7a6b11956abe9765baea2f31b69

SHA256
c99e181ff61fe49a307094e43a3b90929cb03bc0c2fd199b8b248ec02e6ebed2

SHA512
a7811b12cf353a81533cb6d85aa3aabc18c233066a971c580563eff3780ff3bcda4453c2e8cb36971b0d34195bc23aac7b4e9716b9d487cc29230314595c2126

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7dc653f-2d54-4b5e-9269-0d4efc5d27a9.vbs

Filesize
717B

MD5
1df608ba41a239205ab7c8d8ef7b07d1

SHA1
0b36408da724e53f242038ec4778176cd91cc3f9

SHA256
dcba4517cd043cf8964e91a453be2581ade22721bbd710fd354c69df8b5a6365

SHA512
7c11734d2248d17f4d716a2ca80fb8661bdff1dbdb00937ad2b29d324e4b07be6b8edb5b9c840a0f5bb69576e13057466ce1042cb281c66a0414896bb5219d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFm4j3lsar.bat

Filesize
206B

MD5
b677c2cc6cb64b891132e75c25db622b

SHA1
7b1aacd0c071b1d49982450e55df16c5a3ace9d8

SHA256
b568bd1d8d2222c0eda1c2187e416976f588a68a0858a02b7e49a6af364ac0b7

SHA512
03e0591773d75edd2dadc778fa1a6f96ff3304e5dc9c218f1c44092454e80af890f52ba34f4e56e434b98c2e9a4dcf1a07a7b35c4f0d825c226b851ccf4f9168

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5D7.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1280-81-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1572-391-0x000000001BA80000-0x000000001BA92000-memory.dmp

Filesize
72KB

Download
memory/1820-484-0x0000000002B60000-0x0000000002B72000-memory.dmp

Filesize
72KB

Download
memory/2616-11-0x000000001C6A0000-0x000000001C6B2000-memory.dmp

Filesize
72KB

Download
memory/2616-12-0x000000001CC50000-0x000000001D178000-memory.dmp

Filesize
5.2MB

Download
memory/2616-192-0x00007FFC3A490000-0x00007FFC3AF51000-memory.dmp

Filesize
10.8MB

Download
memory/2616-149-0x00007FFC3A493000-0x00007FFC3A495000-memory.dmp

Filesize
8KB

Download
memory/2616-0-0x00007FFC3A493000-0x00007FFC3A495000-memory.dmp

Filesize
8KB

Download
memory/2616-17-0x000000001C740000-0x000000001C748000-memory.dmp

Filesize
32KB

Download
memory/2616-18-0x000000001C750000-0x000000001C75C000-memory.dmp

Filesize
48KB

Download
memory/2616-14-0x000000001C6C0000-0x000000001C6CE000-memory.dmp

Filesize
56KB

Download
memory/2616-16-0x000000001C730000-0x000000001C738000-memory.dmp

Filesize
32KB

Download
memory/2616-15-0x000000001C720000-0x000000001C72E000-memory.dmp

Filesize
56KB

Download
memory/2616-13-0x000000001C6B0000-0x000000001C6BA000-memory.dmp

Filesize
40KB

Download
memory/2616-159-0x00007FFC3A490000-0x00007FFC3AF51000-memory.dmp

Filesize
10.8MB

Download
memory/2616-1-0x0000000000CC0000-0x00000000011B4000-memory.dmp

Filesize
5.0MB

Download
memory/2616-10-0x00000000032C0000-0x00000000032CA000-memory.dmp

Filesize
40KB

Download
memory/2616-8-0x000000001C680000-0x000000001C696000-memory.dmp

Filesize
88KB

Download
memory/2616-9-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/2616-3-0x000000001BEB0000-0x000000001BFDE000-memory.dmp

Filesize
1.2MB

Download
memory/2616-7-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/2616-5-0x000000001C6D0000-0x000000001C720000-memory.dmp

Filesize
320KB

Download
memory/2616-6-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/2616-4-0x0000000003250000-0x000000000326C000-memory.dmp

Filesize
112KB

Download
memory/2616-2-0x00007FFC3A490000-0x00007FFC3AF51000-memory.dmp

Filesize
10.8MB

Download
memory/2760-367-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

Filesize
72KB

Download
memory/4412-207-0x00000222F6790000-0x00000222F67B2000-memory.dmp

Filesize
136KB

Download