Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 01:19
Static task: static1
Behavioral task: behavioral1
Sample: c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Resource: win7-20240903-en
General

Target: c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Size: 4.9MB
MD5: 6cfaf22786065665e95db058e2a9a182
SHA1: d7d892832905f76a6d5b9fd6958d0026f32a64fd
SHA256: c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98
SHA512: 47fd9921b2ce73c24bb6df62130b7996fc936ec62cbfd634694cee5fbc1b6eeb4de0572ddc356b695129bf2a2f52a454bc35bee31105d2af83cf69d6059baf86
SSDEEP: 49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config

Extracted
Family: colibri
Version: 1.2.0
Build: Build1
C2:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is wmiprvse.exe (the WMI Provider Host). A child whose parent is wmiprvse.exe is the normal footprint of process creation through WMI (Win32_Process.Create), so these rows are consistent with schtasks.exe being launched through WMI rather than with wmiprvse.exe itself being exploited; read them together with the "Scheduled Task" signature below.

description | pid | pid_target | Process | procid_target
All 51 rows have the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 668, Process schtasks.exe and procid_target 86. The 51 child pids, in report order:
4952, 2768, 1468, 1424, 1196, 4220, 4472, 3644, 2152, 2068, 5040, 5016, 3412, 3944, 3892, 1556, 1920, 3008, 4112, 2972, 3844, 3664, 1528, 1044, 2852, 2812, 3936, 5004, 4104, 3840, 1184, 3752, 3068, 3172, 3836, 2844, 3956, 2796, 2008, 3812, 3916, 5008, 1232, 4752, 3460, 212, 2236, 3932, 2752, 2584, 2164
description | ioc | Process
(All ioc paths are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, abbreviated below to Policies\System\<value>.)
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | upfc.exe
Set value (int) | Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\ConsentPromptBehaviorAdmin = "0" | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int) | Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | upfc.exe
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
Set value (int) | Policies\System\PromptOnSecureDesktop = "0" | Process not Found
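The three values written above (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, each forced to 0) are the standard way of switching UAC off or making it silent. The detector below is an added example for this report, not part of the sandbox output: it takes Sysmon Event ID 13 (registry value set) records, normalises the \REGISTRY\MACHINE\ spelling the report uses onto the HKLM\ form Sysmon emits, and flags any write that drops one of these values below a safe minimum. The events are constructed to mirror rows from the table (the sample and upfc.exe as writers; the benign rows are invented), and the function names and the minimum-value baseline are this example's own assumptions.

```python
"""Detect UAC policy downgrades in Sysmon-style registry value-set events.

Added example for this report, not part of the sandbox output. The events
below are constructed to mirror rows in the table above, in the field layout
of Sysmon Event ID 13 (TargetObject / Details / Image / ProcessId); function
names and the minimum-value baseline are this example's own.
"""
import re

# Key under which the three UAC policy values live (HKLM hive).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Lowest value that still keeps each control on. Writing below it weakens UAC:
# EnableLUA=0 turns UAC off (effective after reboot), ConsentPromptBehaviorAdmin=0
# elevates admins silently, PromptOnSecureDesktop=0 moves the prompt off the
# secure desktop where other processes can interact with it.
UAC_MINIMUMS = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 2,
    "PromptOnSecureDesktop": 1,
}

# Sysmon renders DWORD data as 'DWORD (0x00000000)'.
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalise_key(path: str) -> str:
    """Fold the native \\REGISTRY\\MACHINE\\ spelling (as in the report) and
    HKEY_LOCAL_MACHINE\\ onto the HKLM\\ form Sysmon uses."""
    upper = path.upper()
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if upper.startswith(prefix):
            return "HKLM\\" + path[len(prefix):]
    return path


def parse_dword(details: str):
    """Return the integer in a Sysmon DWORD string, or None for other data."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def check_event(event: dict):
    """Return a finding for a UAC downgrade, or None if the event is benign."""
    target = normalise_key(event["TargetObject"])
    key, _, value_name = target.rpartition("\\")
    if not key.upper().endswith(UAC_KEY.upper()) or value_name not in UAC_MINIMUMS:
        return None
    data = parse_dword(event.get("Details", ""))
    if data is None or data >= UAC_MINIMUMS[value_name]:
        return None
    return {
        "value": value_name,
        "data": data,
        "image": event.get("Image", "<unattributed>"),
        "pid": event.get("ProcessId"),
    }


def scan(events):
    """All UAC-downgrade findings in a stream of registry events."""
    return [f for f in map(check_event, events) if f]


def summarise(findings):
    """Image -> sorted, deduplicated list of the UAC values it downgraded."""
    out = {}
    for f in findings:
        out.setdefault(f["image"], set()).add(f["value"])
    return {img: sorted(vals) for img, vals in out.items()}


# Constructed sample input mirroring the report's rows. Image is the bare file
# name because the report does not give full paths; the two gpupdate.exe rows
# are invented benign writes that must not fire.
SAMPLE_NAME = "c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 1472, "Image": SAMPLE_NAME,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 4068, "Image": "upfc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 4068, "Image": "upfc.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 900, "Image": "gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},
    {"EventID": 13, "ProcessId": 900, "Image": "gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['image']} (pid {f['pid']}) set {f['value']} = {f['data']}")
```

Two practical notes. EnableLUA=0 only takes effect after the next reboot, so a host that shows the write but still prompts is not clean. And the report leaves most of these writes as "Process not Found", so when counting on real telemetry group by value written rather than by writing process, as summarise() does per image only where an image is known.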
resource | yara_rule
behavioral2/memory/1472-3-0x000000001B500000-0x000000001B62E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4912 | powershell.exe
5008 | powershell.exe
2796 | powershell.exe
4172 | powershell.exe
3104 | powershell.exe
2432 | powershell.exe
3332 | powershell.exe
4116 | powershell.exe
1232 | powershell.exe
4796 | powershell.exe
4272 | powershell.exe
Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
(All rows query \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation.)
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Key value queried | Geo\Nation | upfc.exe
Key value queried | Geo\Nation | upfc.exe
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | Process not Found
Key value queried | Geo\Nation | Process not Found
Executes dropped EXE 64 IoCs
pid | Process
All 64 rows are tmp8DEA.tmp.exe; pids in report order:
3624, 1640, 616, 1824, 2400, 1524, 2276, 376, 2912, 1468, 4920, 2508, 3644, 2068, 2780, 2572, 5036, 2332, 4736, 244, 1588, 1528, 2784, 3936, 4388, 428, 2760, 4424, 772, 5112, 2232, 3940, 1440, 2368, 4272, 2012, 4604, 4620, 320, 3280, 8, 1076, 1948, 3324, 1608, 816, 1728, 5044, 4884, 2208, 2424, 1524, 2276, 3452, 2768, 1468, 2684, 2596, 4224, 4512, 1532, 1636, 1296, 3912
description | ioc | Process
(All rows touch \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, abbreviated below to Policies\System\EnableLUA.)
Set value (int) | Policies\System\EnableLUA = "0" | upfc.exe
Key value queried | Policies\System\EnableLUA | Process not Found
Key value queried | Policies\System\EnableLUA | Process not Found
Key value queried | Policies\System\EnableLUA | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Key value queried | Policies\System\EnableLUA | upfc.exe
Key value queried | Policies\System\EnableLUA | Process not Found
Key value queried | Policies\System\EnableLUA | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | upfc.exe
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Key value queried | Policies\System\EnableLUA | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Key value queried | Policies\System\EnableLUA | upfc.exe
Key value queried | Policies\System\EnableLUA | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Key value queried | Policies\System\EnableLUA | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | Policies\System\EnableLUA = "0" | Process not Found
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 2972 set thread context of 4912 | 2972 | tmpC071.tmp.exe | 1296
PID 112 set thread context of 1656 | 112 | tmpDF44.tmp.exe | 2055
PID 4908 set thread context of 4220 | 4908 | Process not Found | 3289
PID 2868 set thread context of 4324 | 2868 | Process not Found | 2647
PID 1584 set thread context of 2780 | 1584 | Process not Found | 4476
PID 2728 set thread context of 4036 | 2728 | Process not Found | 6851
Drops file in Program Files directory 16 IoCs
description | ioc | Process
(Process is c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe for all 16 rows.)
File created | C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\RCXA3AF.tmp
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe
File created | C:\Program Files\Internet Explorer\SIGNUP\dwm.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\9e8d7a4ca61bd9
File created | C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCX9551.tmp
File created | C:\Program Files\Internet Explorer\SIGNUP\6cb0b6c459d5d3
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\RCX90EA.tmp
File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\dwm.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\RCXAE05.tmp
Drops file in Windows directory 24 IoCs
description | ioc | Process
(Process is c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe for all 24 rows.)
File created | C:\Windows\schemas\ea1d8f6d871115
File created | C:\Windows\Globalization\ELS\RuntimeBroker.exe
File opened for modification | C:\Windows\IME\RCX8EC6.tmp
File opened for modification | C:\Windows\IME\MusNotification.exe
File opened for modification | C:\Windows\Globalization\ELS\RCXA1AB.tmp
File opened for modification | C:\Windows\Performance\WinSAT\RCXA5C4.tmp
File opened for modification | C:\Windows\fr-FR\RCXA7C8.tmp
File opened for modification | C:\Windows\schemas\RCX9765.tmp
File created | C:\Windows\schemas\upfc.exe
File created | C:\Windows\Microsoft.NET\authman\lsass.exe
File created | C:\Windows\Microsoft.NET\authman\6203df4a6bafc7
File created | C:\Windows\Globalization\ELS\9e8d7a4ca61bd9
File created | C:\Windows\Performance\WinSAT\0a1fd5f707cd16
File created | C:\Windows\fr-FR\dllhost.exe
File created | C:\Windows\fr-FR\5940a34987c991
File opened for modification | C:\Windows\schemas\upfc.exe
File opened for modification | C:\Windows\Performance\WinSAT\sppsvc.exe
File opened for modification | C:\Windows\Microsoft.NET\authman\RCX9B7E.tmp
File opened for modification | C:\Windows\Microsoft.NET\authman\lsass.exe
File opened for modification | C:\Windows\fr-FR\dllhost.exe
File created | C:\Windows\IME\MusNotification.exe
File created | C:\Windows\IME\aa97147c4c782d
File created | C:\Windows\Performance\WinSAT\sppsvc.exe
File opened for modification | C:\Windows\Globalization\ELS\RuntimeBroker.exe
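The two "Drops file" tables share one pattern: every payload borrows the name of a Windows system binary (lsass.exe, services.exe, spoolsv.exe, dwm.exe, dllhost.exe, RuntimeBroker.exe, sppsvc.exe, MusNotification.exe, upfc.exe) but lands in a directory where that binary never lives, and each drop is accompanied by an RCX<hex>.tmp staging file opened for modification in the same directory and by a 14-hex-character companion file with no extension. The script below is an added example for this report, not part of the sandbox output: it classifies created or modified paths into those three categories. The map of where each genuine binary resides is this example's own assumption for a stock Windows 10 x64 image and should be checked against a clean reference build before it is used as a rule; the sample paths are taken from the tables above plus three invented benign paths.

```python
"""Flag dropped files that borrow Windows system binary names outside the
directories where the genuine copies live, plus the RCX*.tmp staging files and
14-hex-character companion files seen next to each drop in the tables above.

Added example for this report, not part of the sandbox output. The directory
map is this example's assumption for a stock Windows 10 x64 image (the nine
names are the ones the report shows being dropped).
"""
import re
from pathlib import PureWindowsPath

# name (lower-case) -> directories where the real binary is expected (assumed).
SYSTEM_BINARIES = {
    "lsass.exe": (r"C:\Windows\System32",),
    "services.exe": (r"C:\Windows\System32",),
    "spoolsv.exe": (r"C:\Windows\System32",),
    "dwm.exe": (r"C:\Windows\System32",),
    "dllhost.exe": (r"C:\Windows\System32", r"C:\Windows\SysWOW64"),
    "runtimebroker.exe": (r"C:\Windows\System32",),
    "sppsvc.exe": (r"C:\Windows\System32",),
    "musnotification.exe": (r"C:\Windows\System32",),
    "upfc.exe": (r"C:\Windows\System32",),
}

# Companion files in the report are 14 lower-case hex characters with no
# extension (e.g. 9e8d7a4ca61bd9); staging files are RCX<4 hex>.tmp.
_COMPANION_RE = re.compile(r"[0-9a-f]{14}")
_STAGING_RE = re.compile(r"RCX[0-9A-F]{4}\.tmp", re.IGNORECASE)


def classify(path: str):
    """Return (category, reason) for one created/modified path, or None."""
    p = PureWindowsPath(path)
    name, parent = p.name, str(p.parent)
    expected = SYSTEM_BINARIES.get(name.lower())
    if expected is not None:
        if parent.lower() in {d.lower() for d in expected}:
            return None  # genuine location
        return ("masquerade", f"{name} outside {', '.join(expected)}")
    if _STAGING_RE.fullmatch(name):
        return ("staging", "RCX*.tmp write-then-rename staging file")
    if _COMPANION_RE.fullmatch(name):
        return ("companion", "14-hex-character companion file")
    return None


def scan(paths):
    """List of (path, category, reason) for every suspicious path."""
    out = []
    for path in paths:
        hit = classify(path)
        if hit:
            out.append((path, hit[0], hit[1]))
    return out


def by_directory(findings):
    """Directory -> sorted categories seen there. A directory holding a
    masqueraded binary together with a companion file is the strongest
    per-directory indicator in this report."""
    groups = {}
    for path, category, _reason in findings:
        groups.setdefault(str(PureWindowsPath(path).parent), set()).add(category)
    return {d: sorted(c) for d, c in groups.items()}


# Constructed sample input: paths from the two "Drops file" tables, plus three
# benign paths (invented) that must not fire.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe",
    r"C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24",
    r"C:\Program Files (x86)\Windows Multimedia Platform\RCXA3AF.tmp",
    r"C:\Program Files\Internet Explorer\SIGNUP\dwm.exe",
    r"C:\Windows\Microsoft.NET\authman\lsass.exe",
    r"C:\Windows\Microsoft.NET\authman\6203df4a6bafc7",
    r"C:\Windows\fr-FR\dllhost.exe",
    r"C:\Windows\schemas\upfc.exe",
    r"C:\Windows\IME\MusNotification.exe",
    r"C:\Windows\Performance\WinSAT\sppsvc.exe",
    r"C:\Windows\System32\lsass.exe",      # benign
    r"C:\Windows\SysWOW64\dllhost.exe",    # benign
    r"C:\Windows\Temp\report.txt",         # benign
]

if __name__ == "__main__":
    for path, category, reason in scan(SAMPLE_PATHS):
        print(f"[{category}] {path}: {reason}")
```

The name check alone is enough to catch every payload in both tables, because none of the dropped executables sits in System32 or SysWOW64. The RCX*.tmp rows are worth keeping in a rule as well: the report shows each one opened for modification in the same directory as the final .exe, which is consistent with a write-to-temp-then-rename drop, so the .tmp name is visible before the masqueraded name is.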
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". The Process column is tmp8DEA.tmp.exe in 17 rows and Process not Found in the remaining 47.
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | upfc.exe
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | Process not Found
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 51 rows are schtasks.exe; pids in report order:
2812, 2164, 4472, 2068, 3752, 1468, 5016, 3812, 4220, 4112, 5008, 4752, 3412, 3172, 3844, 2852, 3840, 3644, 3068, 3916, 1232, 2236, 2584, 4104, 2008, 3460, 3932, 4952, 3944, 3956, 3008, 5004, 3892, 3664, 2752, 1044, 212, 2152, 1920, 3936, 1196, 3836, 1184, 2768, 1556, 1528, 1424, 5040, 2796, 2972, 2844
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1472 | c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe (28 rows)
powershell.exe (34 rows), pids in report order: 2432, 2432, 4172, 4172, 5008, 5008, 1232, 1232, 4116, 4116, 3104, 3104, 2796, 2796, 4272, 4272, 4796, 4796, 4912, 4912, 2432, 2432, 3332, 3332, 3104, 1232, 5008, 4172, 4116, 2796, 4912, 4796, 4272, 3332
4068 | upfc.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 21 IoCs
description              pid   Process
Token: SeDebugPrivilege  1472  c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Token: SeDebugPrivilege  2432  powershell.exe
Token: SeDebugPrivilege  4172  powershell.exe
Token: SeDebugPrivilege  5008  powershell.exe
Token: SeDebugPrivilege  1232  powershell.exe
Token: SeDebugPrivilege  4116  powershell.exe
Token: SeDebugPrivilege  3104  powershell.exe
Token: SeDebugPrivilege  2796  powershell.exe
Token: SeDebugPrivilege  4272  powershell.exe
Token: SeDebugPrivilege  4796  powershell.exe
Token: SeDebugPrivilege  4912  powershell.exe
Token: SeDebugPrivilege  3332  powershell.exe
Token: SeDebugPrivilege  4068  upfc.exe
Token: SeDebugPrivilege  4360  upfc.exe
Token: SeDebugPrivilege  1732  Process not Found
Token: SeDebugPrivilege  2992  Process not Found
Token: SeDebugPrivilege  2780  Process not Found
Token: SeDebugPrivilege  1532  Process not Found
Token: SeDebugPrivilege  2832  Process not Found
Token: SeDebugPrivilege  1804  Process not Found
Token: SeDebugPrivilege  3424  Process not Found
-
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                                                                 procid_target  writes logged
PID 1472 wrote to memory of 3624  1472  c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe  140            3
PID 3624 wrote to memory of 1640  3624  tmp8DEA.tmp.exe                                                         142            3
PID 1640 wrote to memory of 616   1640  tmp8DEA.tmp.exe                                                         143            3
PID 616 wrote to memory of 1824   616   tmp8DEA.tmp.exe                                                         144            3
PID 1824 wrote to memory of 2400  1824  tmp8DEA.tmp.exe                                                         145            3
PID 2400 wrote to memory of 1524  2400  tmp8DEA.tmp.exe                                                         193            3
PID 1524 wrote to memory of 2276  1524  tmp8DEA.tmp.exe                                                         194            3
PID 2276 wrote to memory of 376   2276  tmp8DEA.tmp.exe                                                         148            3
PID 376 wrote to memory of 2912   376   tmp8DEA.tmp.exe                                                         149            3
PID 2912 wrote to memory of 1468  2912  tmp8DEA.tmp.exe                                                         197            3
PID 1468 wrote to memory of 4920  1468  tmp8DEA.tmp.exe                                                         151            3
PID 4920 wrote to memory of 2508  4920  tmp8DEA.tmp.exe                                                         250            3
PID 2508 wrote to memory of 3644  2508  tmp8DEA.tmp.exe                                                         153            3
PID 3644 wrote to memory of 2068  3644  tmp8DEA.tmp.exe                                                         154            3
PID 2068 wrote to memory of 2780  2068  tmp8DEA.tmp.exe                                                         156            3
PID 2780 wrote to memory of 2572  2780  tmp8DEA.tmp.exe                                                         157            3
PID 2572 wrote to memory of 5036  2572  tmp8DEA.tmp.exe                                                         158            3
PID 5036 wrote to memory of 2332  5036  tmp8DEA.tmp.exe                                                         256            3
PID 2332 wrote to memory of 4736  2332  tmp8DEA.tmp.exe                                                         160            3
PID 4736 wrote to memory of 244   4736  tmp8DEA.tmp.exe                                                         161            3
PID 244 wrote to memory of 1588   244   tmp8DEA.tmp.exe                                                         162            3
PID 1588 wrote to memory of 1528  1588  tmp8DEA.tmp.exe                                                         163            1 (list cut off at 64 IoCs)
-
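The WriteProcessMemory records above are one parent-to-child chain: the sample (PID 1472) launches tmp8DEA.tmp.exe, which launches itself again, and so on down the process tree below. The Python that follows is added here as a worked example; it is not part of the sandbox report and not code from the sample. It parses records in the format printed above, reconstructs the chain, counts the hops on which the dropper re-spawns its own image, and flags hops whose procid_target is out of order. It assumes procid_target is a sandbox-internal index handed out in process-creation order (an assumption, not something this page documents); under that assumption an out-of-order value means the PID was resolved to a later process that had reused it, which agrees with the tree below, where PID 1524 appears again at depth 53 and PID 2276 at depth 54. The embedded records are a constructed excerpt covering the first eight hops.

```python
import re
from collections import Counter, namedtuple

SAMPLE_EXE = "c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe"
DROPPER = "tmp8DEA.tmp.exe"

# Constructed excerpt: the first eight hops of the WriteProcessMemory records as the
# page prints them. The sandbox logs each hop three times, so the sample does too.
_HOPS = [
    (1472, 3624, SAMPLE_EXE, 140),
    (3624, 1640, DROPPER, 142),
    (1640, 616, DROPPER, 143),
    (616, 1824, DROPPER, 144),
    (1824, 2400, DROPPER, 145),
    (2400, 1524, DROPPER, 193),
    (1524, 2276, DROPPER, 194),
    (2276, 376, DROPPER, 148),
]
SAMPLE_RECORDS = " ".join(
    f"PID {s} wrote to memory of {d} {s} {img} {procid}"
    for s, d, img, procid in _HOPS
    for _ in range(3)
)

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; the
# backreference \1 enforces that the repeated source pid matches.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
Write = namedtuple("Write", "src dst image procid")


def parse_writes(text):
    """Turn the flattened record text into Write tuples, in logged order."""
    return [Write(int(m[1]), int(m[2]), m[3], int(m[4])) for m in WRITE_RE.finditer(text)]


def writes_per_hop(writes):
    """How many WriteProcessMemory records each (src, dst) pair produced."""
    return Counter((w.src, w.dst) for w in writes)


def spawn_chain(writes, root):
    """Follow each process's first write target outward from root; returns the hops."""
    first_target = {}
    for w in writes:
        first_target.setdefault(w.src, w)
    chain, pid, seen = [], root, set()
    while pid in first_target and pid not in seen:  # seen guards against pid cycles
        seen.add(pid)
        chain.append(first_target[pid])
        pid = first_target[pid].dst
    return chain


def self_respawn_hops(chain):
    """Hops where the writer and its target are the same image (dropper re-launching itself)."""
    image_of = {h.src: h.image for h in chain}  # a pid's image is known once it writes
    return [h for h in chain if image_of.get(h.dst) == h.image]


def pid_reuse_suspects(chain):
    """Assumes procid_target is creation-ordered. A hop whose index exceeds that of any
    later hop points at a process created after its own children, i.e. the PID was
    resolved to a reused instance. The last hop has no successor and is never flagged."""
    suspects = []
    for i, h in enumerate(chain[:-1]):
        if h.procid > min(x.procid for x in chain[i + 1:]):
            suspects.append((h.dst, h.procid))
    return suspects


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_RECORDS)
    chain = spawn_chain(writes, 1472)
    print("chain:", [1472] + [h.dst for h in chain])
    print("self-respawn hops:", len(self_respawn_hops(chain)))
    print("pid reuse suspects:", pid_reuse_suspects(chain))
```

Run against the full 64 records the same walk reproduces the tree below down to PID 1528; the out-of-order procid values at 1524, 2276, 1468, 2508 and 2332 are exactly the PIDs that reappear deeper in the tree, which is why a PID on this page is not a stable identifier for a process.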
System policy modification 1 TTPs 30 IoCs
All 30 writes target values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (HKLM\...\Policies\System), in the order logged:
description      ioc                               Process
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  EnableLUA = "0"                   c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"  upfc.exe
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  EnableLUA = "0"                   upfc.exe
Set value (int)  PromptOnSecureDesktop = "0"       upfc.exe
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"  upfc.exe
Set value (int)  PromptOnSecureDesktop = "0"       upfc.exe
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
Set value (int)  EnableLUA = "0"                   upfc.exe
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  ConsentPromptBehaviorAdmin = "0"  Process not Found
Set value (int)  EnableLUA = "0"                   Process not Found
Set value (int)  PromptOnSecureDesktop = "0"       Process not Found
-
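Every write above sets one of three UAC policy values to 0. EnableLUA=0 switches UAC off at the next logon or reboot; ConsentPromptBehaviorAdmin=0 lets members of the Administrators group elevate without any prompt; PromptOnSecureDesktop=0 moves whatever prompt remains off the secure desktop, where it can be overlaid by another window. The Python below is added as an example; it is neither the sandbox's code nor anything taken from the sample. It parses entries in the format printed above, reports each weakening write with the process that made it, and folds the writes into the UAC state the host is left in. The four embedded entries are a constructed excerpt of the table; the check itself is the one you would run over values read from a suspect host's SOFTWARE hive.

```python
import re
from collections import namedtuple

# Constructed excerpt of the "System policy modification" entries as this page prints
# them (one flattened run of text, entries separated by a space). Four are enough
# to exercise the parser; the page lists 30.
SAMPLE_ENTRIES = (
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" '
    r'c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" upfc.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" upfc.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found'
)

# key = everything up to the last backslash; name = the value name; process runs until
# the next "Set value (" or the end of the text, so names with spaces survive.
ENTRY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = '
    r'"(?P<value>[^"]*)" (?P<process>.+?)(?= Set value \(|$)'
)
Entry = namedtuple("Entry", "vtype key name value process")

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value the malware writes and what that value buys it.
WEAK_VALUES = {
    "EnableLUA": (0, "UAC switched off entirely (takes effect at next logon/reboot)"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompt shown on the normal, spoofable desktop"),
}
# Windows 10 defaults for the same three values.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def parse_entries(text):
    """Split the flattened signature text into Entry tuples, in logged order."""
    return [
        Entry(m["type"], m["key"], m["name"], m["value"], m["process"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


def uac_findings(entries):
    """(name, value, process, impact) for every write that sets a UAC value to its weak setting."""
    out = []
    for e in entries:
        if e.key != UAC_KEY or e.name not in WEAK_VALUES:
            continue
        weak, impact = WEAK_VALUES[e.name]
        if int(e.value) == weak:
            out.append((e.name, int(e.value), e.process, impact))
    return out


def final_uac_state(entries):
    """Last write wins, as in the registry; values never written keep their default."""
    state = dict(DEFAULTS)
    for e in entries:
        if e.key == UAC_KEY and e.name in state:
            state[e.name] = int(e.value)
    return state


def uac_bypassed(state):
    """True when an admin-group user's processes can elevate without any consent."""
    return state["EnableLUA"] == 0 or state["ConsentPromptBehaviorAdmin"] == 0


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    for name, value, process, impact in uac_findings(entries):
        print(f"{process}: {name}={value} -> {impact}")
    print("resulting state:", final_uac_state(entries), "bypassed:", uac_bypassed(final_uac_state(entries)))
```

The "Process not Found" entries are writes the sandbox could not map back to a tracked process when it recorded them; the parser keeps that string as the process name so the writes still count toward the final state, which is what matters for the host.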
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe"C:\Users\Admin\AppData\Local\Temp\c35ea1634775a5e9e1d2df71f37c69fc16e0d960bf25de5e8b172f3099a4de98.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"23⤵
- Executes dropped EXE
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"24⤵
- Executes dropped EXE
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"25⤵
- Executes dropped EXE
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"26⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"27⤵
- Executes dropped EXE
PID:428 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"28⤵
- Executes dropped EXE
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"29⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"30⤵
- Executes dropped EXE
PID:772 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"31⤵
- Executes dropped EXE
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"32⤵
- Executes dropped EXE
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"33⤵
- Executes dropped EXE
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"34⤵
- Executes dropped EXE
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"35⤵
- Executes dropped EXE
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"36⤵
- Executes dropped EXE
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"37⤵
- Executes dropped EXE
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"38⤵
- Executes dropped EXE
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"39⤵
- Executes dropped EXE
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"40⤵
- Executes dropped EXE
PID:320 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"41⤵
- Executes dropped EXE
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"42⤵
- Executes dropped EXE
PID:8 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"43⤵
- Executes dropped EXE
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"44⤵
- Executes dropped EXE
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"45⤵
- Executes dropped EXE
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"46⤵
- Executes dropped EXE
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"47⤵
- Executes dropped EXE
PID:816 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"49⤵
- Executes dropped EXE
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"50⤵
- Executes dropped EXE
PID:4884 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"51⤵
- Executes dropped EXE
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"52⤵
- Executes dropped EXE
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"53⤵
- Executes dropped EXE
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"54⤵
- Executes dropped EXE
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"55⤵
- Executes dropped EXE
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"56⤵
- Executes dropped EXE
PID:2768 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"57⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"58⤵
- Executes dropped EXE
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"59⤵
- Executes dropped EXE
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"60⤵
- Executes dropped EXE
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"61⤵
- Executes dropped EXE
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"62⤵
- Executes dropped EXE
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"63⤵
- Executes dropped EXE
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"64⤵
- Executes dropped EXE
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"66⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"67⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"68⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"69⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"70⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"71⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"72⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"73⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"74⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"75⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"76⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"77⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"78⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"79⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"80⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"81⤵PID:3812
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"82⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"83⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"84⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"85⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"86⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"87⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"88⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"89⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"90⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"91⤵
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"92⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"93⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"94⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"95⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"96⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"97⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"98⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"99⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"100⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"101⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"102⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"103⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"104⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"105⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"106⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"107⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"108⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"109⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"110⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"111⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"112⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"113⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"114⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"115⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"116⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"117⤵PID:2972
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"118⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"119⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"120⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"121⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8DEA.tmp.exe"122⤵PID:1172
-