colibri | 37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Size

4.9MB
MD5

549a897f0c0298c512c30faf8a911840
SHA1

77864449acf9065d7522006aec1bc67b543cb514
SHA256

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc
SHA512

481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2320	schtasks.exe	83

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/680-3-0x000000001B4A0000-0x000000001B5CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4216	powershell.exe
2164	powershell.exe
880	powershell.exe
1252	powershell.exe
4656	powershell.exe
1228	powershell.exe
1400	powershell.exe
3760	powershell.exe
3596	powershell.exe
2444	powershell.exe
324	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Executes dropped EXE 32 IoCs

Processes:

tmp9454.tmp.exetmp9454.tmp.exetmp9454.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmpC803.tmp.exetmpC803.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmpF7FC.tmp.exetmpF7FC.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmp312D.tmp.exetmp312D.tmp.exetmp312D.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmp60D8.tmp.exetmp60D8.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmpCCE0.tmp.exetmpCCE0.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmpFCCA.tmp.exetmpFCCA.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmp1870.tmp.exetmp1870.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmp33A9.tmp.exetmp33A9.tmp.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

pid	Process
4400	tmp9454.tmp.exe
2936	tmp9454.tmp.exe
3184	tmp9454.tmp.exe
2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1116	tmpC803.tmp.exe
2696	tmpC803.tmp.exe
1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4168	tmpF7FC.tmp.exe
4488	tmpF7FC.tmp.exe
2984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
668	tmp312D.tmp.exe
392	tmp312D.tmp.exe
3124	tmp312D.tmp.exe
1732	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2988	tmp60D8.tmp.exe
4688	tmp60D8.tmp.exe
1548	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4932	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1512	tmpCCE0.tmp.exe
3784	tmpCCE0.tmp.exe
3956	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1252	tmpFCCA.tmp.exe
3448	tmpFCCA.tmp.exe
3984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2232	tmp1870.tmp.exe
4460	tmp1870.tmp.exe
2576	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4864	tmp33A9.tmp.exe
1972	tmp33A9.tmp.exe
3792	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

tmp9454.tmp.exetmpC803.tmp.exetmpF7FC.tmp.exetmp312D.tmp.exetmp60D8.tmp.exetmpCCE0.tmp.exetmp1870.tmp.exetmp33A9.tmp.exe

description	pid	Process	procid_target
PID 2936 set thread context of 3184	2936	tmp9454.tmp.exe	116
PID 1116 set thread context of 2696	1116	tmpC803.tmp.exe	151
PID 4168 set thread context of 4488	4168	tmpF7FC.tmp.exe	157
PID 392 set thread context of 3124	392	tmp312D.tmp.exe	169
PID 2988 set thread context of 4688	2988	tmp60D8.tmp.exe	175
PID 1512 set thread context of 3784	1512	tmpCCE0.tmp.exe	188
PID 2232 set thread context of 4460	2232	tmp1870.tmp.exe	200
PID 4864 set thread context of 1972	4864	tmp33A9.tmp.exe	206

Drops file in Program Files directory 16 IoCs

Processes:

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Google\Update\Idle.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Crashpad\reports\sysmon.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Crashpad\reports\121e5b5079f7c0	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Multimedia Platform\explorer.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXA031.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Multimedia Platform\7a0fd90576e088	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX902B.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9B9B.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXA245.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\explorer.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Common Files\6552710125983c	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Google\Update\6ccacd8608530f	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Idle.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Crashpad\reports\sysmon.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Drops file in Windows directory 4 IoCs

Processes:

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

description	ioc	Process
File created	C:\Windows\Speech\RuntimeBroker.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Speech\9e8d7a4ca61bd9	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Speech\RCX9DAF.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Speech\RuntimeBroker.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp60D8.tmp.exetmp1870.tmp.exetmp9454.tmp.exetmpC803.tmp.exetmpF7FC.tmp.exetmp312D.tmp.exetmp33A9.tmp.exetmp9454.tmp.exetmp312D.tmp.exetmpCCE0.tmp.exetmpFCCA.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp60D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1870.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9454.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC803.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF7FC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp312D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp33A9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9454.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp312D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCCE0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFCCA.tmp.exe

Modifies registry class 12 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3124	schtasks.exe
3680	schtasks.exe
3312	schtasks.exe
4528	schtasks.exe
2092	schtasks.exe
1436	schtasks.exe
4828	schtasks.exe
2780	schtasks.exe
2604	schtasks.exe
1792	schtasks.exe
3240	schtasks.exe
5004	schtasks.exe
3936	schtasks.exe
4404	schtasks.exe
2996	schtasks.exe
1936	schtasks.exe
1584	schtasks.exe
4544	schtasks.exe
1684	schtasks.exe
2232	schtasks.exe
1440	schtasks.exe
5060	schtasks.exe
3068	schtasks.exe
368	schtasks.exe
4776	schtasks.exe
2984	schtasks.exe
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

pid	Process
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1400	powershell.exe
1400	powershell.exe
4216	powershell.exe
4216	powershell.exe
2444	powershell.exe
2444	powershell.exe
880	powershell.exe
880	powershell.exe
3760	powershell.exe
3760	powershell.exe
2164	powershell.exe
2164	powershell.exe
1228	powershell.exe
1228	powershell.exe
324	powershell.exe
324	powershell.exe
4656	powershell.exe
4656	powershell.exe
3596	powershell.exe
3596	powershell.exe
4656	powershell.exe
2444	powershell.exe
3760	powershell.exe
1400	powershell.exe
4216	powershell.exe
2164	powershell.exe
1228	powershell.exe
880	powershell.exe
324	powershell.exe
3596	powershell.exe
2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1732	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1548	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
4932	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3956	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2576	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3792	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	3996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1732	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1548	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	4580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	4932	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	3956	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	3984	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2576	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	3792	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmp9454.tmp.exetmp9454.tmp.execmd.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exetmpC803.tmp.exeWScript.exe37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

description	pid	Process	procid_target
PID 680 wrote to memory of 4400	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	113
PID 680 wrote to memory of 4400	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	113
PID 680 wrote to memory of 4400	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	113
PID 4400 wrote to memory of 2936	4400	tmp9454.tmp.exe	115
PID 4400 wrote to memory of 2936	4400	tmp9454.tmp.exe	115
PID 4400 wrote to memory of 2936	4400	tmp9454.tmp.exe	115
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 2936 wrote to memory of 3184	2936	tmp9454.tmp.exe	116
PID 680 wrote to memory of 3596	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	119
PID 680 wrote to memory of 3596	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	119
PID 680 wrote to memory of 4216	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	120
PID 680 wrote to memory of 4216	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	120
PID 680 wrote to memory of 2444	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	121
PID 680 wrote to memory of 2444	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	121
PID 680 wrote to memory of 324	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	122
PID 680 wrote to memory of 324	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	122
PID 680 wrote to memory of 3760	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	123
PID 680 wrote to memory of 3760	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	123
PID 680 wrote to memory of 1400	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	124
PID 680 wrote to memory of 1400	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	124
PID 680 wrote to memory of 1228	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	125
PID 680 wrote to memory of 1228	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	125
PID 680 wrote to memory of 880	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	126
PID 680 wrote to memory of 880	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	126
PID 680 wrote to memory of 2164	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	127
PID 680 wrote to memory of 2164	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	127
PID 680 wrote to memory of 4656	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	128
PID 680 wrote to memory of 4656	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	128
PID 680 wrote to memory of 1252	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	129
PID 680 wrote to memory of 1252	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	129
PID 680 wrote to memory of 4316	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	140
PID 680 wrote to memory of 4316	680	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	140
PID 4316 wrote to memory of 4116	4316	cmd.exe	143
PID 4316 wrote to memory of 4116	4316	cmd.exe	143
PID 4316 wrote to memory of 2312	4316	cmd.exe	146
PID 4316 wrote to memory of 2312	4316	cmd.exe	146
PID 2312 wrote to memory of 4000	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	147
PID 2312 wrote to memory of 4000	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	147
PID 2312 wrote to memory of 2956	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	148
PID 2312 wrote to memory of 2956	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	148
PID 2312 wrote to memory of 1116	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	149
PID 2312 wrote to memory of 1116	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	149
PID 2312 wrote to memory of 1116	2312	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	149
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 1116 wrote to memory of 2696	1116	tmpC803.tmp.exe	151
PID 4000 wrote to memory of 1480	4000	WScript.exe	152
PID 4000 wrote to memory of 1480	4000	WScript.exe	152
PID 1480 wrote to memory of 1988	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	153
PID 1480 wrote to memory of 1988	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	153
PID 1480 wrote to memory of 3760	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	154
PID 1480 wrote to memory of 3760	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	154
PID 1480 wrote to memory of 4168	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	155
PID 1480 wrote to memory of 4168	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	155
PID 1480 wrote to memory of 4168	1480	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	155

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
"C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:680
- C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4116
- - C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
    "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2312
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2bbcf43-60d7-4032-bb1e-efe169609961.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1480
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6720c790-686a-458b-93ea-5543adddecc7.vbs"
        6⤵
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40721322-e1eb-4c2c-a99e-76943da99e32.vbs"
        8⤵
        
        PID:988
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1052365-6ae7-40ef-8986-b231d9db7f94.vbs"
        10⤵
        
        PID:5100
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b549c6a0-0125-43e3-9249-29cd512d1ffb.vbs"
        12⤵
        
        PID:3704
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991bf7df-74cb-4f2f-a7d4-c31e99048b0d.vbs"
        14⤵
        
        PID:536
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\684c3569-1177-43a8-aa38-720db34f103c.vbs"
        16⤵
        
        PID:4924
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04db1fc3-7ed6-4a8b-98e4-60554d9bcdcb.vbs"
        18⤵
        
        PID:2780
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0efe9f-a580-4278-b287-bcfc877e23a5.vbs"
        20⤵
        
        PID:2356
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307c1567-19a8-4b6b-abf4-2d589b930c99.vbs"
        22⤵
        
        PID:3012
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59907543-1fb0-4415-b033-eb7f43b5d4b5.vbs"
        24⤵
        
        PID:3520
        
        C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4724cec8-cc1a-4ea5-a1c1-0e406a96de17.vbs"
        24⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp33A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp33A9.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp33A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp33A9.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff59f34f-de72-4a01-841c-001f94b800f0.vbs"
        22⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1870.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cb3c69a-0104-437d-876e-ce842c7049eb.vbs"
        20⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCCA.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCCA.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10d3bff2-a134-4a2f-90ec-4a13e71e8c0e.vbs"
        18⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmpCCE0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCCE0.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmpCCE0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCCE0.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07a565eb-7701-4393-81b5-551001dfd68c.vbs"
        16⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd85d03d-d52e-4254-9772-5345d09d5e20.vbs"
        14⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9323.tmp.exe"
        14⤵
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\926ddef8-b81d-4b5b-b4fc-3b64c0370ddd.vbs"
        12⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp60D8.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36010608-6320-48d5-b383-23abfac9200f.vbs"
        10⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp312D.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3117459-f9d8-4735-9d17-2b957c1cc604.vbs"
        8⤵
        
        PID:1408
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\947e5213-3b81-47c5-80fc-f52ef7237675.vbs"
        6⤵
        
        PID:3760
      - C:\Users\Admin\AppData\Local\Temp\tmpF7FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF7FC.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmpF7FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF7FC.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ae7ae9b-80d2-40fe-9760-e4c455d16d6d.vbs"
      4⤵
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\tmpC803.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC803.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\tmpC803.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC803.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN" /sc ONLOGON /tr "'C:\Users\All Users\Templates\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
4.9MB

MD5
549a897f0c0298c512c30faf8a911840

SHA1
77864449acf9065d7522006aec1bc67b543cb514

SHA256
37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

SHA512
481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\04db1fc3-7ed6-4a8b-98e4-60554d9bcdcb.vbs

Filesize
781B

MD5
59990fd7b62e393cecc509c04f3d77df

SHA1
19212626308bd83c82fe7dd35ff4c7508fc00bb4

SHA256
f81e419dc050f516e0f1d89d8258b0ad876d7ff282991b8b3e1ebd7881bc99ab

SHA512
3751182bcae67626d6ef38ed6336cbf4657001ebacfbd230baa03d0995151979dbe8e485de11ff51340cd18780502adffbf5b741cd659547e24ee42aa19b3762

Download Submit
C:\Users\Admin\AppData\Local\Temp\40721322-e1eb-4c2c-a99e-76943da99e32.vbs

Filesize
781B

MD5
476e4be457ced31164510bf7a0287cb8

SHA1
557b9e64ff3e64532882fd22aa19943a53ad5832

SHA256
12e26f66c595c2b8a196e515f951d0ded75adaa013315114a3e530d795863ad6

SHA512
656ff9d877eb4edc1cab51f1a4c4282f5baf9435117cca591feba25bdf15ee619f0dc44c97529daf6068e1ff268174a4c13cf6500f20330d8aa048d9561e4630

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ae7ae9b-80d2-40fe-9760-e4c455d16d6d.vbs

Filesize
557B

MD5
384dad22d4e2ac432aebba5ebfd5b44a

SHA1
68523e828ef78109eb1bef55fd7cf8f2563ab148

SHA256
5e18dda74812cb5cb09359f70d03d690b31a810ecb696cf448ec6be5e878dc16

SHA512
aec2ad7855fe2b1455274383f0c820241dd76269a6ffcf98fcb5e641ec8bb94c66344b42575336b4593f11c615e7eb350691ee262751e93be3e2750b289e59b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6720c790-686a-458b-93ea-5543adddecc7.vbs

Filesize
781B

MD5
12e737156845289f1ab48b34cae5876a

SHA1
d416b0c47c4bd5d7a24ddaa231816673236c12d5

SHA256
559bddbba64f6a81490cee307d7db7eba0b7ee3f9fa2f60740c340f629634ced

SHA512
b4e3a6d9af75f66e05537f77b0b8006d84a485a72f024ac9d857a017e750e66b723d3228ac123bc692f0cf904a9c5efe6fc09f5ccfd36f5af969ca6f0c21808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\684c3569-1177-43a8-aa38-720db34f103c.vbs

Filesize
781B

MD5
ced391637cc25f3a6522bf17e1a26960

SHA1
8318cdda0be7f7c18818048160e8ea5b8a248aab

SHA256
0d2756814a4a178e40128f0c6c4a1c01d46cc018dc17878ccd6d395a9bed2525

SHA512
4c6133eb7703c3c1d309a11dbc3ac30af3492259331c0f2aebd14a8745708fd706f74ab2a74804e2863ab2a06ac6843b7eec6127dd30eb2de15bd8aa0802b448

Download Submit
C:\Users\Admin\AppData\Local\Temp\991bf7df-74cb-4f2f-a7d4-c31e99048b0d.vbs

Filesize
781B

MD5
e82fd9f121292c57225206e91d4dedc0

SHA1
6e220cfe4aedc3d2084fa3ea339743dc43f174fb

SHA256
ba79223a1acf55a99bc4820f3e46af58049201782e90043fc32e71a1b93e12d1

SHA512
8bfe59f203e032321ff8d219ec4c910dc0d0055dbd2530497a741b50e8b1c7c285fe00efdd4d2b1ad7c401a4d4b65962354aa22ecc8cac95ecdcc69d06f84f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat

Filesize
270B

MD5
1981810ee9bb43c9750bc44d7f40f313

SHA1
c04f39a6a83445b29f1a794f6ab6ac691737acab

SHA256
759543efb800376e96b43ca6095f932b3818a92c8a9db8f21f185394fdfa562c

SHA512
f7383697141901db17adf93a48f4dedec472c33d373d1fb8c493f4d562b9181e0fd1f23e7c79ecd3f24d91c2535c0ef2ad3311c3f0dc0af50d1c0f019b4e2a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wueeolas.suj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b549c6a0-0125-43e3-9249-29cd512d1ffb.vbs

Filesize
781B

MD5
d4fba5b6a89199820679ba178dde7c2e

SHA1
d31ec43d6a7b5fb710820d8734621eebb462a19b

SHA256
08770e40e178706c2a92d61eec44f268b86bcab819d9db952402af8eadf0edcb

SHA512
4a52bd974867d019d2509330e4c364f143b93a829281b7b88cbf14b9b480c037c2ab072a49d066323b753600fb2ac9b48a63d11a7afb9ea391c832252ec85517

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2bbcf43-60d7-4032-bb1e-efe169609961.vbs

Filesize
781B

MD5
c229f8d9ce0a38d90cc284595a642f3e

SHA1
f37814ac0ec20023e559bd861aef026a57f8cb05

SHA256
5704fcb4236877202bb869f16c8dfefe2724348b85702c3b30a7f1715caf5f6a

SHA512
5db2a0b721cc11b59e1c42487c42b0f0a4b599a21567b834a69fc3db6b8c3582e5f7f2ab37c8fe264a214ebd3a9db673ec5df69a680af52d0ea6f78c61d24b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1052365-6ae7-40ef-8986-b231d9db7f94.vbs

Filesize
781B

MD5
52b281d32ac2f6d4025b4059dedf4832

SHA1
64672b377824537c11a1ee7c38dbdf34aa2a2c65

SHA256
20f7c1d2fc942f6d5effeda7654f1a8c367b016f6d8170f125d859339edc2e50

SHA512
c2aa9684e68a6ca2eb2778ce13a34aa5b4f6dde0a7e1d7d40c61fadc7a94530abe5db5773484aba55a8d33c80952d734393cb6dfed6e6124de24747124555193

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9454.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/680-11-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/680-9-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/680-119-0x00007FF8FF570000-0x00007FF900031000-memory.dmp

Filesize
10.8MB

Download
memory/680-1-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download
memory/680-16-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/680-17-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/680-18-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/680-13-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/680-14-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/680-15-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/680-12-0x000000001C110000-0x000000001C638000-memory.dmp

Filesize
5.2MB

Download
memory/680-0-0x00007FF8FF573000-0x00007FF8FF575000-memory.dmp

Filesize
8KB

Download
memory/680-10-0x000000001B480000-0x000000001B48A000-memory.dmp

Filesize
40KB

Download
memory/680-2-0x00007FF8FF570000-0x00007FF900031000-memory.dmp

Filesize
10.8MB

Download
memory/680-8-0x000000001B400000-0x000000001B416000-memory.dmp

Filesize
88KB

Download
memory/680-6-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

Filesize
32KB

Download
memory/680-3-0x000000001B4A0000-0x000000001B5CE000-memory.dmp

Filesize
1.2MB

Download
memory/680-7-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/680-5-0x000000001B430000-0x000000001B480000-memory.dmp

Filesize
320KB

Download
memory/680-4-0x0000000002790000-0x00000000027AC000-memory.dmp

Filesize
112KB

Download
memory/2164-125-0x00000250D9BC0000-0x00000250D9BE2000-memory.dmp

Filesize
136KB

Download
memory/2984-280-0x0000000002930000-0x0000000002942000-memory.dmp

Filesize
72KB

Download
memory/3184-72-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4580-358-0x0000000003110000-0x0000000003122000-memory.dmp

Filesize
72KB

Download
memory/4932-370-0x000000001BB50000-0x000000001BB62000-memory.dmp

Filesize
72KB

Download