colibri | 37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Size

4.9MB
MD5

549a897f0c0298c512c30faf8a911840
SHA1

77864449acf9065d7522006aec1bc67b543cb514
SHA256

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc
SHA512

481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2576	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2576	schtasks.exe	82

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3116-3-0x000000001B550000-0x000000001B67E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4068	powershell.exe
3612	powershell.exe
2720	powershell.exe
432	powershell.exe
3632	powershell.exe
3888	powershell.exe
2296	powershell.exe
3844	powershell.exe
3212	powershell.exe
3496	powershell.exe
3720	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 48 IoCs

pid	Process
1260	tmpB171.tmp.exe
1068	tmpB171.tmp.exe
3076	sysmon.exe
4864	tmpE697.tmp.exe
2196	tmpE697.tmp.exe
1160	sysmon.exe
4612	tmp4FC.tmp.exe
3636	tmp4FC.tmp.exe
2648	sysmon.exe
724	tmp2258.tmp.exe
4968	tmp2258.tmp.exe
792	sysmon.exe
3884	tmp3DC0.tmp.exe
3556	tmp3DC0.tmp.exe
5040	sysmon.exe
4956	tmp7133.tmp.exe
4612	tmp7133.tmp.exe
3436	sysmon.exe
4280	tmpA0FE.tmp.exe
4484	sysmon.exe
436	tmpBE0B.tmp.exe
4960	tmpBE0B.tmp.exe
1220	sysmon.exe
4612	tmpDB38.tmp.exe
4248	tmpDB38.tmp.exe
1408	sysmon.exe
2936	tmpF680.tmp.exe
3608	tmpF680.tmp.exe
828	sysmon.exe
972	tmp25DD.tmp.exe
4448	tmp25DD.tmp.exe
3896	tmp25DD.tmp.exe
3424	tmp25DD.tmp.exe
4148	sysmon.exe
4400	tmp553A.tmp.exe
4416	tmp553A.tmp.exe
2552	sysmon.exe
1640	tmp84D6.tmp.exe
1924	tmp84D6.tmp.exe
2856	sysmon.exe
2728	tmpA09B.tmp.exe
880	tmpA09B.tmp.exe
680	sysmon.exe
1900	tmpD037.tmp.exe
3076	tmpD037.tmp.exe
3696	sysmon.exe
4436	tmpED15.tmp.exe
2340	tmpED15.tmp.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 1068	1260	tmpB171.tmp.exe	138
PID 4864 set thread context of 2196	4864	tmpE697.tmp.exe	170
PID 4612 set thread context of 3636	4612	tmp4FC.tmp.exe	176
PID 724 set thread context of 4968	724	tmp2258.tmp.exe	183
PID 3884 set thread context of 3556	3884	tmp3DC0.tmp.exe	190
PID 4956 set thread context of 4612	4956	tmp7133.tmp.exe	196
PID 436 set thread context of 4960	436	tmpBE0B.tmp.exe	211
PID 4612 set thread context of 4248	4612	tmpDB38.tmp.exe	217
PID 2936 set thread context of 3608	2936	tmpF680.tmp.exe	223
PID 3896 set thread context of 3424	3896	tmp25DD.tmp.exe	231
PID 4400 set thread context of 4416	4400	tmp553A.tmp.exe	237
PID 1640 set thread context of 1924	1640	tmp84D6.tmp.exe	243
PID 2728 set thread context of 880	2728	tmpA09B.tmp.exe	249
PID 1900 set thread context of 3076	1900	tmpD037.tmp.exe	255
PID 4436 set thread context of 2340	4436	tmpED15.tmp.exe	261

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\38384e6a620884	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Defender\uk-UA\69ddcba757bf72	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Common Files\DESIGNER\886983d96e3d3e	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Common Files\DESIGNER\csrss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\SearchApp.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXC735.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Portable Devices\SearchApp.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\7-Zip\Lang\SearchApp.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\smss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\SearchApp.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Defender\uk-UA\smss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB54B.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCXCE3D.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Portable Devices\38384e6a620884	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\WindowsApps\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXB974.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\5940a34987c991	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCXBB88.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\csrss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXB75F.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\PLA\56085415360792	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\RCXCC29.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXC4B4.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\9e8d7a4ca61bd9	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\PLA\wininit.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Web\Wallpaper\Windows\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\TAPI\fontdrvhost.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RCXB102.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Speech_OneCore\Engines\e6c9b481da804f	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\121e5b5079f7c0	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Web\Wallpaper\Windows\f3b6ecef712a24	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\RCXBE09.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\TAPI\fontdrvhost.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\TAPI\RCXD2D3.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\TAPI\5b884080fd4f94	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\PLA\RCXCA15.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\PLA\wininit.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5092	4280	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB171.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2258.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE0B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDB38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD037.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3DC0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpED15.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE697.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4FC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp25DD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp553A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84D6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA09B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7133.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA0FE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF680.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp25DD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp25DD.tmp.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3212	schtasks.exe
3700	schtasks.exe
928	schtasks.exe
3896	schtasks.exe
5040	schtasks.exe
1840	schtasks.exe
532	schtasks.exe
1236	schtasks.exe
4660	schtasks.exe
3428	schtasks.exe
216	schtasks.exe
3608	schtasks.exe
4264	schtasks.exe
2648	schtasks.exe
4324	schtasks.exe
3192	schtasks.exe
2340	schtasks.exe
4640	schtasks.exe
312	schtasks.exe
1124	schtasks.exe
1256	schtasks.exe
1976	schtasks.exe
3660	schtasks.exe
2468	schtasks.exe
4916	schtasks.exe
3364	schtasks.exe
3144	schtasks.exe
432	schtasks.exe
828	schtasks.exe
5012	schtasks.exe
2900	schtasks.exe
2136	schtasks.exe
3960	schtasks.exe
1724	schtasks.exe
4224	schtasks.exe
3612	schtasks.exe
4956	schtasks.exe
1536	schtasks.exe
1676	schtasks.exe
2108	schtasks.exe
4440	schtasks.exe
3992	schtasks.exe
1316	schtasks.exe
4792	schtasks.exe
2264	schtasks.exe
2932	schtasks.exe
1668	schtasks.exe
860	schtasks.exe
1800	schtasks.exe
3720	schtasks.exe
5028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
3888	powershell.exe
3888	powershell.exe
3496	powershell.exe
3496	powershell.exe
3844	powershell.exe
3844	powershell.exe
4068	powershell.exe
4068	powershell.exe
3720	powershell.exe
3720	powershell.exe
3212	powershell.exe
3212	powershell.exe
3612	powershell.exe
3612	powershell.exe
3632	powershell.exe
3632	powershell.exe
432	powershell.exe
432	powershell.exe
2720	powershell.exe
2720	powershell.exe
2296	powershell.exe
2296	powershell.exe
3496	powershell.exe
3888	powershell.exe
3888	powershell.exe
3720	powershell.exe
3844	powershell.exe
3212	powershell.exe
4068	powershell.exe
3632	powershell.exe
3612	powershell.exe
432	powershell.exe
2720	powershell.exe
2296	powershell.exe
3076	sysmon.exe
3076	sysmon.exe
1160	sysmon.exe
2648	sysmon.exe
792	sysmon.exe
5040	sysmon.exe
3436	sysmon.exe
4484	sysmon.exe
1220	sysmon.exe
1408	sysmon.exe
828	sysmon.exe
4148	sysmon.exe
2552	sysmon.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3076	sysmon.exe
Token: SeDebugPrivilege	1160	sysmon.exe
Token: SeDebugPrivilege	2648	sysmon.exe
Token: SeDebugPrivilege	792	sysmon.exe
Token: SeDebugPrivilege	5040	sysmon.exe
Token: SeDebugPrivilege	3436	sysmon.exe
Token: SeDebugPrivilege	4484	sysmon.exe
Token: SeDebugPrivilege	1220	sysmon.exe
Token: SeDebugPrivilege	1408	sysmon.exe
Token: SeDebugPrivilege	828	sysmon.exe
Token: SeDebugPrivilege	4148	sysmon.exe
Token: SeDebugPrivilege	2552	sysmon.exe
Token: SeDebugPrivilege	2856	sysmon.exe
Token: SeDebugPrivilege	680	sysmon.exe
Token: SeDebugPrivilege	3696	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1260	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	136
PID 3116 wrote to memory of 1260	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	136
PID 3116 wrote to memory of 1260	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	136
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 1260 wrote to memory of 1068	1260	tmpB171.tmp.exe	138
PID 3116 wrote to memory of 2296	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	143
PID 3116 wrote to memory of 2296	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	143
PID 3116 wrote to memory of 3844	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	144
PID 3116 wrote to memory of 3844	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	144
PID 3116 wrote to memory of 3212	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	145
PID 3116 wrote to memory of 3212	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	145
PID 3116 wrote to memory of 4068	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	146
PID 3116 wrote to memory of 4068	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	146
PID 3116 wrote to memory of 3612	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	147
PID 3116 wrote to memory of 3612	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	147
PID 3116 wrote to memory of 3496	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	148
PID 3116 wrote to memory of 3496	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	148
PID 3116 wrote to memory of 2720	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	149
PID 3116 wrote to memory of 2720	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	149
PID 3116 wrote to memory of 432	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	150
PID 3116 wrote to memory of 432	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	150
PID 3116 wrote to memory of 3632	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	151
PID 3116 wrote to memory of 3632	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	151
PID 3116 wrote to memory of 3720	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	152
PID 3116 wrote to memory of 3720	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	152
PID 3116 wrote to memory of 3888	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	153
PID 3116 wrote to memory of 3888	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	153
PID 3116 wrote to memory of 3076	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	165
PID 3116 wrote to memory of 3076	3116	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	165
PID 3076 wrote to memory of 3548	3076	sysmon.exe	166
PID 3076 wrote to memory of 3548	3076	sysmon.exe	166
PID 3076 wrote to memory of 1352	3076	sysmon.exe	167
PID 3076 wrote to memory of 1352	3076	sysmon.exe	167
PID 3076 wrote to memory of 4864	3076	sysmon.exe	168
PID 3076 wrote to memory of 4864	3076	sysmon.exe	168
PID 3076 wrote to memory of 4864	3076	sysmon.exe	168
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 4864 wrote to memory of 2196	4864	tmpE697.tmp.exe	170
PID 3548 wrote to memory of 1160	3548	WScript.exe	171
PID 3548 wrote to memory of 1160	3548	WScript.exe	171
PID 1160 wrote to memory of 1716	1160	sysmon.exe	172
PID 1160 wrote to memory of 1716	1160	sysmon.exe	172
PID 1160 wrote to memory of 2832	1160	sysmon.exe	173
PID 1160 wrote to memory of 2832	1160	sysmon.exe	173
PID 1160 wrote to memory of 4612	1160	sysmon.exe	174
PID 1160 wrote to memory of 4612	1160	sysmon.exe	174
PID 1160 wrote to memory of 4612	1160	sysmon.exe	174
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176
PID 4612 wrote to memory of 3636	4612	tmp4FC.tmp.exe	176

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
"C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3116
- C:\Users\Admin\AppData\Local\Temp\tmpB171.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB171.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\tmpB171.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB171.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
  "C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3076
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c5ff3ab-2aac-43bb-8a22-b5ab18f91488.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
      C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1160
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7622624b-0192-45b0-89dc-eef67bef990d.vbs"
        5⤵
        
        PID:1716
      - C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b7744f8-874a-4ab2-bb90-8215c663cb51.vbs"
        7⤵
        
        PID:3680
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b51dce1b-bfb7-4ae9-953b-620bde5a3489.vbs"
        9⤵
        
        PID:1848
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd69e54-ee44-4fb1-bd38-ef711c7a5825.vbs"
        11⤵
        
        PID:5032
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d82cb5b9-2e1c-4904-b912-a5e2a9c56590.vbs"
        13⤵
        
        PID:944
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b07075f-339c-4eb9-8253-302c4f9f1a98.vbs"
        15⤵
        
        PID:1060
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62495f06-1c0b-4dd7-96c9-bbd6a4473d66.vbs"
        17⤵
        
        PID:1976
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96afee7c-ad90-44f4-bf9b-a897c03859ee.vbs"
        19⤵
        
        PID:1228
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42e0697f-9890-4446-a94e-304b6c7309bf.vbs"
        21⤵
        
        PID:1068
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72b71e3-e991-4302-9721-e9da1273bc30.vbs"
        23⤵
        
        PID:2132
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5226b1cf-83c2-42a0-a5d9-fbfb9d2d7b8f.vbs"
        25⤵
        
        PID:4804
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5713b66-d476-4313-a8f1-7212ff578a81.vbs"
        27⤵
        
        PID:2976
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ef1a16-5908-4ad6-b50b-d214761cfd91.vbs"
        29⤵
        
        PID:1392
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        
        C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87dd6506-f9c8-429a-acb2-dd7f12a25b6a.vbs"
        31⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef02668e-c944-4d78-9c4d-e9c3049462e5.vbs"
        31⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmpED15.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpED15.tmp.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpED15.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpED15.tmp.exe"
        32⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b89137a-e85a-4e70-9cfa-b1bf3815e732.vbs"
        29⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmpD037.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD037.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmpD037.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD037.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bc92d21-f239-4c38-8a06-668633312f89.vbs"
        27⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmpA09B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA09B.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\tmpA09B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA09B.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45831bc9-03ef-48c7-a758-1b01f813af52.vbs"
        25⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp84D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84D6.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp84D6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84D6.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26c4fc7b-4b69-4606-a768-9a077c78a122.vbs"
        23⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp553A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp553A.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp553A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp553A.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324ae71b-9e5f-4d9d-8b66-b93feff7e5c7.vbs"
        21⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25DD.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fadd4ac2-d19d-4259-a69c-707e0c466a67.vbs"
        19⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmpF680.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF680.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmpF680.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF680.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36ff19b8-6188-4272-8d15-bdd3d35cc854.vbs"
        17⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmpDB38.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDB38.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpDB38.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDB38.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce98e27-c69e-4b30-b3fb-aaaf3d367e4d.vbs"
        15⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE0B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE0B.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE0B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE0B.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bad9b3a9-712c-40df-bedf-7084f358b383.vbs"
        13⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmpA0FE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA0FE.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmpA0FE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA0FE.tmp.exe"
        14⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 312
        14⤵
        Program crash
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c7144a-1165-4bb0-94d8-f48886410275.vbs"
        11⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7133.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7133.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16763804-b787-42ff-91a3-9441b3d108c6.vbs"
        9⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99ba373e-1751-47b6-92d0-a6a37726d3ed.vbs"
        7⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp2258.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2258.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp2258.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2258.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b49a348-700b-422a-bafc-a7e839da17dc.vbs"
        5⤵
        
        PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\tmp4FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4FC.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Users\Admin\AppData\Local\Temp\tmp4FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4FC.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab5053e6-7ab4-4dd7-8ccd-c8bc10d17ea3.vbs"
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\tmpE697.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE697.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Users\Admin\AppData\Local\Temp\tmpE697.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE697.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PLA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Windows\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Windows\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Windows\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Saved Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Saved Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\SearchApp.exe

Filesize
4.9MB

MD5
549a897f0c0298c512c30faf8a911840

SHA1
77864449acf9065d7522006aec1bc67b543cb514

SHA256
37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

SHA512
481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b7744f8-874a-4ab2-bb90-8215c663cb51.vbs

Filesize
727B

MD5
3337c113d3eef92c49cf593d51e23ec7

SHA1
9e3f2a6343515f3c2fa111d38680c238238c1393

SHA256
7dd9db9f4ff4f9976295b49a8bd65144e12ff1d3067171f816ed9aa42cb263a8

SHA512
9ebd5686de72f5042464ebc71a76d82f25a5a6bf79cb9cc43b652f4e7faecf180f1a88054cab1daab119d3931d230955ac97b068cbc2728825f082b6c0087d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b07075f-339c-4eb9-8253-302c4f9f1a98.vbs

Filesize
727B

MD5
ca03a031f32fc211d9cda40f1e8a0d2d

SHA1
9556db1c2be35a694a48f76537eab6686b3aa2b1

SHA256
e11bbe3974a0de1dca4b03119eef30a6199b087f47ecf6394cf3ca13da5ed407

SHA512
18ca466035696bac619b8398a36c1acf94133de03bc329abd6aa1e4a37f22c2064db6f52a778b9dcb128b1a7ad3f3ecead3eac0b39bbb575d71df151c679518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c5ff3ab-2aac-43bb-8a22-b5ab18f91488.vbs

Filesize
727B

MD5
e4840325d8d8a07f15da1ad5f22ed051

SHA1
e6d8ae314915a697abebf500c84edad3be9cb6eb

SHA256
178234de70af48e6ac3e30d1eb1d850a366fbff95dd79ee7d95c60ffb7df6bce

SHA512
cde667da20954a48e28adf39620079b8389822701cc5d3854864ccef2ee10b2a25022588f58ca3135a942818829641ee8097e3670875bd07bc0d0d123ca3e5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7622624b-0192-45b0-89dc-eef67bef990d.vbs

Filesize
727B

MD5
a759ba693a69bc628aa1d5bbf7252467

SHA1
f9ee6cfc36d0f96eb80ab5c21734c18bc4379276

SHA256
27335b0bac8ae6b345ee7c376c8052d8cb8dc98371892c827f94ef101e93aedc

SHA512
00489010f92c23e9754728c28937e559b069387064958dca4a21a4d78d1cae8ea7900c995ca409d66d9506106bf3c3a7725c22a65a9734e02ff97ceca1117226

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lvc0mnx.rlz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab5053e6-7ab4-4dd7-8ccd-c8bc10d17ea3.vbs

Filesize
503B

MD5
785c72f97e265eb972d578f29937f518

SHA1
22fea544c2c3b373562cc94e398d4ff7c7c98f5f

SHA256
914edf90e79e5fb5d6997b3546bfba02c34dbbabd97571c813fc6ac2268cc262

SHA512
594437c11619296981dabd53b3e473da719edff85dab1186d3e404d1f8eb45415b46332046a5658efd4329e39b8d01682942a38f1608e8a4774e786a27a7c897

Download Submit
C:\Users\Admin\AppData\Local\Temp\b51dce1b-bfb7-4ae9-953b-620bde5a3489.vbs

Filesize
726B

MD5
b6e51d41bb52638f6a6973c9e6955176

SHA1
4ce3b143adfaf9bb33f54a5589aca28627344a25

SHA256
9c7a3d1edefa2571f5a31f0743b32125587478e124ff79b318a105e13c3fc253

SHA512
56cf69e7bdf680a66de8b2d62931b4a5dcb0fb0c7ab96b1574d7b7e46e775d0d1b511b3dd8228a5da5a7893d654e3739d7c468fbd9a137bca221f39d82420425

Download Submit
C:\Users\Admin\AppData\Local\Temp\d82cb5b9-2e1c-4904-b912-a5e2a9c56590.vbs

Filesize
727B

MD5
61c368cdc87202735be9d887034c8a3d

SHA1
9a6c5bdd81265102a1086b47c0bf81f1017c6a18

SHA256
13b1d03c31a9ebb9c80a18a4f7539384b36e8b4c168801c34dde75c01c23d997

SHA512
8cc9039f11efb90cf637e75ddf6d589df1bf2af1e684824cb0dffed35879f2d2e3b6c872306c3c1f641bd2047c28df847fa84d5d5d4d7e6277eb348dc7299ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffd69e54-ee44-4fb1-bd38-ef711c7a5825.vbs

Filesize
727B

MD5
f8a2d2e4ddbf77bdf436abef90a4b57f

SHA1
c54418949b991b609d00aee7e8abf1da16287e4e

SHA256
bcd171b76adf37adc7449ac11d163976b23aceca22aae326d20aea8e5cc75f61

SHA512
5a87d67baa65083c830b281cf6ba26de443514f421f529da4b29d69ad61b5944e94c3ea9d9669111eba1c3e823bf979cd54d6d2d49d1953e7952f01b50525d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB171.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\csrss.exe

Filesize
4.9MB

MD5
1a492a78877146f6632bec87ff3f62e0

SHA1
658ac0b042ef33c139ebe04f5b17ffa6ae2dde36

SHA256
31ff23b908b463746b6657ab7a8e8770d2892a9b0e19644af3898571d4f3c12b

SHA512
6f8cf9a1aacfdcfc6d6f8e6b9b6c0b75870c063ea745fd7acf8e1959b7a953dad736896ffc66fa5129cddd8d1370fd41a9192173c31ac6e8ab6b8130c808822d

Download Submit
C:\Windows\RemotePackages\RemoteDesktops\sysmon.exe

Filesize
4.9MB

MD5
da3343cb2c38fd12b3b5eb9e13dda13e

SHA1
011f1d5522ae30c8f80c68442e712f36dea591fd

SHA256
90e9ae3d8d3da797c9bee6d5fd80da01fd8ddb8122e2892f4923c1b2b8c76a0d

SHA512
0f5048cf289fdb6de37b88cc1bfe08383ab2b8eb92408d1ca05ef00eb796cba18ff86325a5cea0f18002a9c850f37c61f6db4509386bb5def99287e118994cdb

Download Submit
C:\Windows\Web\Wallpaper\Windows\RCXCC29.tmp

Filesize
4.9MB

MD5
fcaecb8edf37ad4b04e32dadb36c4688

SHA1
c06c0aa1b43005c35aa16fb5ad492959477c9ccc

SHA256
989a04fe230bfeaaab4fa767e437be45fb386f599364ee04cf1dd8c757f18f3e

SHA512
6b730f3d77954032250f26a29cec84a1d2f1f351724537ae96a4ebacef29304f06475f8c6739cd0aed4b104f0809bcce4353e31962889e3f9a0d973e9e058683

Download Submit
memory/1068-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3076-342-0x0000000000A80000-0x0000000000F74000-memory.dmp

Filesize
5.0MB

Download
memory/3116-13-0x000000001BCA0000-0x000000001BCAA000-memory.dmp

Filesize
40KB

Download
memory/3116-18-0x000000001BE40000-0x000000001BE4C000-memory.dmp

Filesize
48KB

Download
memory/3116-11-0x000000001BC90000-0x000000001BCA2000-memory.dmp

Filesize
72KB

Download
memory/3116-17-0x000000001BD30000-0x000000001BD38000-memory.dmp

Filesize
32KB

Download
memory/3116-10-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/3116-1-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/3116-147-0x00007FFCCDA23000-0x00007FFCCDA25000-memory.dmp

Filesize
8KB

Download
memory/3116-9-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/3116-14-0x000000001BCB0000-0x000000001BCBE000-memory.dmp

Filesize
56KB

Download
memory/3116-15-0x000000001BCC0000-0x000000001BCCE000-memory.dmp

Filesize
56KB

Download
memory/3116-16-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/3116-12-0x000000001C250000-0x000000001C778000-memory.dmp

Filesize
5.2MB

Download
memory/3116-162-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-0-0x00007FFCCDA23000-0x00007FFCCDA25000-memory.dmp

Filesize
8KB

Download
memory/3116-343-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3116-8-0x000000001B510000-0x000000001B526000-memory.dmp

Filesize
88KB

Download
memory/3116-7-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/3116-6-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/3116-5-0x000000001BCD0000-0x000000001BD20000-memory.dmp

Filesize
320KB

Download
memory/3116-4-0x00000000028C0000-0x00000000028DC000-memory.dmp

Filesize
112KB

Download
memory/3116-3-0x000000001B550000-0x000000001B67E000-memory.dmp

Filesize
1.2MB

Download
memory/3116-2-0x00007FFCCDA20000-0x00007FFCCE4E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-240-0x00000207AB700000-0x00000207AB722000-memory.dmp

Filesize
136KB

Download
memory/3696-644-0x000000001C1B0000-0x000000001C1C2000-memory.dmp

Filesize
72KB

Download
memory/4484-504-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download