colibri | b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Size

4.9MB
MD5

604f0b5ecdccdf0e76198b6a7d13b110
SHA1

ec5d3e886db59e7167834ac6124c8daafe2aaa08
SHA256

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09
SHA512

a42477393297ed9c246cc3d6eae43777194ba3ea7617cde4015821124203d7159bbb370fadcf7f4d7f1633d5d97de5d11a8b6d5758982c85c2ffd4e3fc4ab1ec
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4004	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4004	schtasks.exe	81

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2800-3-0x000000001BBF0000-0x000000001BD1E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4428	powershell.exe
1444	powershell.exe
4872	powershell.exe
3720	powershell.exe
2236	powershell.exe
4876	powershell.exe
4444	powershell.exe
3384	powershell.exe
2224	powershell.exe
2752	powershell.exe
2676	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesppsvc.exesppsvc.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 34 IoCs

Processes:

tmp890A.tmp.exetmp890A.tmp.exetmp890A.tmp.exesppsvc.exetmpAC8C.tmp.exetmpAC8C.tmp.exesppsvc.exesppsvc.exetmpE520.tmp.exetmpE520.tmp.exetmpE520.tmp.exesppsvc.exetmp16DE.tmp.exetmp16DE.tmp.exesppsvc.exetmp483F.tmp.exetmp483F.tmp.exetmp483F.tmp.exesppsvc.exetmp7AD8.tmp.exetmp7AD8.tmp.exesppsvc.exesppsvc.exetmpC8D9.tmp.exetmpC8D9.tmp.exesppsvc.exetmpE54A.tmp.exetmpE54A.tmp.exesppsvc.exetmp16CA.tmp.exetmp16CA.tmp.exesppsvc.exetmp484A.tmp.exetmp484A.tmp.exe

pid	Process
4764	tmp890A.tmp.exe
2804	tmp890A.tmp.exe
976	tmp890A.tmp.exe
3688	sppsvc.exe
4908	tmpAC8C.tmp.exe
4672	tmpAC8C.tmp.exe
2956	sppsvc.exe
3528	sppsvc.exe
4876	tmpE520.tmp.exe
4560	tmpE520.tmp.exe
5056	tmpE520.tmp.exe
1172	sppsvc.exe
4764	tmp16DE.tmp.exe
1152	tmp16DE.tmp.exe
1700	sppsvc.exe
3148	tmp483F.tmp.exe
1540	tmp483F.tmp.exe
3560	tmp483F.tmp.exe
4916	sppsvc.exe
3904	tmp7AD8.tmp.exe
3368	tmp7AD8.tmp.exe
5044	sppsvc.exe
3564	sppsvc.exe
1068	tmpC8D9.tmp.exe
5076	tmpC8D9.tmp.exe
3284	sppsvc.exe
2032	tmpE54A.tmp.exe
3884	tmpE54A.tmp.exe
3528	sppsvc.exe
2336	tmp16CA.tmp.exe
3356	tmp16CA.tmp.exe
4280	sppsvc.exe
2740	tmp484A.tmp.exe
4904	tmp484A.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in System32 directory 5 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

description	ioc	Process
File created	C:\Windows\System32\spoolsv.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Windows\SysWOW64\InstallShield\csrss.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Windows\SysWOW64\InstallShield\886983d96e3d3e	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\RCX917A.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\csrss.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

tmp890A.tmp.exetmpAC8C.tmp.exetmpE520.tmp.exetmp16DE.tmp.exetmp483F.tmp.exetmp7AD8.tmp.exetmpC8D9.tmp.exetmpE54A.tmp.exetmp16CA.tmp.exetmp484A.tmp.exe

description	pid	Process	procid_target
PID 2804 set thread context of 976	2804	tmp890A.tmp.exe	116
PID 4908 set thread context of 4672	4908	tmpAC8C.tmp.exe	148
PID 4560 set thread context of 5056	4560	tmpE520.tmp.exe	160
PID 4764 set thread context of 1152	4764	tmp16DE.tmp.exe	168
PID 1540 set thread context of 3560	1540	tmp483F.tmp.exe	175
PID 3904 set thread context of 3368	3904	tmp7AD8.tmp.exe	181
PID 1068 set thread context of 5076	1068	tmpC8D9.tmp.exe	190
PID 2032 set thread context of 3884	2032	tmpE54A.tmp.exe	196
PID 2336 set thread context of 3356	2336	tmp16CA.tmp.exe	202
PID 2740 set thread context of 4904	2740	tmp484A.tmp.exe	208

Drops file in Program Files directory 20 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Common Files\5940a34987c991	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX88CA.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX8F76.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\0a1fd5f707cd16	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Common Files\dllhost.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX8CF4.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Common Files\dllhost.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\9e8d7a4ca61bd9	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9610.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\9e8d7a4ca61bd9	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX8AE0.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

Drops file in Windows directory 4 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

description	ioc	Process
File created	C:\Windows\Logs\SettingSync\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File created	C:\Windows\Logs\SettingSync\9e8d7a4ca61bd9	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Windows\Logs\SettingSync\RCX8678.tmp	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
File opened for modification	C:\Windows\Logs\SettingSync\RuntimeBroker.exe	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpE54A.tmp.exetmp890A.tmp.exetmpE520.tmp.exetmp483F.tmp.exetmp7AD8.tmp.exetmpC8D9.tmp.exetmp16CA.tmp.exetmp484A.tmp.exetmp890A.tmp.exetmpAC8C.tmp.exetmpE520.tmp.exetmp16DE.tmp.exetmp483F.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE54A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp890A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE520.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp483F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7AD8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC8D9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp16CA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp484A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp890A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAC8C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE520.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp16DE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp483F.tmp.exe

Modifies registry class 12 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3368	schtasks.exe
4740	schtasks.exe
2776	schtasks.exe
1184	schtasks.exe
5088	schtasks.exe
3624	schtasks.exe
4016	schtasks.exe
1416	schtasks.exe
3532	schtasks.exe
660	schtasks.exe
4568	schtasks.exe
4828	schtasks.exe
3680	schtasks.exe
3048	schtasks.exe
4368	schtasks.exe
1868	schtasks.exe
1828	schtasks.exe
3876	schtasks.exe
1000	schtasks.exe
4940	schtasks.exe
2480	schtasks.exe
1980	schtasks.exe
4992	schtasks.exe
2032	schtasks.exe
2212	schtasks.exe
1916	schtasks.exe
1340	schtasks.exe
452	schtasks.exe
1792	schtasks.exe
1216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	Process
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
4872	powershell.exe
4872	powershell.exe
4428	powershell.exe
4428	powershell.exe
3384	powershell.exe
3384	powershell.exe
1444	powershell.exe
1444	powershell.exe
2236	powershell.exe
2236	powershell.exe
3720	powershell.exe
3720	powershell.exe
4444	powershell.exe
4444	powershell.exe
2224	powershell.exe
2224	powershell.exe
2676	powershell.exe
2676	powershell.exe
2752	powershell.exe
2752	powershell.exe
4428	powershell.exe
4872	powershell.exe
4872	powershell.exe
1444	powershell.exe
3384	powershell.exe
2236	powershell.exe
3720	powershell.exe
4444	powershell.exe
2676	powershell.exe
2224	powershell.exe
2752	powershell.exe
3688	sppsvc.exe
2956	sppsvc.exe
3528	sppsvc.exe
1172	sppsvc.exe
1700	sppsvc.exe
4916	sppsvc.exe
5044	sppsvc.exe
3564	sppsvc.exe
3284	sppsvc.exe
3528	sppsvc.exe
4280	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	3688	sppsvc.exe
Token: SeDebugPrivilege	2956	sppsvc.exe
Token: SeDebugPrivilege	3528	sppsvc.exe
Token: SeDebugPrivilege	1172	sppsvc.exe
Token: SeDebugPrivilege	1700	sppsvc.exe
Token: SeDebugPrivilege	4916	sppsvc.exe
Token: SeDebugPrivilege	5044	sppsvc.exe
Token: SeDebugPrivilege	3564	sppsvc.exe
Token: SeDebugPrivilege	3284	sppsvc.exe
Token: SeDebugPrivilege	3528	sppsvc.exe
Token: SeDebugPrivilege	4280	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exetmp890A.tmp.exetmp890A.tmp.exesppsvc.exetmpAC8C.tmp.exeWScript.exesppsvc.exeWScript.exesppsvc.exe

description	pid	Process	procid_target
PID 2800 wrote to memory of 4764	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	113
PID 2800 wrote to memory of 4764	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	113
PID 2800 wrote to memory of 4764	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	113
PID 4764 wrote to memory of 2804	4764	tmp890A.tmp.exe	115
PID 4764 wrote to memory of 2804	4764	tmp890A.tmp.exe	115
PID 4764 wrote to memory of 2804	4764	tmp890A.tmp.exe	115
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2804 wrote to memory of 976	2804	tmp890A.tmp.exe	116
PID 2800 wrote to memory of 2752	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	120
PID 2800 wrote to memory of 2752	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	120
PID 2800 wrote to memory of 3720	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	121
PID 2800 wrote to memory of 3720	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	121
PID 2800 wrote to memory of 1444	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	122
PID 2800 wrote to memory of 1444	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	122
PID 2800 wrote to memory of 4872	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	123
PID 2800 wrote to memory of 4872	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	123
PID 2800 wrote to memory of 2236	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	124
PID 2800 wrote to memory of 2236	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	124
PID 2800 wrote to memory of 4876	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	125
PID 2800 wrote to memory of 4876	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	125
PID 2800 wrote to memory of 4428	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	126
PID 2800 wrote to memory of 4428	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	126
PID 2800 wrote to memory of 4444	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	127
PID 2800 wrote to memory of 4444	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	127
PID 2800 wrote to memory of 3384	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	128
PID 2800 wrote to memory of 3384	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	128
PID 2800 wrote to memory of 2224	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	129
PID 2800 wrote to memory of 2224	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	129
PID 2800 wrote to memory of 2676	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	130
PID 2800 wrote to memory of 2676	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	130
PID 2800 wrote to memory of 3688	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	142
PID 2800 wrote to memory of 3688	2800	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe	142
PID 3688 wrote to memory of 5076	3688	sppsvc.exe	144
PID 3688 wrote to memory of 5076	3688	sppsvc.exe	144
PID 3688 wrote to memory of 2624	3688	sppsvc.exe	145
PID 3688 wrote to memory of 2624	3688	sppsvc.exe	145
PID 3688 wrote to memory of 4908	3688	sppsvc.exe	146
PID 3688 wrote to memory of 4908	3688	sppsvc.exe	146
PID 3688 wrote to memory of 4908	3688	sppsvc.exe	146
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 4908 wrote to memory of 4672	4908	tmpAC8C.tmp.exe	148
PID 5076 wrote to memory of 2956	5076	WScript.exe	151
PID 5076 wrote to memory of 2956	5076	WScript.exe	151
PID 2956 wrote to memory of 224	2956	sppsvc.exe	152
PID 2956 wrote to memory of 224	2956	sppsvc.exe	152
PID 2956 wrote to memory of 4464	2956	sppsvc.exe	153
PID 2956 wrote to memory of 4464	2956	sppsvc.exe	153
PID 224 wrote to memory of 3528	224	WScript.exe	154
PID 224 wrote to memory of 3528	224	WScript.exe	154
PID 3528 wrote to memory of 3464	3528	sppsvc.exe	155
PID 3528 wrote to memory of 3464	3528	sppsvc.exe	155
PID 3528 wrote to memory of 4780	3528	sppsvc.exe	156
PID 3528 wrote to memory of 4780	3528	sppsvc.exe	156
PID 3528 wrote to memory of 4876	3528	sppsvc.exe	157

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exeb30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe
"C:\Users\Admin\AppData\Local\Temp\b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800
- C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff0881d9-1321-4b62-b033-bf329e2bf4d0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2956
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c62db975-e113-4902-80b8-807d004c67e4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d177240-9279-462d-91c7-5b5650228e70.vbs"
        7⤵
        
        PID:3464
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689e5b37-ef43-4c7d-b791-37aec28b24be.vbs"
        9⤵
        
        PID:2852
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65221de5-645d-4f7f-b627-3f5c1fff7189.vbs"
        11⤵
        
        PID:3792
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9b04ec8-9fe5-434c-82e0-18f43f9c1695.vbs"
        13⤵
        
        PID:3980
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a27936ed-0529-4002-9a06-cf121b9a4adb.vbs"
        15⤵
        
        PID:3424
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf2fa34a-ec2d-46f6-9ae1-d3907fd951de.vbs"
        17⤵
        
        PID:1128
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62d06bf8-5864-4ef5-8258-b9f956b01095.vbs"
        19⤵
        
        PID:2380
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d672c02b-35e8-48bc-8371-bfc8a511cd28.vbs"
        21⤵
        
        PID:4960
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19bedd2a-a3e6-492b-b288-6ffa2ae284f5.vbs"
        23⤵
        
        PID:4888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ba0923-ac00-45d3-a4ce-e90aa012e3fe.vbs"
        23⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp484A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp484A.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp484A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp484A.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79edf0b4-fa71-4e43-a474-f542cdab2321.vbs"
        21⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp16CA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp16CA.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp16CA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp16CA.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7978e1b8-2214-4a24-b537-586f78f04290.vbs"
        19⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpE54A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE54A.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmpE54A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE54A.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df33b8a9-9df3-4bc9-9e52-51e6f13e0e25.vbs"
        17⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmpC8D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC8D9.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmpC8D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC8D9.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d11c583-e3ef-46ce-8961-f69bb9410d52.vbs"
        15⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01544779-ada3-48fe-97f7-d20486257f6d.vbs"
        13⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66ed5c5-3e84-474b-9fcc-664ba14fa990.vbs"
        11⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp483F.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01561538-9c0e-4757-abbe-efc8ddf2aaf6.vbs"
        9⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\558332b5-7f8d-45cf-92e4-d4b8afbd45f6.vbs"
        7⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE520.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:5056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcca4730-2529-4b70-8ef0-12ca603baa21.vbs"
        5⤵
        
        PID:4464
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe44002-59e7-4e17-adaa-8d9d3fa0cb47.vbs"
    3⤵
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\SettingSync\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\SettingSync\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\InstallShield\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\InstallShield\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\InstallShield\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe

Filesize
4.9MB

MD5
604f0b5ecdccdf0e76198b6a7d13b110

SHA1
ec5d3e886db59e7167834ac6124c8daafe2aaa08

SHA256
b30b93d0a245873a2870a1c0ca4ebd95c887bc816d3775bb61b28c203e549a09

SHA512
a42477393297ed9c246cc3d6eae43777194ba3ea7617cde4015821124203d7159bbb370fadcf7f4d7f1633d5d97de5d11a8b6d5758982c85c2ffd4e3fc4ab1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d177240-9279-462d-91c7-5b5650228e70.vbs

Filesize
737B

MD5
6de19feb3c10f4f6b248aef7fac7e6cb

SHA1
81141920e7268317e6e212b77300b6424f58638e

SHA256
f19e66b2b6c4459f127c2830379d1cf0c0164d9bf21ff663991b5e37bb6be128

SHA512
87c2514547cd1816c80bff800bbeb72ab71a64c72ccd6871d58e9c4f61554c3916df14216446a825d36985324f3d918a74a2663c603aefe6de814399ea61aaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\65221de5-645d-4f7f-b627-3f5c1fff7189.vbs

Filesize
737B

MD5
f0c052de9f73a04e8b306881eb4feeaf

SHA1
c5cd8188ee23987f1d387b25d32829e61aa86a2e

SHA256
3110e8b69bfa2c76445c8dc8f3ef61f2dd5c49354df66c5e71bb6926762c791e

SHA512
66b0b63aac21ed0e25361ccf85fec3902362621ae0f9e301c7c19e77af2387f18060bc12574462006743e6d0a4fff566a4990f2be74f04f00d32cf4718788cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\689e5b37-ef43-4c7d-b791-37aec28b24be.vbs

Filesize
737B

MD5
493a3a4798714ecf2fedcb1bc8c5f14d

SHA1
819cc03cbe74016c691ffa4394d00dda6f930a70

SHA256
1a309dec5cbf0297f4560f5295d2155f850d52ffcb2c48a0fb5757c9b36d7111

SHA512
95d0e83d468a1b3081811f31ea8253aa49f44ecddab173c4d7d8a30565b5bf802c27e657a4e412e8ce370a1ad7645579729e515e7c15e8e73bbbffec45e23aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2r4rq0t.10g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a27936ed-0529-4002-9a06-cf121b9a4adb.vbs

Filesize
737B

MD5
0993a19171a46cf1ac52d71ad79c950c

SHA1
967d70d18de6b16070adc86a75c9224119606cce

SHA256
8d961977d2ecc5dc8ec098fa1b9e7ae37be286bd13a06c026404e7559038b0ca

SHA512
ccb0057cbfe55e08eda258cb7f99296a802888060468df20a9179fa463b003ec9e1f71242be764e5117426bdd70a732db1426bd4b2425289b72db0b2ed953b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2fa34a-ec2d-46f6-9ae1-d3907fd951de.vbs

Filesize
737B

MD5
eff5b876e422ed9026cb88c0439ab383

SHA1
a49115aa50b0a141be4dfee31b7d8ebe973d0626

SHA256
79548e1d81dc02236cc43885f69493c5883e190d7db3d09b98bbcda52dd4223e

SHA512
724a6cd9dac4ad8d53c2209dc9c7118f5c4e882cd0617637ad7ff9ed7c82e6620444ec76a8def799578884e35233309563077f82e9ca06e2626b1ba3151b3ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c62db975-e113-4902-80b8-807d004c67e4.vbs

Filesize
737B

MD5
5135864076ce287d162832dbf3680f8b

SHA1
2825cde9a0d283bc99d2930d6b5f47fd465576c8

SHA256
8a8c145359145e0513853cb89303fd80c80a93250131856fb0a19bf979981937

SHA512
d2172b214b060b435bfbccaaad4b65f19822e84cb95f77c0f68449090ddae9b684972cd4515cd9a7f28c8f7137b84fe9eb8f2f7b083f3f0f0ec625df451fe2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\efe44002-59e7-4e17-adaa-8d9d3fa0cb47.vbs

Filesize
513B

MD5
ec7c27829cb96d275acdb839f841d613

SHA1
d51df1bc4fc18f1f9520b2bb366c90f2e2aedb94

SHA256
3d655a92f4968131a05d2e81481c245571e34b7e6277dfdbc2d7076ec024441a

SHA512
e7272b958f5e15414b3ea85d321a793dca3bcf0682fecc86bcec8325b50d62b20dfa6cc27a4ef8cdefdf7ead52c8f5c8b36c99bbfc4865ad9ad6ecf7057c810c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9b04ec8-9fe5-434c-82e0-18f43f9c1695.vbs

Filesize
737B

MD5
61e25da508797292a75c352206dc42ea

SHA1
b0f8da3aafac6b728528995d4779fa127e3de5e8

SHA256
9d26c3121122a4b757d0e7be022f53b38145adf72b5c6dc32c4018cc658c5604

SHA512
290b26624099494ac1cb7100d3ea5dce4faa586392d2c2f35a418c332945119e05dc5727e6c60a2d255b560421166cf4e3477300c816d836ee491c0f853c1e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff0881d9-1321-4b62-b033-bf329e2bf4d0.vbs

Filesize
737B

MD5
7c7c20da838fda756336675ae120fdb2

SHA1
a9b0dff7092ab285e0550f8d4eebcca8586d5ca1

SHA256
1e23496e345d7184bf31ae6a958a21db1aae851a4d51b96f1e8c2b155449d3ac

SHA512
ab9f605c356fb4584db686d32ec2fc1eed90816c1832bd6446029b0bdfa8f080b4d4c452dcacb46b24cdbbce3a2272d2213c31ff71cca0a980a57f9a8a5b6fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp890A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\Saved Games\RCX9892.tmp

Filesize
4.9MB

MD5
1d73e6b0b79f71800817e8b255a79cd8

SHA1
d5e549c2a7137f1e382897ecbc1d5dbc8a862730

SHA256
1b6e43aa8d118b9dcdb66d951782b03fbc07211c4363a39b6f0c966355208178

SHA512
66721dfcff1987b2a5be5b13e784b808527893ec3598be39200915d303ec47f13db27eaa2934eacd08c0022797faa3b3118a12bd19a4593f838dedd58c9b64a0

Download Submit
memory/976-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2800-11-0x000000001BAD0000-0x000000001BAE2000-memory.dmp

Filesize
72KB

Download
memory/2800-7-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2800-10-0x000000001BAC0000-0x000000001BACA000-memory.dmp

Filesize
40KB

Download
memory/2800-1-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/2800-9-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/2800-274-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/2800-13-0x000000001C380000-0x000000001C38A000-memory.dmp

Filesize
40KB

Download
memory/2800-2-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/2800-14-0x000000001C390000-0x000000001C39E000-memory.dmp

Filesize
56KB

Download
memory/2800-12-0x000000001C8B0000-0x000000001CDD8000-memory.dmp

Filesize
5.2MB

Download
memory/2800-3-0x000000001BBF0000-0x000000001BD1E000-memory.dmp

Filesize
1.2MB

Download
memory/2800-16-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

Filesize
32KB

Download
memory/2800-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/2800-17-0x000000001C3C0000-0x000000001C3C8000-memory.dmp

Filesize
32KB

Download
memory/2800-15-0x000000001C3A0000-0x000000001C3AE000-memory.dmp

Filesize
56KB

Download
memory/2800-8-0x000000001BA90000-0x000000001BAA6000-memory.dmp

Filesize
88KB

Download
memory/2800-4-0x000000001BA70000-0x000000001BA8C000-memory.dmp

Filesize
112KB

Download
memory/2800-5-0x000000001BD20000-0x000000001BD70000-memory.dmp

Filesize
320KB

Download
memory/2800-6-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/2800-18-0x000000001C3D0000-0x000000001C3DC000-memory.dmp

Filesize
48KB

Download
memory/2956-322-0x000000001BB30000-0x000000001BB42000-memory.dmp

Filesize
72KB

Download
memory/3284-461-0x0000000002C60000-0x0000000002C72000-memory.dmp

Filesize
72KB

Download
memory/3688-294-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/3688-319-0x000000001BC00000-0x000000001BC35000-memory.dmp

Filesize
212KB

Download
memory/4872-181-0x000001D2FBA20000-0x000001D2FBA42000-memory.dmp

Filesize
136KB

Download