colibri | baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353

Analysis

max time kernel
117s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Size

4.9MB
MD5

916dfec6e74a12ca331424d9a83f6270
SHA1

e0990916cd17d53000a9d4feec420c7965bcc23f
SHA256

baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353
SHA512

230dd85c3a6e7ff009a4ce16d692f32269c38a04681faf09badcad5cb9c7f7ee768960fd69f40e4203df31c0a6d06e1340499e0abb8bba45609de34b33f2a5d4
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1868	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1868	schtasks.exe	82

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3128-2-0x000000001B8A0000-0x000000001B9CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3316	powershell.exe
1012	powershell.exe
1260	powershell.exe
2272	powershell.exe
2112	powershell.exe
1856	powershell.exe
3552	powershell.exe
3416	powershell.exe
2108	powershell.exe
4472	powershell.exe
2892	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 33 IoCs

pid	Process
2844	tmpA78C.tmp.exe
4464	tmpA78C.tmp.exe
5064	tmpA78C.tmp.exe
4688	SearchApp.exe
1524	SearchApp.exe
2892	tmpE05.tmp.exe
2196	tmpE05.tmp.exe
3828	SearchApp.exe
692	SearchApp.exe
2896	tmp5B2B.tmp.exe
2980	tmp5B2B.tmp.exe
3588	SearchApp.exe
5072	tmp7903.tmp.exe
4128	tmp7903.tmp.exe
2196	SearchApp.exe
3676	tmp9601.tmp.exe
5016	tmp9601.tmp.exe
2972	SearchApp.exe
3860	tmpB273.tmp.exe
212	tmpB273.tmp.exe
1540	tmpB273.tmp.exe
4512	SearchApp.exe
4204	tmpE4FC.tmp.exe
1396	tmpE4FC.tmp.exe
2728	SearchApp.exe
2652	tmp1737.tmp.exe
4880	tmp1737.tmp.exe
1880	SearchApp.exe
2980	tmp4721.tmp.exe
1624	tmp4721.tmp.exe
2356	SearchApp.exe
4168	tmp63A2.tmp.exe
2392	tmp63A2.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 5064	4464	tmpA78C.tmp.exe	140
PID 2892 set thread context of 2196	2892	tmpE05.tmp.exe	180
PID 2896 set thread context of 2980	2896	tmp5B2B.tmp.exe	191
PID 5072 set thread context of 4128	5072	tmp7903.tmp.exe	197
PID 3676 set thread context of 5016	3676	tmp9601.tmp.exe	203
PID 212 set thread context of 1540	212	tmpB273.tmp.exe	210
PID 4204 set thread context of 1396	4204	tmpE4FC.tmp.exe	216
PID 2652 set thread context of 4880	2652	tmp1737.tmp.exe	222
PID 2980 set thread context of 1624	2980	tmp4721.tmp.exe	228
PID 4168 set thread context of 2392	4168	tmp63A2.tmp.exe	234

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\spoolsv.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\sppsvc.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Microsoft Office 15\121e5b5079f7c0	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\MSBuild\Microsoft\dllhost.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Windows Defender\de-DE\smss.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXB30C.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\dllhost.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXB0F8.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\sysmon.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wininit.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\f3b6ecef712a24	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\MSBuild\Microsoft\5940a34987c991	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files (x86)\Windows Mail\56085415360792	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\RCXA634.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXACDF.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\sppsvc.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC8A1.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\spoolsv.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\0a1fd5f707cd16	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Microsoft Office 15\sysmon.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Program Files\Windows Defender\de-DE\69ddcba757bf72	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCXC478.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\smss.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\RCXB58E.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\38384e6a620884	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\SystemResources\TextInputHost.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Pictures\RCXB9B6.tmp	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
File created	C:\Windows\Sun\Java\Deployment\55b276f4edf653	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA78C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE05.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB273.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp63A2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1737.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4721.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA78C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5B2B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7903.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9601.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB273.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE4FC.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3620	schtasks.exe
5028	schtasks.exe
4404	schtasks.exe
2432	schtasks.exe
1880	schtasks.exe
464	schtasks.exe
812	schtasks.exe
2108	schtasks.exe
2024	schtasks.exe
3628	schtasks.exe
1692	schtasks.exe
4296	schtasks.exe
3000	schtasks.exe
3692	schtasks.exe
2104	schtasks.exe
512	schtasks.exe
1452	schtasks.exe
1564	schtasks.exe
2436	schtasks.exe
228	schtasks.exe
4492	schtasks.exe
3896	schtasks.exe
4012	schtasks.exe
4972	schtasks.exe
3192	schtasks.exe
8	schtasks.exe
2032	schtasks.exe
3260	schtasks.exe
2404	schtasks.exe
2236	schtasks.exe
5056	schtasks.exe
3972	schtasks.exe
1736	schtasks.exe
2508	schtasks.exe
232	schtasks.exe
2756	schtasks.exe
912	schtasks.exe
2044	schtasks.exe
4948	schtasks.exe
2580	schtasks.exe
3664	schtasks.exe
3400	schtasks.exe
1672	schtasks.exe
1020	schtasks.exe
3116	schtasks.exe
4380	schtasks.exe
1416	schtasks.exe
3176	schtasks.exe
4400	schtasks.exe
4888	schtasks.exe
4824	schtasks.exe
1116	schtasks.exe
3676	schtasks.exe
3132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
3552	powershell.exe
3552	powershell.exe
4472	powershell.exe
4472	powershell.exe
1260	powershell.exe
1260	powershell.exe
1012	powershell.exe
1012	powershell.exe
2892	powershell.exe
2892	powershell.exe
1856	powershell.exe
1856	powershell.exe
2112	powershell.exe
2112	powershell.exe
2272	powershell.exe
2272	powershell.exe
3416	powershell.exe
3416	powershell.exe
2108	powershell.exe
2108	powershell.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
3552	powershell.exe
1260	powershell.exe
1012	powershell.exe
4472	powershell.exe
3416	powershell.exe
2272	powershell.exe
2112	powershell.exe
2892	powershell.exe
1856	powershell.exe
2108	powershell.exe
4688	SearchApp.exe
1524	SearchApp.exe
3828	SearchApp.exe
692	SearchApp.exe
3588	SearchApp.exe
2196	SearchApp.exe
2972	SearchApp.exe
4512	SearchApp.exe
2728	SearchApp.exe
1880	SearchApp.exe
2356	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4688	SearchApp.exe
Token: SeDebugPrivilege	1524	SearchApp.exe
Token: SeDebugPrivilege	3828	SearchApp.exe
Token: SeDebugPrivilege	692	SearchApp.exe
Token: SeDebugPrivilege	3588	SearchApp.exe
Token: SeDebugPrivilege	2196	SearchApp.exe
Token: SeDebugPrivilege	2972	SearchApp.exe
Token: SeDebugPrivilege	4512	SearchApp.exe
Token: SeDebugPrivilege	2728	SearchApp.exe
Token: SeDebugPrivilege	1880	SearchApp.exe
Token: SeDebugPrivilege	2356	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2844	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	137
PID 3128 wrote to memory of 2844	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	137
PID 3128 wrote to memory of 2844	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	137
PID 2844 wrote to memory of 4464	2844	tmpA78C.tmp.exe	139
PID 2844 wrote to memory of 4464	2844	tmpA78C.tmp.exe	139
PID 2844 wrote to memory of 4464	2844	tmpA78C.tmp.exe	139
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 4464 wrote to memory of 5064	4464	tmpA78C.tmp.exe	140
PID 3128 wrote to memory of 3316	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	141
PID 3128 wrote to memory of 3316	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	141
PID 3128 wrote to memory of 3552	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	142
PID 3128 wrote to memory of 3552	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	142
PID 3128 wrote to memory of 1856	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	143
PID 3128 wrote to memory of 1856	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	143
PID 3128 wrote to memory of 2112	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	144
PID 3128 wrote to memory of 2112	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	144
PID 3128 wrote to memory of 2272	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	145
PID 3128 wrote to memory of 2272	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	145
PID 3128 wrote to memory of 1260	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	146
PID 3128 wrote to memory of 1260	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	146
PID 3128 wrote to memory of 2892	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	147
PID 3128 wrote to memory of 2892	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	147
PID 3128 wrote to memory of 1012	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	148
PID 3128 wrote to memory of 1012	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	148
PID 3128 wrote to memory of 4472	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	149
PID 3128 wrote to memory of 4472	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	149
PID 3128 wrote to memory of 2108	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	150
PID 3128 wrote to memory of 2108	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	150
PID 3128 wrote to memory of 3416	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	151
PID 3128 wrote to memory of 3416	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	151
PID 3128 wrote to memory of 2192	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	162
PID 3128 wrote to memory of 2192	3128	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe	162
PID 2192 wrote to memory of 508	2192	cmd.exe	165
PID 2192 wrote to memory of 508	2192	cmd.exe	165
PID 2192 wrote to memory of 4688	2192	cmd.exe	169
PID 2192 wrote to memory of 4688	2192	cmd.exe	169
PID 4688 wrote to memory of 1612	4688	SearchApp.exe	171
PID 4688 wrote to memory of 1612	4688	SearchApp.exe	171
PID 4688 wrote to memory of 4548	4688	SearchApp.exe	172
PID 4688 wrote to memory of 4548	4688	SearchApp.exe	172
PID 1612 wrote to memory of 1524	1612	WScript.exe	175
PID 1612 wrote to memory of 1524	1612	WScript.exe	175
PID 1524 wrote to memory of 5016	1524	SearchApp.exe	176
PID 1524 wrote to memory of 5016	1524	SearchApp.exe	176
PID 1524 wrote to memory of 1884	1524	SearchApp.exe	177
PID 1524 wrote to memory of 1884	1524	SearchApp.exe	177
PID 1524 wrote to memory of 2892	1524	SearchApp.exe	178
PID 1524 wrote to memory of 2892	1524	SearchApp.exe	178
PID 1524 wrote to memory of 2892	1524	SearchApp.exe	178
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 2892 wrote to memory of 2196	2892	tmpE05.tmp.exe	180
PID 5016 wrote to memory of 3828	5016	WScript.exe	183
PID 5016 wrote to memory of 3828	5016	WScript.exe	183
PID 3828 wrote to memory of 4716	3828	SearchApp.exe	184

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe
"C:\Users\Admin\AppData\Local\Temp\baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3128
- C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MBJbhMGqP1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:508
- - C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
    "C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4688
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f349b49-da94-4436-8b60-16a9bc6f76ed.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86841c7c-1453-4928-9213-22adae9d52c1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aade539-24e2-46ac-92f7-8b153a26a081.vbs"
        8⤵
        
        PID:4716
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3adff2e6-fb27-48e5-b35f-6c7dbc49f805.vbs"
        10⤵
        
        PID:1148
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d913493c-eec1-46f2-ab0d-9252b5870680.vbs"
        12⤵
        
        PID:3092
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04946746-dd88-4e69-8b1d-52042af1050a.vbs"
        14⤵
        
        PID:5060
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d89bc00-1bb9-43c7-8fce-8875e13b4b42.vbs"
        16⤵
        
        PID:4780
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c9da68-f47a-4d6b-861c-bb6d820c35ca.vbs"
        18⤵
        
        PID:3060
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22f4bae-31e6-4786-99f0-9bd6f3da85e4.vbs"
        20⤵
        
        PID:1204
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68787f53-35b9-44d7-bf2a-4b57cd561891.vbs"
        22⤵
        
        PID:2896
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd76c328-5a23-4a83-b92c-994574e089b8.vbs"
        24⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19de9c76-bf70-43af-9b7e-38683cee10fa.vbs"
        24⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp63A2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp63A2.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp63A2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp63A2.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b7d2847-07f6-4001-bfe9-465d073a349e.vbs"
        22⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp4721.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4721.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp4721.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4721.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\455db80d-972c-45a6-a9fe-f029d040c63c.vbs"
        20⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b63c4a7-4eaf-48d3-ba24-0d2a9d40f977.vbs"
        18⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE4FC.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd75be8-2122-476a-bb2f-41000456d273.vbs"
        16⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB273.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cea4eca-da44-45c1-a12f-83155746062f.vbs"
        14⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9601.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\926154c8-826a-4392-b681-86ddd878bc26.vbs"
        12⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp7903.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7903.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7903.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7903.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ec301ee-fddf-4ff7-8a80-07b6b3fb1b3c.vbs"
        10⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b9d867-c73d-422a-979f-f52a262cb836.vbs"
        8⤵
        
        PID:2344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38e36f36-78be-489a-95ae-421b809e3e2d.vbs"
        6⤵
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2196
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16bbfcb6-1b0c-41ee-ba1c-e715b7ce2c3c.vbs"
      4⤵
      PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\lib\cmm\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\cmm\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\lib\cmm\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Local\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\PrintHood\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\de-DE\RCXC478.tmp

Filesize
4.9MB

MD5
ff0593d5a60cbd71f01b67cbdd3f2873

SHA1
235ed10808d8d0c30c23b503a6729f1c2db43af7

SHA256
1989d5b925d85e7d3c39e44511e69121961c7c1b812ac0e49c195aa8cdcaee69

SHA512
72ef121cca535fe91e7daee3de346039eaa6a575e03c032c949454c77adfecf2790000c486e1a638e909185e37d61ac40f7417d73c89375bc9eef2afbf3d70c6

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
4.9MB

MD5
916dfec6e74a12ca331424d9a83f6270

SHA1
e0990916cd17d53000a9d4feec420c7965bcc23f

SHA256
baad38b864eef46fd5414ef4aa483b644746242a09f95ab81e0fa90704aae353

SHA512
230dd85c3a6e7ff009a4ce16d692f32269c38a04681faf09badcad5cb9c7f7ee768960fd69f40e4203df31c0a6d06e1340499e0abb8bba45609de34b33f2a5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\04946746-dd88-4e69-8b1d-52042af1050a.vbs

Filesize
738B

MD5
aea7a9048eda479a87e8ea47e5a23b84

SHA1
cf90586d4fc717876912e10fdaa43f858e18b346

SHA256
96d8cf6167938c89f03c165161fc1d3ea7cab078f8f379e91f187686e9650118

SHA512
2883d3c3835fc869a08ec8275f5a7209da47909e54f354bbb3806c703b2a6ee441ebaff3d418271946b37c21214c5894593fc1fa69cf0046ab44b412626e4013

Download Submit
C:\Users\Admin\AppData\Local\Temp\16bbfcb6-1b0c-41ee-ba1c-e715b7ce2c3c.vbs

Filesize
514B

MD5
951270b15c2082ac0f96d7ca43381bae

SHA1
91ecb5031e3bb220a60e9ed1b7421ee4932d954a

SHA256
cb9d56e30168bf2d942508e91b1a81502297c7174c0cee40e44515da85ca6bcc

SHA512
a2fed625df4ccb1c764630ff1c1b2ec1c8c60d3ad998e6b2ae973cef28769950a508bf1ec85bcdb2b35045517d6a608b905306c7c7952923f489983c95322d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f349b49-da94-4436-8b60-16a9bc6f76ed.vbs

Filesize
738B

MD5
1136f4c9f3e9e0b2922a0bcf6615e17a

SHA1
8e619ba4f237c1b769a87dbd46a46b94d2cc1101

SHA256
d3daee1f31aabfefc26c0d9c4feeeb12580bb543f2358a0b6de03423d5b85002

SHA512
5e7c1d6216add23898bcdccfb88cf8c816e9e7dbb76533b2d114e8821a2b9de9d67d74fd325c79256c5ebb13b910dbfad35d85d878d0d57777c671aa2fbe53f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aade539-24e2-46ac-92f7-8b153a26a081.vbs

Filesize
738B

MD5
ccc1afbe25a9c5b63450effd6edf767f

SHA1
0ac2aeff6de0046606396175a4b0e67cbfff0192

SHA256
d2c8e4796948119a3279753dfd8b4595f7d3c910163d545dd16bbe5b80e0a95c

SHA512
0d6dd9f1957e9325b81e0cdb6e48bdc96deefd2626872abad4620f365de5eb1d4086e7e6d980d3d56d822461d06cc3d13686cc488b1af690862edc359365b083

Download Submit
C:\Users\Admin\AppData\Local\Temp\3adff2e6-fb27-48e5-b35f-6c7dbc49f805.vbs

Filesize
737B

MD5
1022198a3f894375b908cb75fc2ea4a9

SHA1
abb9dd21ebabd75c38646686b7a3a41c2b45aaac

SHA256
6c19da85dc3bbda5d87489eaf0c33156bf4d2ba450fad15187c034a029af8070

SHA512
012fd324d33e4e166b7e24d59d40f4561049b09ecb72618c56d9df0748a0311c3ded6f3256e87b1bd90d30c319acff730f5080bfab7c0f7d881c2fea050ff161

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d89bc00-1bb9-43c7-8fce-8875e13b4b42.vbs

Filesize
738B

MD5
743fe66520896d996955ff7aeb3d5a86

SHA1
c3457eb82a99554deb13ed2c76357a89c81eb7a5

SHA256
e79c4691f1fcbdc3cc77be24010afed909d652041584178b90f833db335d0290

SHA512
29d24d65871e3fa3960b8e1674030372574fe53a667fa97a1d8a6ea006065a03652949ed65023a1241b28c10d17240b9432b90d6e110a7b6810ab6e2bf808474

Download Submit
C:\Users\Admin\AppData\Local\Temp\86841c7c-1453-4928-9213-22adae9d52c1.vbs

Filesize
738B

MD5
a93b022a276c219de617ab03202ab43b

SHA1
ad5b7d19a49b1d34ad88788fc7d2d68d59b25c6b

SHA256
ab4f607d26d462a27a41d58369ffacb118020b1e9bd6bb0220b1a8f22cdb5072

SHA512
8ddda3e21ddc411555e46f6ca01979db73500006fd5bb3f365504895136e97ffdae08c2406522f720d64fdd3c1b1a562f008a57de89c15dd3e5f2729866dfa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBJbhMGqP1.bat

Filesize
227B

MD5
b0529639cdb4556121f080a47963a270

SHA1
548162308ddf78dc9bc2024cbac7d15324e4d52d

SHA256
5023c5c07573ecd13bc9c0c47256d1b0bac5dca1e9bb42ed094b2609065e57b9

SHA512
a45b77b1c807cb2ee98b37ed5f728579896b8413e49ccd1a59972fd94c4df0a6579d792ebbdc2c536c4c000c95df8b050dbad1a3ab4538ca0d774a27a6363c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4q0wawt.wdk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6c9da68-f47a-4d6b-861c-bb6d820c35ca.vbs

Filesize
738B

MD5
8e51fd2688a81c97d67b34b29014ae15

SHA1
66457970965bab5650ff76133a5f292df54c14c0

SHA256
ccb1df96608e75f5d3ef3b49ed502309502b7b4136d76734874a018277dd04d9

SHA512
f4cb62fb8322bd53d6f135c9e795ca78d2f690498f2aaf8c70d469c182220afa826e225ba112d16185077a47562743a581028d7d48c4fb62aedac4e20238289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d913493c-eec1-46f2-ab0d-9252b5870680.vbs

Filesize
738B

MD5
8cc72cd09e793380d3c0fae6c134b5e7

SHA1
7698ac0cb25bd7700179fafdc75c94d383867f29

SHA256
1bad5baa45d98699a72abcfbc6560663b8f16111813ca56f9b137bd835586541

SHA512
61028e5a35484b8e1b8515a40996ec58af6de354d4319c934f4ece8cf4edffe3234940177a802b9c77ca35ba4d1973d43da2c5bc742af40af9f1c1973f7adb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA78C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\fontdrvhost.exe

Filesize
4.9MB

MD5
2af0cd488f5b982279e1ea25ae0fe922

SHA1
4e9b5d48e64a9ed19c0b40cf1e9c35de88ca1d5e

SHA256
fa9d641df34bd8061b1a5356e200c29ecab32cd6a3f16e85b3760a72d6e1f9a4

SHA512
7a22903e0223e17cc9a49613afb8551c5d672ea68e98ae7707af801da1c0156c803fd3e7f88fbc149959a559ff99eae6bd07955325cb7e9a7fa4b61b18a319dc

Download Submit
memory/3128-11-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/3128-0-0x00007FFEF7F83000-0x00007FFEF7F85000-memory.dmp

Filesize
8KB

Download
memory/3128-154-0x00007FFEF7F83000-0x00007FFEF7F85000-memory.dmp

Filesize
8KB

Download
memory/3128-1-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/3128-198-0x00007FFEF7F80000-0x00007FFEF8A41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-3-0x00007FFEF7F80000-0x00007FFEF8A41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-16-0x0000000002D60000-0x0000000002D68000-memory.dmp

Filesize
32KB

Download
memory/3128-18-0x0000000002D80000-0x0000000002D8C000-memory.dmp

Filesize
48KB

Download
memory/3128-17-0x0000000002D70000-0x0000000002D78000-memory.dmp

Filesize
32KB

Download
memory/3128-12-0x000000001C400000-0x000000001C928000-memory.dmp

Filesize
5.2MB

Download
memory/3128-15-0x0000000002BE0000-0x0000000002BEE000-memory.dmp

Filesize
56KB

Download
memory/3128-13-0x0000000002BC0000-0x0000000002BCA000-memory.dmp

Filesize
40KB

Download
memory/3128-14-0x0000000002BD0000-0x0000000002BDE000-memory.dmp

Filesize
56KB

Download
memory/3128-164-0x00007FFEF7F80000-0x00007FFEF8A41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-10-0x0000000002BA0000-0x0000000002BAA000-memory.dmp

Filesize
40KB

Download
memory/3128-9-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/3128-8-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/3128-5-0x0000000002D10000-0x0000000002D60000-memory.dmp

Filesize
320KB

Download
memory/3128-6-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/3128-7-0x00000000012B0000-0x00000000012C0000-memory.dmp

Filesize
64KB

Download
memory/3128-2-0x000000001B8A0000-0x000000001B9CE000-memory.dmp

Filesize
1.2MB

Download
memory/3128-4-0x0000000001290000-0x00000000012AC000-memory.dmp

Filesize
112KB

Download
memory/3552-204-0x000002A8321D0000-0x000002A8321F2000-memory.dmp

Filesize
136KB

Download
memory/3588-395-0x000000001BAA0000-0x000000001BAB2000-memory.dmp

Filesize
72KB

Download
memory/5064-84-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download