colibri | 8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

Analysis

max time kernel
119s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Size

4.9MB
MD5

87c0d521f3387245929438143a477b30
SHA1

d427908e35f8a94c83750d923b32c91583091981
SHA256

8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93
SHA512

f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4560	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4560	schtasks.exe	82

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3908-3-0x000000001B850000-0x000000001B97E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4556	powershell.exe
4404	powershell.exe
2280	powershell.exe
2156	powershell.exe
4788	powershell.exe
4896	powershell.exe
4160	powershell.exe
3288	powershell.exe
2232	powershell.exe
1780	powershell.exe
4480	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 32 IoCs

pid	Process
2500	tmpC2B6.tmp.exe
1948	tmpC2B6.tmp.exe
616	tmpC2B6.tmp.exe
4576	sihost.exe
4672	sihost.exe
2304	tmp24F8.tmp.exe
4476	tmp24F8.tmp.exe
624	sihost.exe
2044	tmp54E1.tmp.exe
1528	tmp54E1.tmp.exe
1284	sihost.exe
4328	tmp7143.tmp.exe
1988	tmp7143.tmp.exe
2832	tmp7143.tmp.exe
424	sihost.exe
2284	tmpA256.tmp.exe
704	tmpA256.tmp.exe
4564	sihost.exe
2816	tmpD339.tmp.exe
1924	tmpD339.tmp.exe
3276	sihost.exe
3908	tmp41D.tmp.exe
3648	tmp41D.tmp.exe
3368	sihost.exe
3836	tmp212A.tmp.exe
2420	tmp212A.tmp.exe
4996	sihost.exe
5032	sihost.exe
2816	tmp5A6B.tmp.exe
2444	tmp5A6B.tmp.exe
1992	tmp5A6B.tmp.exe
4972	sihost.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 616	1948	tmpC2B6.tmp.exe	134
PID 2304 set thread context of 4476	2304	tmp24F8.tmp.exe	174
PID 2044 set thread context of 1528	2044	tmp54E1.tmp.exe	182
PID 1988 set thread context of 2832	1988	tmp7143.tmp.exe	189
PID 2284 set thread context of 704	2284	tmpA256.tmp.exe	195
PID 2816 set thread context of 1924	2816	tmpD339.tmp.exe	201
PID 3908 set thread context of 3648	3908	tmp41D.tmp.exe	207
PID 3836 set thread context of 2420	3836	tmp212A.tmp.exe	213
PID 2444 set thread context of 1992	2444	tmp5A6B.tmp.exe	223

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXCEA2.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXC16C.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sihost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Media Player\OfficeClickToRun.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Common Files\Services\taskhostw.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\sihost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Portable Devices\66fc9ff0ee96c2	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXDE78.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Common Files\Services\ea9f0e6c9e2dcd	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Media Player\e6c9b481da804f	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Common Files\Services\taskhostw.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\sihost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXC5D4.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD124.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Media Player\OfficeClickToRun.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXE07D.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\66fc9ff0ee96c2	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files\Windows Portable Devices\sihost.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXC7F8.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCXCC21.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\f3b6ecef712a24	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\IdentityCRL\RCXD54D.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\IdentityCRL\upfc.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Cursors\RCXDA50.tmp	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File opened for modification	C:\Windows\Cursors\spoolsv.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\IdentityCRL\upfc.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\IdentityCRL\ea1d8f6d871115	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
File created	C:\Windows\Cursors\spoolsv.exe	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp212A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A6B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC2B6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC2B6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp24F8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA256.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD339.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp41D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54E1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7143.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7143.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A6B.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
3660	schtasks.exe
5032	schtasks.exe
464	schtasks.exe
2300	schtasks.exe
3180	schtasks.exe
1172	schtasks.exe
1224	schtasks.exe
1672	schtasks.exe
3784	schtasks.exe
2828	schtasks.exe
1524	schtasks.exe
5040	schtasks.exe
4500	schtasks.exe
2332	schtasks.exe
1164	schtasks.exe
1896	schtasks.exe
212	schtasks.exe
3804	schtasks.exe
1916	schtasks.exe
1804	schtasks.exe
4672	schtasks.exe
1920	schtasks.exe
3480	schtasks.exe
4020	schtasks.exe
2848	schtasks.exe
4956	schtasks.exe
3248	schtasks.exe
4512	schtasks.exe
1956	schtasks.exe
116	schtasks.exe
208	schtasks.exe
3548	schtasks.exe
1284	schtasks.exe
4884	schtasks.exe
4928	schtasks.exe
5084	schtasks.exe
704	schtasks.exe
4736	schtasks.exe
1984	schtasks.exe
4932	schtasks.exe
3556	schtasks.exe
4936	schtasks.exe
5056	schtasks.exe
4752	schtasks.exe
5012	schtasks.exe
3504	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
4896	powershell.exe
4896	powershell.exe
4788	powershell.exe
4788	powershell.exe
4404	powershell.exe
4404	powershell.exe
1780	powershell.exe
1780	powershell.exe
4556	powershell.exe
4556	powershell.exe
2232	powershell.exe
2232	powershell.exe
4480	powershell.exe
4480	powershell.exe
2280	powershell.exe
2280	powershell.exe
4160	powershell.exe
4160	powershell.exe
2156	powershell.exe
2156	powershell.exe
4788	powershell.exe
2280	powershell.exe
4160	powershell.exe
3288	powershell.exe
3288	powershell.exe
3288	powershell.exe
2232	powershell.exe
4556	powershell.exe
1780	powershell.exe
4896	powershell.exe
4404	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	4576	sihost.exe
Token: SeDebugPrivilege	4672	sihost.exe
Token: SeDebugPrivilege	624	sihost.exe
Token: SeDebugPrivilege	1284	sihost.exe
Token: SeDebugPrivilege	424	sihost.exe
Token: SeDebugPrivilege	4564	sihost.exe
Token: SeDebugPrivilege	3276	sihost.exe
Token: SeDebugPrivilege	3368	sihost.exe
Token: SeDebugPrivilege	4996	sihost.exe
Token: SeDebugPrivilege	5032	sihost.exe
Token: SeDebugPrivilege	4972	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2500	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	131
PID 3908 wrote to memory of 2500	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	131
PID 3908 wrote to memory of 2500	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	131
PID 2500 wrote to memory of 1948	2500	tmpC2B6.tmp.exe	133
PID 2500 wrote to memory of 1948	2500	tmpC2B6.tmp.exe	133
PID 2500 wrote to memory of 1948	2500	tmpC2B6.tmp.exe	133
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 1948 wrote to memory of 616	1948	tmpC2B6.tmp.exe	134
PID 3908 wrote to memory of 4160	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	139
PID 3908 wrote to memory of 4160	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	139
PID 3908 wrote to memory of 3288	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	140
PID 3908 wrote to memory of 3288	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	140
PID 3908 wrote to memory of 2232	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	141
PID 3908 wrote to memory of 2232	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	141
PID 3908 wrote to memory of 4556	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	142
PID 3908 wrote to memory of 4556	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	142
PID 3908 wrote to memory of 4404	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	143
PID 3908 wrote to memory of 4404	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	143
PID 3908 wrote to memory of 2280	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	144
PID 3908 wrote to memory of 2280	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	144
PID 3908 wrote to memory of 2156	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	145
PID 3908 wrote to memory of 2156	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	145
PID 3908 wrote to memory of 1780	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	146
PID 3908 wrote to memory of 1780	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	146
PID 3908 wrote to memory of 4480	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	147
PID 3908 wrote to memory of 4480	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	147
PID 3908 wrote to memory of 4788	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	148
PID 3908 wrote to memory of 4788	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	148
PID 3908 wrote to memory of 4896	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	149
PID 3908 wrote to memory of 4896	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	149
PID 3908 wrote to memory of 3952	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	153
PID 3908 wrote to memory of 3952	3908	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe	153
PID 3952 wrote to memory of 3140	3952	cmd.exe	163
PID 3952 wrote to memory of 3140	3952	cmd.exe	163
PID 3952 wrote to memory of 4576	3952	cmd.exe	166
PID 3952 wrote to memory of 4576	3952	cmd.exe	166
PID 4576 wrote to memory of 1380	4576	sihost.exe	167
PID 4576 wrote to memory of 1380	4576	sihost.exe	167
PID 4576 wrote to memory of 4364	4576	sihost.exe	168
PID 4576 wrote to memory of 4364	4576	sihost.exe	168
PID 1380 wrote to memory of 4672	1380	WScript.exe	169
PID 1380 wrote to memory of 4672	1380	WScript.exe	169
PID 4672 wrote to memory of 4664	4672	sihost.exe	170
PID 4672 wrote to memory of 4664	4672	sihost.exe	170
PID 4672 wrote to memory of 3452	4672	sihost.exe	171
PID 4672 wrote to memory of 3452	4672	sihost.exe	171
PID 4672 wrote to memory of 2304	4672	sihost.exe	172
PID 4672 wrote to memory of 2304	4672	sihost.exe	172
PID 4672 wrote to memory of 2304	4672	sihost.exe	172
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 2304 wrote to memory of 4476	2304	tmp24F8.tmp.exe	174
PID 4664 wrote to memory of 624	4664	WScript.exe	177
PID 4664 wrote to memory of 624	4664	WScript.exe	177
PID 624 wrote to memory of 3368	624	sihost.exe	178

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe
"C:\Users\Admin\AppData\Local\Temp\8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3908
- C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NyG5yfUOLF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3140
- - C:\Program Files\Windows Portable Devices\sihost.exe
    "C:\Program Files\Windows Portable Devices\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4576
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb21c60d-0a12-41fe-9ad8-7b3f887ba6da.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dabc74f-bf44-4738-86eb-d5e6abb88a11.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d3f570-4d88-46cb-8c4e-b33168a94807.vbs"
        8⤵
        
        PID:3368
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5e149cc-14ab-4608-a0b0-58e9e2ae8f18.vbs"
        10⤵
        
        PID:3008
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc512b5c-3ff2-4004-897f-6d9e8a03fef6.vbs"
        12⤵
        
        PID:5020
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe59255f-a5e2-4793-9ab6-aed2b346ee96.vbs"
        14⤵
        
        PID:216
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4359c39-a03b-488b-89f3-81b6b572d80a.vbs"
        16⤵
        
        PID:3952
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5ee3356-4196-40a1-a228-3daa68e03ac7.vbs"
        18⤵
        
        PID:2568
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bb5f0e7-19e1-4ba0-a32d-14d54b45354f.vbs"
        20⤵
        
        PID:1960
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c24a11ed-788c-41ba-8760-19d83d178fb3.vbs"
        22⤵
        
        PID:4876
        
        C:\Program Files\Windows Portable Devices\sihost.exe
        
        "C:\Program Files\Windows Portable Devices\sihost.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc765dc1-419f-41ce-90e8-2e366776cb03.vbs"
        24⤵
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\675656d4-0731-4831-a9ff-2bdc87039c4b.vbs"
        24⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1de84d1-9c1d-4132-99f5-397616951994.vbs"
        22⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\444e35c5-b562-487e-ab58-5f5cdacdcfdb.vbs"
        20⤵
        
        PID:4732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1669e644-4886-4796-b1fc-b37771545473.vbs"
        18⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp212A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp212A.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp212A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp212A.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66c4482e-5428-4ddd-bccc-e5a5f7743941.vbs"
        16⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp41D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp41D.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp41D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp41D.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22c6d037-c722-4314-b706-fa8987a9b98e.vbs"
        14⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmpD339.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD339.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmpD339.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD339.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8e8a20-b0eb-4701-82c4-8f42227084f7.vbs"
        12⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmpA256.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA256.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmpA256.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA256.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5df975-be95-4b02-b2f2-218a96db3f13.vbs"
        10⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7143.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a4aaf2-9f1f-419d-84fd-d239a7c28c5f.vbs"
        8⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp54E1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54E1.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp54E1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54E1.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb46bde6-66b6-40a2-bb48-1e7c7ddbf8c9.vbs"
        6⤵
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\tmp24F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp24F8.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp24F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp24F8.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4476
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71443d4a-819c-40d9-9772-b99408382735.vbs"
      4⤵
      PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXE282.tmp

Filesize
4.9MB

MD5
a0411fa36a6f1072f9e5d50c7dd8307c

SHA1
d67c558e35214e0775fdbfdc33d5e24bc791427a

SHA256
352df6d94128af7361e62ddde4a3b3fbe7514ffc13e037dd3f776f7f87c51c01

SHA512
0db0c478907974eb0091932eba4a47385df3ac993f4d6296d40f03b5d1499319441fcc0233bcd7cbc6561ad058da828abda2cc35c842d26b2a7c99ea5b5f1c65

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
4.9MB

MD5
87c0d521f3387245929438143a477b30

SHA1
d427908e35f8a94c83750d923b32c91583091981

SHA256
8a8010863859888ac4f08fa9afbda54602dabbbbbcf114b8d51fef0b66be7f93

SHA512
f0f2d6916ad0082e4e30874e1df32bb9250e4f4d7557746eda09c8d38ac115122856cb19361f4d6085326b7826a029ad6e413dabfb81ef439913c711e0c2ac29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dabc74f-bf44-4738-86eb-d5e6abb88a11.vbs

Filesize
728B

MD5
5ee1e51224e4cd3c3e24ec9cfd12678c

SHA1
1c76f6ff2a989772962b9d609a456cab9e4b55e2

SHA256
70d790e0342a39a9d33b2c9bf407b1fd9cf300a91897a2ffd2634a0b4ffd3389

SHA512
80220f7427b7b45698cfaad6da322d23a69dee26307a4e88ae9d24a40cf0f184b131b1d34b538726fae85cda255d1c5b10315020e9c71131895eb7380dd8193a

Download Submit
C:\Users\Admin\AppData\Local\Temp\71443d4a-819c-40d9-9772-b99408382735.vbs

Filesize
504B

MD5
77ca259f1bc06dfa0de9a9d8248fc40f

SHA1
3737f4889fa8951654c1fcbab1ddb9c0ef1f611f

SHA256
665c41dcf6d30ca65268a3b6a544d8bf393d3bfeb3583aa736d4b817c35347d2

SHA512
d9c952cd70f245d22f451cc4eff72b3ee585482e02845a0e9b994df405940a38892b5d0474e892e99125abd70bad723e365142779e0e26195e7288323ca22ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NyG5yfUOLF.bat

Filesize
217B

MD5
27ffdcdadedea138a3d7217b594cfd35

SHA1
cc4118b75905a7f9a09212b9c32fb31081202c18

SHA256
e6a942095818b96e7e52227c546c4572c434dcd0c9d5212a93e9caf99ae69e35

SHA512
3bf899891d6c469e52e86d1cd6050b72661ec00da15361bc87645e32cff086a57562c0868be43ee151b63be121b81858fda27595c8c0761849889fb76dbd2341

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4um2rl10.ifm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5e149cc-14ab-4608-a0b0-58e9e2ae8f18.vbs

Filesize
728B

MD5
3b0ce19faf8c0617c5f9cffac467e711

SHA1
1ce055dd27090c3208cf5fe8f20aebd5c761f4c9

SHA256
45eba4602902f80e999e38c1eb0f58e5a2fdcd8c7c9ba0d4a9c6d66b56411f9a

SHA512
7190a0f60db19b457230bc1e0d7cfe8d33207361b634e2d6fd7a05e29080a1645c8b9c7247ec7e59515b8ea8e9e9148a932f5791b1c4f2f0468e849c61cdd62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d3f570-4d88-46cb-8c4e-b33168a94807.vbs

Filesize
727B

MD5
5fb3ae3add8b0a6a732a306c0035ccb0

SHA1
f4981967fa1207f73fee8466fd96043f35378eb3

SHA256
d5742c9861fd0ed16040fc2d60edac909a963736e678e3cf82896a4833a91f53

SHA512
95707f7048aa2dfe0f94b8a5d23b0bf49edf905ee254b1acaa98d38430d45542655f87a183a82199da523837797b5bfd71e29c215d358019935e5e9d073dd1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc512b5c-3ff2-4004-897f-6d9e8a03fef6.vbs

Filesize
727B

MD5
9b29604e91a1ba33d2c202bb2d5c5b35

SHA1
57996cc6722a1e1d218575522fc7766067945007

SHA256
560861cc3fc9ad082a69be0bb3448b1a37233af791789625ab7c22c8b678ca58

SHA512
e6b6eb0c720a9e0481f1a7a45bdda2766c2964cf0a610bf27bd3798059de590c7d87d7efc63236fd974a55b5e6b206e7c2d36a0d3ec25dfc70c8c0b9619403b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4359c39-a03b-488b-89f3-81b6b572d80a.vbs

Filesize
728B

MD5
33ec5fd6b7ff8176963dd35f754502a8

SHA1
6239561a861d4c092e6c3e46b66552c4eda6d527

SHA256
53a1d6125e0af312900ea0f57d9b9e008f3fca29fd5f3f565d0c485dd97ad776

SHA512
0fb89eadeb56aba73c596e04f81b1ab41b0f688da18abe38ba4819a45446167c7356085b47c7ff4c6648e754a977d8b22e125e2ee3292a7b37e078582c62fff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb21c60d-0a12-41fe-9ad8-7b3f887ba6da.vbs

Filesize
728B

MD5
3691d528e36f8b42b88b0c0790a7bc9b

SHA1
e1a56d6383a987023605acbb36d031e3c443d8cc

SHA256
9ed9d172dec451027610ea4c09295d0cc2d8f78592a75bcf178a8c7363c7fd96

SHA512
c5487b6ff23fb06bd0c5f829918c5927e9200f8652476245bcacb550f757ba1ceeb17ad62bdf5d034462c2f799839d073ae0291767175b5d15f1e7b54d6cd631

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe59255f-a5e2-4793-9ab6-aed2b346ee96.vbs

Filesize
728B

MD5
7a667f17e5f955d1fee3ae8007c649c6

SHA1
c46900e8d15641abed46c2f0bc006f2fefe3bf0c

SHA256
f66e08c7b1941a923ebeda3b48f23b0d6e02404df208e6c73bea0cb610f56b04

SHA512
d49f7490b6771830e5190c7076dad1cd2a30152fa520fceb3a2ad384f867199c1fcc16c54ebebe8e9d2bb02b4357bd154462af40084b3b8474d9646645a385cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2B6.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/616-80-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/624-349-0x000000001C6F0000-0x000000001C702000-memory.dmp

Filesize
72KB

Download
memory/1284-373-0x000000001B5F0000-0x000000001B602000-memory.dmp

Filesize
72KB

Download
memory/3276-446-0x000000001B910000-0x000000001B922000-memory.dmp

Filesize
72KB

Download
memory/3908-10-0x000000001B820000-0x000000001B82A000-memory.dmp

Filesize
40KB

Download
memory/3908-6-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/3908-0-0x00007FFAA7F43000-0x00007FFAA7F45000-memory.dmp

Filesize
8KB

Download
memory/3908-13-0x000000001BF80000-0x000000001BF8A000-memory.dmp

Filesize
40KB

Download
memory/3908-14-0x000000001BF90000-0x000000001BF9E000-memory.dmp

Filesize
56KB

Download
memory/3908-15-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

Filesize
56KB

Download
memory/3908-12-0x000000001C550000-0x000000001CA78000-memory.dmp

Filesize
5.2MB

Download
memory/3908-11-0x000000001B830000-0x000000001B842000-memory.dmp

Filesize
72KB

Download
memory/3908-18-0x000000001C020000-0x000000001C02C000-memory.dmp

Filesize
48KB

Download
memory/3908-9-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download
memory/3908-8-0x000000001B800000-0x000000001B816000-memory.dmp

Filesize
88KB

Download
memory/3908-16-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/3908-1-0x0000000000580000-0x0000000000A74000-memory.dmp

Filesize
5.0MB

Download
memory/3908-184-0x00007FFAA7F40000-0x00007FFAA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/3908-7-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/3908-144-0x00007FFAA7F43000-0x00007FFAA7F45000-memory.dmp

Filesize
8KB

Download
memory/3908-5-0x000000001BFD0000-0x000000001C020000-memory.dmp

Filesize
320KB

Download
memory/3908-17-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/3908-4-0x0000000002B20000-0x0000000002B3C000-memory.dmp

Filesize
112KB

Download
memory/3908-156-0x00007FFAA7F40000-0x00007FFAA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/3908-2-0x00007FFAA7F40000-0x00007FFAA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/3908-3-0x000000001B850000-0x000000001B97E000-memory.dmp

Filesize
1.2MB

Download
memory/4576-312-0x000000001B7A0000-0x000000001B7B2000-memory.dmp

Filesize
72KB

Download
memory/4672-325-0x000000001BC70000-0x000000001BC82000-memory.dmp

Filesize
72KB

Download
memory/4896-195-0x0000022E77C00000-0x0000022E77C22000-memory.dmp

Filesize
136KB

Download