colibri | 89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Size

4.9MB
MD5

45974b762310d71adf461efb209aba70
SHA1

642d3052b7e6c3da970a6f10b2355f363a4c605e
SHA256

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351
SHA512

323ae3b46331e3e0af898dc8942af1ef3eafa3cd0aebee3c9472ef4905ac32b5703c735033e835716243ea47ccff7cdd209c1a2602c30ab7d58acccb51a61752
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	pid	Process
		1724	schtasks.exe
		4168	schtasks.exe
		4276	schtasks.exe
		4108	schtasks.exe
		5100	schtasks.exe
		3596	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
		4916	schtasks.exe
		3088	schtasks.exe
		632	schtasks.exe
		1120	schtasks.exe
		3996	schtasks.exe
		4364	schtasks.exe
		4452	schtasks.exe
		1836	schtasks.exe
		3588	schtasks.exe
		4164	schtasks.exe
		1836	schtasks.exe
		4756	schtasks.exe
		1588	schtasks.exe
		4176	schtasks.exe
		3812	schtasks.exe
		4460	schtasks.exe
		2804	schtasks.exe
		2816	schtasks.exe
		2508	schtasks.exe
		2676	schtasks.exe
		3192	schtasks.exe
		1908	schtasks.exe
		2140	schtasks.exe
		3772	schtasks.exe
		2136	schtasks.exe
		2080	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\38384e6a620884		89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
		4880	schtasks.exe
		3284	schtasks.exe
		4228	schtasks.exe
		636	schtasks.exe
		4768	schtasks.exe
		1108	schtasks.exe
		452	schtasks.exe
		4888	schtasks.exe
		1852	schtasks.exe
		4160	schtasks.exe
		4264	schtasks.exe
		3360	schtasks.exe
		4700	schtasks.exe
		216	schtasks.exe
		3956	schtasks.exe
		2388	schtasks.exe
		2508	schtasks.exe
		2008	schtasks.exe
		4748	schtasks.exe
		4776	schtasks.exe
		2736	schtasks.exe
		3736	schtasks.exe
		1256	schtasks.exe
		2120	schtasks.exe
		2096	schtasks.exe
		3044	schtasks.exe
		3916	schtasks.exe
		116	schtasks.exe
		4224	schtasks.exe
		2664	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2272	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2272	schtasks.exe	86

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/868-2-0x000000001BF30000-0x000000001C05E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3652	powershell.exe
4100	powershell.exe
4880	powershell.exe
3656	powershell.exe
4380	powershell.exe
2708	powershell.exe
4972	powershell.exe
4208	powershell.exe
3012	powershell.exe
2552	powershell.exe
4484	powershell.exe
4884	powershell.exe
3968	powershell.exe
60	powershell.exe
732	powershell.exe
4576	powershell.exe
3824	powershell.exe
2292	powershell.exe
3240	powershell.exe
4076	powershell.exe
2708	powershell.exe
4120	powershell.exe
1140	powershell.exe
4040	powershell.exe
5076	powershell.exe
3172	powershell.exe
3568	powershell.exe
2984	powershell.exe
396	powershell.exe
740	powershell.exe
4068	powershell.exe
3348	powershell.exe
3636	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 38 IoCs

Processes:

tmp9A9C.tmp.exetmp9A9C.tmp.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exetmpDDBD.tmp.exetmpDDBD.tmp.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exetmpFE9.tmp.exetmpFE9.tmp.exetmpFE9.tmp.exeRuntimeBroker.exetmp4040.tmp.exetmp4040.tmp.exetmp4040.tmp.exetmp4040.tmp.exeRuntimeBroker.exetmp5E28.tmp.exetmp5E28.tmp.exeRuntimeBroker.exetmpA1B9.tmp.exetmpA1B9.tmp.exeRuntimeBroker.exetmpD126.tmp.exetmpD126.tmp.exetmpD126.tmp.exetmpD126.tmp.exeRuntimeBroker.exetmpFFF6.tmp.exetmpFFF6.tmp.exetmpFFF6.tmp.exeRuntimeBroker.exetmp1B1F.tmp.exetmp1B1F.tmp.exetmp1B1F.tmp.exeRuntimeBroker.exetmp3687.tmp.exetmp3687.tmp.exetmp3687.tmp.exeRuntimeBroker.exe

pid	Process
4444	tmp9A9C.tmp.exe
244	tmp9A9C.tmp.exe
4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
228	tmpDDBD.tmp.exe
2332	tmpDDBD.tmp.exe
2456	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
2452	tmpFE9.tmp.exe
4832	tmpFE9.tmp.exe
3776	tmpFE9.tmp.exe
3156	RuntimeBroker.exe
2592	tmp4040.tmp.exe
4452	tmp4040.tmp.exe
2516	tmp4040.tmp.exe
1696	tmp4040.tmp.exe
1656	RuntimeBroker.exe
1852	tmp5E28.tmp.exe
740	tmp5E28.tmp.exe
4284	RuntimeBroker.exe
4120	tmpA1B9.tmp.exe
3060	tmpA1B9.tmp.exe
2552	RuntimeBroker.exe
4112	tmpD126.tmp.exe
4264	tmpD126.tmp.exe
2736	tmpD126.tmp.exe
3308	tmpD126.tmp.exe
1472	RuntimeBroker.exe
1120	tmpFFF6.tmp.exe
3248	tmpFFF6.tmp.exe
3472	tmpFFF6.tmp.exe
4660	RuntimeBroker.exe
632	tmp1B1F.tmp.exe
3776	tmp1B1F.tmp.exe
4108	tmp1B1F.tmp.exe
1976	RuntimeBroker.exe
3356	tmp3687.tmp.exe
2808	tmp3687.tmp.exe
2416	tmp3687.tmp.exe
4048	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

tmp9A9C.tmp.exetmpDDBD.tmp.exetmpFE9.tmp.exetmp4040.tmp.exetmp5E28.tmp.exetmpA1B9.tmp.exetmpD126.tmp.exetmpFFF6.tmp.exetmp1B1F.tmp.exetmp3687.tmp.exe

description	pid	Process	procid_target
PID 4444 set thread context of 244	4444	tmp9A9C.tmp.exe	134
PID 228 set thread context of 2332	228	tmpDDBD.tmp.exe	198
PID 4832 set thread context of 3776	4832	tmpFE9.tmp.exe	286
PID 2516 set thread context of 1696	2516	tmp4040.tmp.exe	320
PID 1852 set thread context of 740	1852	tmp5E28.tmp.exe	329
PID 4120 set thread context of 3060	4120	tmpA1B9.tmp.exe	338
PID 2736 set thread context of 3308	2736	tmpD126.tmp.exe	349
PID 3248 set thread context of 3472	3248	tmpFFF6.tmp.exe	360
PID 3776 set thread context of 4108	3776	tmp1B1F.tmp.exe	369
PID 2808 set thread context of 2416	2808	tmp3687.tmp.exe	379

Drops file in Program Files directory 64 IoCs

Processes:

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9F33.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\explorer.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\121e5b5079f7c0	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Media Player\es-ES\69ddcba757bf72	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Java\66fc9ff0ee96c2	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7d5d2dabcf4826	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCX9CFF.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXAC97.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\wininit.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\9e8d7a4ca61bd9	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\spoolsv.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXA86E.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Registry.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows NT\backgroundTaskHost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\smss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Adobe\e6c9b481da804f	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Mail\f3b6ecef712a24	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\VideoLAN\VLC\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\VideoLAN\VLC\886983d96e3d3e	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\38384e6a620884	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9AEB.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\SearchApp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\24dbde2999530e	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Windows NT\backgroundTaskHost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\explorer.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Mail\38384e6a620884	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\9e8d7a4ca61bd9	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SearchApp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Mail\spoolsv.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Adobe\OfficeClickToRun.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Adobe\OfficeClickToRun.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\7a0fd90576e088	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Mail\SearchApp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Media Player\es-ES\smss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\7.0.16\RCXA64A.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Java\sihost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Registry.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\SearchApp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX98C6.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows Multimedia Platform\wininit.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files\Java\sihost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\ee2ad38f3d4382	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Program Files\Windows NT\eddb19405b7ce1	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

Drops file in Windows directory 43 IoCs

Processes:

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\lsass.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\winlogon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\Containers\serviced\taskhostw.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\DiagTrack\StartMenuExperienceHost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\29c1c3cc0f7685	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\lsass.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\security\EDP\Idle.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\DiagTrack\RCXB5C2.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\DigitalLocker\en-US\fontdrvhost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\DiagTrack\StartMenuExperienceHost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\uk-UA\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\DiagTrack\55b276f4edf653	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\INF\TAPISRV\0411\dllhost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\Idle.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\winlogon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Containers\serviced\taskhostw.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\CSC\SearchApp.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\GameBarPresenceWriter\Idle.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\security\EDP\Idle.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\cc11b995f2a76d	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\DigitalLocker\en-US\5b884080fd4f94	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\sysmon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\uk-UA\csrss.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\RCXB11D.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\fontdrvhost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\lsass.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\addins\RCXB7D7.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\addins\5940a34987c991	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\uk-UA\RCXA1B4.tmp	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\L2Schemas\lsass.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Web\4K\Wallpaper\121e5b5079f7c0	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\uk-UA\886983d96e3d3e	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\6203df4a6bafc7	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\GameBarPresenceWriter\6ccacd8608530f	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\security\EDP\6ccacd8608530f	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Web\4K\Wallpaper\sysmon.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\Containers\serviced\ea9f0e6c9e2dcd	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File created	C:\Windows\addins\dllhost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
File opened for modification	C:\Windows\addins\dllhost.exe	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpD126.tmp.exetmp1B1F.tmp.exetmp1B1F.tmp.exetmp3687.tmp.exetmp4040.tmp.exetmp5E28.tmp.exetmp9A9C.tmp.exetmp3687.tmp.exetmpA1B9.tmp.exetmpD126.tmp.exetmpFFF6.tmp.exetmpFE9.tmp.exetmp4040.tmp.exetmp4040.tmp.exetmpD126.tmp.exetmpFFF6.tmp.exetmpDDBD.tmp.exetmpFE9.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD126.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1B1F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1B1F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3687.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4040.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E28.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A9C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3687.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1B9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD126.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFFF6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFE9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4040.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4040.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD126.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFFF6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDDBD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFE9.tmp.exe

Modifies registry class 11 IoCs

Processes:

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
4348	schtasks.exe
4764	schtasks.exe
2388	schtasks.exe
3192	schtasks.exe
4976	schtasks.exe
1120	schtasks.exe
3384	schtasks.exe
3812	schtasks.exe
1556	schtasks.exe
3992	schtasks.exe
3360	schtasks.exe
5000	schtasks.exe
5104	schtasks.exe
2008	schtasks.exe
1112	schtasks.exe
3044	schtasks.exe
4164	schtasks.exe
4160	schtasks.exe
4000	schtasks.exe
2676	schtasks.exe
2804	schtasks.exe
716	schtasks.exe
3356	schtasks.exe
3172	schtasks.exe
2212	schtasks.exe
1908	schtasks.exe
636	schtasks.exe
3916	schtasks.exe
2564	schtasks.exe
3972	schtasks.exe
3952	schtasks.exe
4756	schtasks.exe
4636	schtasks.exe
2096	schtasks.exe
1588	schtasks.exe
1756	schtasks.exe
4752	schtasks.exe
3088	schtasks.exe
4888	schtasks.exe
632	schtasks.exe
3740	schtasks.exe
4916	schtasks.exe
4264	schtasks.exe
1256	schtasks.exe
4460	schtasks.exe
2508	schtasks.exe
2736	schtasks.exe
2060	schtasks.exe
3996	schtasks.exe
2524	schtasks.exe
4768	schtasks.exe
3284	schtasks.exe
3888	schtasks.exe
4880	schtasks.exe
2508	schtasks.exe
4776	schtasks.exe
4576	schtasks.exe
3736	schtasks.exe
4364	schtasks.exe
4668	schtasks.exe
2120	schtasks.exe
976	schtasks.exe
3772	schtasks.exe
5100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	Process
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
4484	powershell.exe
4484	powershell.exe
5076	powershell.exe
5076	powershell.exe
3824	powershell.exe
3824	powershell.exe
4880	powershell.exe
4880	powershell.exe
3636	powershell.exe
3636	powershell.exe
4576	powershell.exe
4576	powershell.exe
4076	powershell.exe
4076	powershell.exe
2984	powershell.exe
2984	powershell.exe
3568	powershell.exe
3568	powershell.exe
5076	powershell.exe
4884	powershell.exe
4884	powershell.exe
732	powershell.exe
732	powershell.exe
4484	powershell.exe
3824	powershell.exe
3568	powershell.exe
4880	powershell.exe
4576	powershell.exe
3636	powershell.exe
4884	powershell.exe
4076	powershell.exe
2984	powershell.exe
732	powershell.exe
4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	Process
Token: SeDebugPrivilege	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2456	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	3156	RuntimeBroker.exe
Token: SeDebugPrivilege	1656	RuntimeBroker.exe
Token: SeDebugPrivilege	4284	RuntimeBroker.exe
Token: SeDebugPrivilege	2552	RuntimeBroker.exe
Token: SeDebugPrivilege	1472	RuntimeBroker.exe
Token: SeDebugPrivilege	4660	RuntimeBroker.exe
Token: SeDebugPrivilege	1976	RuntimeBroker.exe
Token: SeDebugPrivilege	4048	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exetmp9A9C.tmp.execmd.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exetmpDDBD.tmp.exe

description	pid	Process	procid_target
PID 868 wrote to memory of 4444	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	132
PID 868 wrote to memory of 4444	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	132
PID 868 wrote to memory of 4444	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	132
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 4444 wrote to memory of 244	4444	tmp9A9C.tmp.exe	134
PID 868 wrote to memory of 732	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	136
PID 868 wrote to memory of 732	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	136
PID 868 wrote to memory of 4484	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	137
PID 868 wrote to memory of 4484	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	137
PID 868 wrote to memory of 4076	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	138
PID 868 wrote to memory of 4076	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	138
PID 868 wrote to memory of 4880	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	139
PID 868 wrote to memory of 4880	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	139
PID 868 wrote to memory of 4576	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	140
PID 868 wrote to memory of 4576	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	140
PID 868 wrote to memory of 3636	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	141
PID 868 wrote to memory of 3636	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	141
PID 868 wrote to memory of 5076	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	142
PID 868 wrote to memory of 5076	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	142
PID 868 wrote to memory of 2984	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	143
PID 868 wrote to memory of 2984	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	143
PID 868 wrote to memory of 3824	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	144
PID 868 wrote to memory of 3824	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	144
PID 868 wrote to memory of 3568	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	145
PID 868 wrote to memory of 3568	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	145
PID 868 wrote to memory of 4884	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	146
PID 868 wrote to memory of 4884	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	146
PID 868 wrote to memory of 1120	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	157
PID 868 wrote to memory of 1120	868	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	157
PID 1120 wrote to memory of 3772	1120	cmd.exe	160
PID 1120 wrote to memory of 3772	1120	cmd.exe	160
PID 1120 wrote to memory of 4612	1120	cmd.exe	162
PID 1120 wrote to memory of 4612	1120	cmd.exe	162
PID 4612 wrote to memory of 228	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	196
PID 4612 wrote to memory of 228	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	196
PID 4612 wrote to memory of 228	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	196
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 228 wrote to memory of 2332	228	tmpDDBD.tmp.exe	198
PID 4612 wrote to memory of 2708	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	200
PID 4612 wrote to memory of 2708	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	200
PID 4612 wrote to memory of 2552	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	201
PID 4612 wrote to memory of 2552	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	201
PID 4612 wrote to memory of 4100	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	202
PID 4612 wrote to memory of 4100	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	202
PID 4612 wrote to memory of 3656	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	203
PID 4612 wrote to memory of 3656	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	203
PID 4612 wrote to memory of 4120	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	204
PID 4612 wrote to memory of 4120	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	204
PID 4612 wrote to memory of 396	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	205
PID 4612 wrote to memory of 396	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	205
PID 4612 wrote to memory of 3968	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	206
PID 4612 wrote to memory of 3968	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	206
PID 4612 wrote to memory of 4380	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	207
PID 4612 wrote to memory of 4380	4612	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe	207

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exeRuntimeBroker.exeRuntimeBroker.exe89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
"C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:868
- C:\Users\Admin\AppData\Local\Temp\tmp9A9C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A9C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\tmp9A9C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9A9C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I8FbskAvyB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
    "C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\tmpDDBD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpDDBD.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\tmpDDBD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDDBD.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat"
      4⤵
      PID:4220
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
      - C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ed4b7ae-2940-4e0d-bf76-c26132c90d9a.vbs"
        7⤵
        
        PID:3324
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc2b21b-c29f-4803-9cc8-d75f2a14718c.vbs"
        9⤵
        
        PID:4212
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529d3217-0722-4e75-994a-a9fae005ffc6.vbs"
        11⤵
        
        PID:228
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65af2036-7676-4609-93b2-b26fc5eea7af.vbs"
        13⤵
        
        PID:3276
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdaf7f29-07b7-4e81-9788-44f3e7111df1.vbs"
        15⤵
        
        PID:4336
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19d3eed-0afc-478b-b106-a72da5837886.vbs"
        17⤵
        
        PID:2304
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a26021-94f1-4f18-88bf-f742dc4e08c5.vbs"
        19⤵
        
        PID:1044
        
        C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c890274-7d7e-4084-a467-c2b95c49b952.vbs"
        21⤵
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccae1899-25cc-447c-a3d7-6d50c7d49a81.vbs"
        21⤵
        
        PID:4676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2c8e6e-1389-41e7-a152-345a58849227.vbs"
        19⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adaf896-10c0-47b3-87a6-a45c363eb4fa.vbs"
        17⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd0804a1-aa04-4db3-a84b-26e12862190c.vbs"
        15⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFFF6.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51b61832-c71a-4570-91f6-54ab3b634419.vbs"
        13⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD126.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5c633e-b5d0-440f-8fa4-50a1daca84bf.vbs"
        11⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmpA1B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA1B9.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmpA1B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA1B9.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514b3dba-6fe5-4a97-ad0f-f78481d3b322.vbs"
        9⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E28.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E28.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E28.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E28.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d620f8-9b25-4380-8287-9eaa98b983e4.vbs"
        7⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4040.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N8" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N8" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\DiagTrack\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\security\EDP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\EDP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\security\EDP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- DcRat
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- DcRat
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\sihost.exe'" /f
1⤵
- DcRat
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Network Sharing\explorer.exe'" /f
1⤵
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\Registry.exe'" /f
1⤵
- DcRat
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Registry.exe'" /f
1⤵
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Registry.exe'" /rl HIGHEST /f
1⤵
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N8" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N8" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\4K\Wallpaper\sysmon.exe'" /f
1⤵
- DcRat
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\4K\Wallpaper\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /f
1⤵
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f
1⤵
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /f
1⤵
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\69ddcba757bf72

Filesize
646B

MD5
716f60e8a6032888e800faa9068acb4c

SHA1
ec60d422fc7129614ffef2f8d52d720412d74d25

SHA256
1f6b9139e6ec13933f63d9a7ce4a5bb16567a714416951512b63f1fa795edf0f

SHA512
56e7f4c2261a0bbdb261a60c9d3bd5a663235405c7189986a29cdbed83d9c79e102b4e1a76cac193f7f106bf2f491549d73d23b562e05e106f6f027829ff5bff

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
4.9MB

MD5
857527e6033ad39df743408ffae626f4

SHA1
649985b0eadfd91399849a3e729f8324b94326fb

SHA256
6095961216a37c2c62ba0aba10d74158aba5cef6390f13855ff57b83bfa0b153

SHA512
209a0b5733ddcb1995ad7d0ed6af99945ea42ac1ecb8200db1a3ebe953dd3c981ae7bcf254aab2f182477eba4c9975cf292c0ee1a57b38df6e58daca1834ba31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5b210bb5af7ad5735e5adc3261a05a5d

SHA1
c70bf5f62575bdaf30a1e9ae0c19660afa8a6798

SHA256
be4d62011180fb0a51d2ef5dcbc2962d4c0513d25ee43ce3ca2dd7aef9920c86

SHA512
0a5e45fe8f755b1df400513f14bf92f9362d096b6ea29be5975780fa2a55fcba39aa92fd09ee26a8d7ef032bcdc34c8695eca90db4300b6e922be6df637f827a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7eddad621ef66e1f62158c7d7b04237f

SHA1
6b3028f9a95d7130a801fd233f7c772f2b4a19a0

SHA256
ad4865f26c6094ee4541d0579639906580c6867a4bf6dd95967366bd9c30dafe

SHA512
e89fea6c80da347d9329a423948b6df62332d33ae73aa0077d49ab26d14385e3d4b5c2a1aba60597234ecc8930fb2ecc96adb3212c5cd18b2221d8d2e5d55de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ea91e7d1b473f8290ae52d13e105194

SHA1
5e565d99a7733250427e70f5f6e1951a081deed6

SHA256
712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a

SHA512
0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4ae2dfb2891c1435b64093282a68b1f

SHA1
9d9bd37be1ad288541f79fb040194a1cafc052ba

SHA256
e73a442682f27e3f57130da394d30e555db1a222703c364b8f252717c15d877d

SHA512
730c3a063087d7662ec120facc42eaab7f020287739d5231bf4a0c5f1e0c3eeb5dd814a7d58556f68977812e750657870bd09608ec2324c8c9d345cf47b82929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e232627459d4d39d4f62ef240bbce08b

SHA1
502ed4a74502271cdde819daa632a894a24546bb

SHA256
dbd81702bec29aceb441d72cd3842769b02b35b689e313622af57df4e4c12708

SHA512
cc4dae212bd7f7823f417d8f119d9c42320d843d42123c3d8dbcf9a8db1ca38244be34568408f44744d30ca678feb4db3e788b6c346c67f1bea0710abbdd8bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8320aeea03d40a74715d8b9613f9d0cc

SHA1
09fcf3cf06de496b434aaf3181f5aed78731425e

SHA256
54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

SHA512
7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\29d620f8-9b25-4380-8287-9eaa98b983e4.vbs

Filesize
510B

MD5
cddcbf8c51c02058140853a090dbf092

SHA1
870bdded20767f14d43eeb1a5a9a25a5a87dd43f

SHA256
42e99db1bb32231b1475008ccec3b950830b2f02a73d80af939d8ecc4a114d59

SHA512
6cebe6d4da706c0c3208200f2c2ada930b926a37cc4b1a3b2b6e38aaf2b65d179700189f2789c3004cc60737272bf9303db84e43007495d7faa7704f19334815

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ed4b7ae-2940-4e0d-bf76-c26132c90d9a.vbs

Filesize
734B

MD5
3f2e9443d6557c10d274730e60b90ea3

SHA1
3ca516412c3f9b639c73de6d3968601b26615f72

SHA256
1d8381548f1d6191d13e24b1bdf44d6145f193b91d30d70250c26a1d353374d9

SHA512
38e3fd9121919fbad2f23f38d21d60ef039f4603be21051a44647bb0a3061b35b171531db603dcadb5bd3f1aa6d74f3255a0c6a2da9ad52e950c3606ee043847

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bc2b21b-c29f-4803-9cc8-d75f2a14718c.vbs

Filesize
734B

MD5
60ed90bb46d41f66a960de0673f7c5b3

SHA1
c3004ea1a3e2c5cc5a330d51738ed8256ff48c25

SHA256
a7b9b5263cbe8b359c002f515ad22da50e89e9af6afb16830c139336b139d4c4

SHA512
17f3ce0f87c4b5a04d5d862bd6ad8757f693be22f4495592903e9c85e66c24d0aa92fe52f39b7675f8966c1b79f5f7b3b1264ef2c5c5b8c57ece8613a3cfd268

Download Submit
C:\Users\Admin\AppData\Local\Temp\I8FbskAvyB.bat

Filesize
268B

MD5
8468b68e559949e96b0a858ced5de79d

SHA1
abf076865155fa1a74d628ec45ac924201ec1b31

SHA256
aa37f40b7cacdba86a8af7c3839e480ecbb58f210db4c4a9c7ae0f13d98641f4

SHA512
82a64b8c3951daa0a2a8cb369cb6abbbac32e8daa24589d8ce0f4720cee7d136bc09243f26d66e6f97fae1ad4f1a65cb36cfed910fea1c11d83b771af861f841

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmfa1gyu.zfm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A9C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat

Filesize
268B

MD5
6136d0c52521d69220106e61fd847a1b

SHA1
10d96eb3200efb0da0ff2a6c9aa53c86a1d408d7

SHA256
2aa6afe9036236ee814d08ab083c8cf0e0b446a63fd3e3f88de2344cf5cfffcc

SHA512
73d969be6b22bb0330039d760c109292c43e6377ae4429aec240bcf23898c2cb37c9786ee3ed5039697a9878d38a62c77fafe46e1bdb11dae19534bc9146e991

Download Submit
C:\Windows\uk-UA\csrss.exe

Filesize
4.9MB

MD5
45974b762310d71adf461efb209aba70

SHA1
642d3052b7e6c3da970a6f10b2355f363a4c605e

SHA256
89531130e4053529f10085cfd35f7a776adab6696f0b8b4797afa2a53f6ed351

SHA512
323ae3b46331e3e0af898dc8942af1ef3eafa3cd0aebee3c9472ef4905ac32b5703c735033e835716243ea47ccff7cdd209c1a2602c30ab7d58acccb51a61752

Download Submit
memory/244-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/732-291-0x0000021556320000-0x000002155648A000-memory.dmp

Filesize
1.4MB

Download
memory/868-16-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

Filesize
32KB

Download
memory/868-8-0x000000001BE90000-0x000000001BEA6000-memory.dmp

Filesize
88KB

Download
memory/868-0-0x00007FFEB0583000-0x00007FFEB0585000-memory.dmp

Filesize
8KB

Download
memory/868-2-0x000000001BF30000-0x000000001C05E000-memory.dmp

Filesize
1.2MB

Download
memory/868-3-0x00007FFEB0580000-0x00007FFEB1041000-memory.dmp

Filesize
10.8MB

Download
memory/868-4-0x0000000003370000-0x000000000338C000-memory.dmp

Filesize
112KB

Download
memory/868-171-0x00007FFEB0580000-0x00007FFEB1041000-memory.dmp

Filesize
10.8MB

Download
memory/868-158-0x00007FFEB0580000-0x00007FFEB1041000-memory.dmp

Filesize
10.8MB

Download
memory/868-143-0x00007FFEB0583000-0x00007FFEB0585000-memory.dmp

Filesize
8KB

Download
memory/868-5-0x000000001BED0000-0x000000001BF20000-memory.dmp

Filesize
320KB

Download
memory/868-6-0x0000000003390000-0x0000000003398000-memory.dmp

Filesize
32KB

Download
memory/868-7-0x000000001BE80000-0x000000001BE90000-memory.dmp

Filesize
64KB

Download
memory/868-9-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/868-10-0x000000001BEC0000-0x000000001BECA000-memory.dmp

Filesize
40KB

Download
memory/868-11-0x000000001C660000-0x000000001C672000-memory.dmp

Filesize
72KB

Download
memory/868-17-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

Filesize
32KB

Download
memory/868-12-0x000000001CBA0000-0x000000001D0C8000-memory.dmp

Filesize
5.2MB

Download
memory/868-18-0x000000001C7C0000-0x000000001C7CC000-memory.dmp

Filesize
48KB

Download
memory/868-1-0x0000000000C20000-0x0000000001114000-memory.dmp

Filesize
5.0MB

Download
memory/868-15-0x000000001C690000-0x000000001C69E000-memory.dmp

Filesize
56KB

Download
memory/868-14-0x000000001C680000-0x000000001C68E000-memory.dmp

Filesize
56KB

Download
memory/868-13-0x000000001C670000-0x000000001C67A000-memory.dmp

Filesize
40KB

Download
memory/2984-296-0x000001DF76E00000-0x000001DF76F6A000-memory.dmp

Filesize
1.4MB

Download
memory/3568-306-0x00000237E2D60000-0x00000237E2ECA000-memory.dmp

Filesize
1.4MB

Download
memory/3636-305-0x000002DBA98E0000-0x000002DBA9A4A000-memory.dmp

Filesize
1.4MB

Download
memory/3824-285-0x0000014021CF0000-0x0000014021E5A000-memory.dmp

Filesize
1.4MB

Download
memory/4076-301-0x0000019C71200000-0x0000019C7136A000-memory.dmp

Filesize
1.4MB

Download
memory/4484-177-0x00000232F23D0000-0x00000232F23F2000-memory.dmp

Filesize
136KB

Download
memory/4484-279-0x00000232F2510000-0x00000232F267A000-memory.dmp

Filesize
1.4MB

Download
memory/4576-288-0x000002774C9B0000-0x000002774CB1A000-memory.dmp

Filesize
1.4MB

Download
memory/4612-309-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download
memory/4880-282-0x0000025632B30000-0x0000025632C9A000-memory.dmp

Filesize
1.4MB

Download
memory/4884-304-0x0000018861550000-0x00000188616BA000-memory.dmp

Filesize
1.4MB

Download
memory/5076-278-0x00000255B7AE0000-0x00000255B7C4A000-memory.dmp

Filesize
1.4MB

Download