Analysis
max time kernel: 119s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2024 22:11
Static task: static1
Behavioral task: behavioral1
Sample: 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Resource: win7-20240903-en
General
Target: 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Size: 4.9MB
MD5: 4331bb6448c6da37580f2ac382b45750
SHA1: 4516ce7712311a62a03c332aec5d0dec7513efc3
SHA256: 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14de
SHA512: 9ee79af2228dacf6294a06a069f3ef4addd897bfcd930d7c78a51062dec60ef611edcb3332f3d8181188b029dbc2635e1e35a8a2f6b8c88cb348f967da8a1b9a
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host, which creates processes on behalf of WMI callers (for example through Win32_Process.Create); a run of schtasks.exe children under it is therefore better read as WMI-driven task creation by the malware than as an exploited wmiprvse.exe.
description | pid | pid_target | Process | procid_target
description (all 57 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 57 rows): 3872 | Process (all 57 rows): schtasks.exe | procid_target (all 57 rows): 86
pid: 3448, 2192, 3064, 2208, 1476, 2436, 3164, 2612, 3940, 4328, 2972, 3420, 4280, 4760, 3708, 2840, 2096, 4680, 3416, 948, 3568, 3152, 2212, 5008, 4008, 2656, 3516, 644, 4676, 3820, 2476, 4660, 372, 208, 3256, 1456, 2392, 4384, 3252, 3984, 388, 2152, 700, 3020, 2628, 4168, 2124, 2052, 2000, 4472, 4960, 2692, 3496, 4964, 2372, 4508, 4340
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
(30 rows in total)
resource | yara_rule
behavioral2/memory/2592-3-0x000000001BE80000-0x000000001BFAE000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process (all rows powershell.exe): 3160, 2932, 3928, 3644, 1892, 3040, 700, 4124, 2600, 2548, 1044
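The report only lists the PowerShell pids, not the command lines. The following is an added example, not part of the report or of any vendor rule set: it flags command lines that add Defender exclusions through Add-MpPreference or Set-MpPreference, and it also unwraps -EncodedCommand (base64 over UTF-16LE), because that is how such calls are usually hidden. The three command lines are constructed for the example; the cmdlet and parameter names are the documented Defender ones.

```python
"""Find PowerShell command lines that add Microsoft Defender exclusions, including ones hidden
behind -EncodedCommand. Added example with constructed command lines; it is not the report's
own detection logic."""
import base64
import re

# Add-MpPreference appends to the exclusion lists, Set-MpPreference replaces them; either way
# the three -Exclusion* parameters are the ones the signature above describes.
CMDLET_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
PARAM_RE = re.compile(r"-exclusion(path|extension|process)\b\s*[:\s]\s*([^\s;|]+)", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries the script as base64 over UTF-16LE; return it, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusions(cmdline):
    """[(kind, value), ...] for every exclusion the command line adds; [] when it adds none.
    Values are taken up to the next whitespace, so a quoted path containing spaces needs a
    real PowerShell tokenizer; this is enough for the shapes malware usually emits."""
    script = decode_encoded_command(cmdline) or cmdline
    if not CMDLET_RE.search(script):
        return []
    found = []
    for kind, raw in PARAM_RE.findall(script):
        for value in raw.split(","):          # -ExclusionPath 'a','b' array form
            value = value.strip().strip("'\"")
            if value:
                found.append((kind.lower(), value))
    return found


# Constructed command lines. The first spells out the three exclusion kinds the signature
# names; the second hides a Set-MpPreference call behind -enc; the third is benign.
ENCODED_SCRIPT = r"Set-MpPreference -ExclusionPath C:\Windows\Tasks,C:\Windows\CbsTemp"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
    "-ExclusionExtension exe -ExclusionProcess wininit.exe\"",
    "powershell.exe -enc " + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -Command Get-MpPreference",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(defender_exclusions(line) or "clean", "<-", line[:60])
```

On a live host the same check is cheaper after the fact: the exclusion lists that Get-MpPreference returns (ExclusionPath, ExclusionExtension, ExclusionProcess) should be empty or match a known baseline, and any entry pointing at a directory this sample writes to (C:\Windows\Tasks, C:\Windows\CbsTemp, the Program Files subfolders below) is a finding on its own.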
Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
Executes dropped EXE 64 IoCs
pid | Process
4420 | tmp8D2F.tmp.exe
3524 | tmp8D2F.tmp.exe
3524 | wininit.exe
2124 | tmpDA33.tmp.exe
2444 | tmpDA33.tmp.exe
2840 | wininit.exe
2760 | tmp1D86.tmp.exe
2836 | tmp1D86.tmp.exe
3460 | wininit.exe
5048 | tmp38FD.tmp.exe
4164 | tmp38FD.tmp.exe
3712 | tmp38FD.tmp.exe
4892 | wininit.exe
944 | tmp6898.tmp.exe
3128 | tmp6898.tmp.exe
2096 | wininit.exe
4856 | tmp9834.tmp.exe
868 | tmp9834.tmp.exe
2068 | wininit.exe
4496 | tmpB532.tmp.exe
4888 | tmpB532.tmp.exe
220 | wininit.exe
3456 | tmpE450.tmp.exe
2952 | tmpE450.tmp.exe
4432 | wininit.exe
2660 | tmp28AC.tmp.exe
2772 | tmp28AC.tmp.exe
2936 | wininit.exe
tmp4404.tmp.exe (36 rows), pids: 340, 4836, 4168, 3808, 1004, 2368, 2068, 4376, 1124, 3356, 2916, 2632, 3416, 3928, 4928, 4620, 4700, 4652, 2620, 4640, 3560, 3284, 1708, 1628, 2656, 4964, 2328, 5000, 4568, 2100, 1888, 3852, 116, 528, 3480, 3448
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
(20 rows in total)
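The two registry tables above (the EnableLUA/ConsentPromptBehaviorAdmin/PromptOnSecureDesktop writes and the EnableLUA query/write pairs) are flattened rows in the report's own "Set value (int) <key> = "<data>" <process>" and "Key value queried <key> <process>" shapes. The following is an added example, not part of the report: it parses rows in that format into records, counts which process weakened which UAC value, and computes the last-write-wins state the host is left with. The six input rows are a constructed excerpt that reuses key names and process names from the report; the meaning of each policy value is standard Windows UAC behaviour.

```python
"""Parse the registry rows of this report into records and evaluate what they do to UAC.
Added example; the six lines below are a constructed excerpt in the report's own row format."""
import re
from collections import Counter, defaultdict

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Writing 0 to each of these weakens UAC: EnableLUA=0 switches UAC off (effective after the
# next reboot), ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt,
# PromptOnSecureDesktop=0 moves prompts off the secure desktop where they can be spoofed.
UAC_WEAK_WHEN_ZERO = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

SET_RE = re.compile(r'^Set value \(int\) (?P<key>\\REGISTRY\\.+?)\\(?P<value>\w+) = "(?P<data>-?\d+)" (?P<proc>\S+)$')
QUERY_RE = re.compile(r'^Key value queried (?P<key>\\REGISTRY\\.+?)\\(?P<value>\w+) (?P<proc>\S+)$')


def parse_registry_iocs(lines):
    """One dict per recognised row: op, key, value name, integer data (None for reads), process."""
    events = []
    for line in lines:
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "value": m["value"],
                           "data": int(m["data"]), "proc": m["proc"]})
            continue
        m = QUERY_RE.match(line)
        if m:
            events.append({"op": "query", "key": m["key"], "value": m["value"],
                           "data": None, "proc": m["proc"]})
    return events


def uac_tampering(events):
    """{process: {value name: write count}} for writes that weaken UAC."""
    hits = defaultdict(Counter)
    for e in events:
        if (e["op"] == "set" and e["key"].lower() == UAC_POLICY_KEY.lower()
                and e["value"] in UAC_WEAK_WHEN_ZERO and e["data"] == 0):
            hits[e["proc"]][e["value"]] += 1
    return {proc: dict(counts) for proc, counts in hits.items()}


def resulting_uac_state(events):
    """Last-write-wins view of the policy values, i.e. what the host is left with."""
    state = {}
    for e in events:
        if e["op"] == "set" and e["key"].lower() == UAC_POLICY_KEY.lower():
            state[e["value"]] = e["data"]
    return state


# Constructed excerpt in the report's row format (names and keys taken from the report).
SAMPLE_EXE = "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"
SAMPLE_LINES = [
    f"Key value queried {UAC_POLICY_KEY}\\EnableLUA wininit.exe",
    f'Set value (int) {UAC_POLICY_KEY}\\EnableLUA = "0" wininit.exe',
    f'Set value (int) {UAC_POLICY_KEY}\\ConsentPromptBehaviorAdmin = "0" wininit.exe',
    f'Set value (int) {UAC_POLICY_KEY}\\PromptOnSecureDesktop = "0" {SAMPLE_EXE}',
    f'Set value (int) {UAC_POLICY_KEY}\\EnableLUA = "0" {SAMPLE_EXE}',
    f"Key value queried {GEO_KEY} wininit.exe",   # a read of a different key: parsed, then ignored
]

if __name__ == "__main__":
    events = parse_registry_iocs(SAMPLE_LINES)
    print(uac_tampering(events))
    print(resulting_uac_state(events))
```

The query-then-write pairs in the second table are what a "check then disable" routine looks like from the registry side; the read of EnableLUA on its own is harmless, the write of 0 is the finding. Note also that EnableLUA=0 does not take effect until the next reboot, so the consent-prompt values, which apply immediately, are the ones that change behaviour during the sandbox run.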
Suspicious use of SetThreadContext 9 IoCs
In every row the target pid runs the same tmpXXXX.tmp.exe image as the source (compare the dropped-EXE list above): each dropper rewrites the thread context of a second copy of itself, the shape of RunPE-style process hollowing.
description | pid | Process | procid_target
PID 4420 set thread context of 3524 | 4420 | tmp8D2F.tmp.exe | 146
PID 2124 set thread context of 2444 | 2124 | tmpDA33.tmp.exe | 181
PID 2760 set thread context of 2836 | 2760 | tmp1D86.tmp.exe | 193
PID 4164 set thread context of 3712 | 4164 | tmp38FD.tmp.exe | 203
PID 944 set thread context of 3128 | 944 | tmp6898.tmp.exe | 213
PID 4856 set thread context of 868 | 4856 | tmp9834.tmp.exe | 223
PID 4496 set thread context of 4888 | 4496 | tmpB532.tmp.exe | 233
PID 3456 set thread context of 2952 | 3456 | tmpE450.tmp.exe | 243
PID 2660 set thread context of 2772 | 2660 | tmp28AC.tmp.exe | 254
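Two of the signatures in this report are process-tree shapes: "Process spawned unexpected child process" (wmiprvse.exe spawning 57 schtasks.exe) and "Suspicious use of SetThreadContext" (a tmpXXXX.tmp.exe setting the context of a second process with the same image). The following is an added example, not part of the report or of any vendor rule set, that detects both over Sysmon-style process-creation records plus a list of SetThreadContext (source, target) pairs. The parent/child policy and the burst threshold are illustrative assumptions; the trace is constructed and only echoes pids and image names from the report.

```python
"""Process-tree checks for the two signatures above: a parent that should not be spawning
a given child (and a burst of such children), and a parent that sets the thread context of
its own same-image child. Added example; events below are constructed, not the report's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: int
    start: float  # seconds since trace start


# Parent -> children it has no business launching. The wmiprvse.exe row mirrors the
# report; the rest is an illustrative policy, not a vendor rule set.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe"},
    "wininit.exe": {"schtasks.exe", "powershell.exe"},
}


def unexpected_children(procs):
    """(parent image, parent pid, child image, child pid) for every policy violation."""
    by_pid = {p.pid: p for p in procs}  # real traces need (pid, start) keys: pids are reused
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        banned = UNEXPECTED_CHILDREN.get(parent.image.lower(), set())
        if p.image.lower() in banned:
            hits.append((parent.image, parent.pid, p.image, p.pid))
    return hits


def child_bursts(procs, threshold=10, window=5.0):
    """(parent pid, peak count) for parents that spawn >= threshold children inside `window` seconds.
    The report shows 57 schtasks.exe children of one wmiprvse.exe in a two-minute run; a
    sliding window over start times catches that shape without naming the child image."""
    starts = defaultdict(list)
    for p in procs:
        starts[p.ppid].append(p.start)
    bursts = []
    for ppid, times in starts.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            bursts.append((ppid, peak))
    return bursts


def self_hollowing(procs, ctx_events):
    """ctx_events are (source pid, target pid) pairs from SetThreadContext monitoring.
    A source that targets its own child running the same image is the classic
    RunPE / process-hollowing shape seen in the tmpXXXX.tmp.exe rows above."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for src, dst in ctx_events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and d.image.lower() == s.image.lower():
            hits.append((s.image, src, dst))
    return hits


# Constructed trace: pids and images echo the report, parent links and timings are invented.
EVENTS = [
    Proc(1000, "svchost.exe", 4, 0.0),
    Proc(3872, "wmiprvse.exe", 1000, 1.0),
    Proc(5555, "explorer.exe", 900, 0.5),
    Proc(2592, "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe", 5555, 2.0),
    Proc(4420, "tmp8D2F.tmp.exe", 2592, 3.0),
    Proc(3524, "tmp8D2F.tmp.exe", 4420, 3.1),  # assumed: the hollowed child, same image as its parent
    Proc(6000, "notepad.exe", 5555, 4.0),      # benign control: explorer launching a user app
] + [Proc(3000 + i, "schtasks.exe", 3872, 10.0 + i * 0.04) for i in range(12)]

CTX_EVENTS = [(4420, 3524), (5555, 6000)]  # second pair is a control: images differ

if __name__ == "__main__":
    print(unexpected_children(EVENTS))
    print(child_bursts(EVENTS))
    print(self_hollowing(EVENTS, CTX_EVENTS))
```

The burst check is deliberately image-agnostic: once the parent/child allowlist is tuned out by renaming the child, 50-odd processes from one wmiprvse.exe in a few seconds is still not something WMI does on a healthy host.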
Drops file in Program Files directory 32 IoCs
description | ioc | Process (every row: 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe)
File opened for modification | C:\Program Files (x86)\Windows NT\dllhost.exe
File opened for modification | C:\Program Files (x86)\Windows NT\RCXAA79.tmp
File created | C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
File created | C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1
File created | C:\Program Files\MSBuild\eddb19405b7ce1
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RCXA1E9.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\MSBuild\sihost.exe
File created | C:\Program Files (x86)\Windows NT\dllhost.exe
File created | C:\Program Files\MSBuild\backgroundTaskHost.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
File created | C:\Program Files\Windows NT\TableTextService\29c1c3cc0f7685
File opened for modification | C:\Program Files (x86)\MSBuild\RCX8A7E.tmp
File opened for modification | C:\Program Files (x86)\Google\Temp\RCX9FE5.tmp
File opened for modification | C:\Program Files\MSBuild\RCXACFA.tmp
File created | C:\Program Files (x86)\MSBuild\66fc9ff0ee96c2
File created | C:\Program Files (x86)\Windows NT\5940a34987c991
File opened for modification | C:\Program Files\Common Files\System\es-ES\RCX9DC1.tmp
File opened for modification | C:\Program Files\Windows NT\TableTextService\unsecapp.exe
File created | C:\Program Files (x86)\Reference Assemblies\9e8d7a4ca61bd9
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCXA670.tmp
File opened for modification | C:\Program Files\MSBuild\backgroundTaskHost.exe
File created | C:\Program Files (x86)\MSBuild\sihost.exe
File created | C:\Program Files\Common Files\System\es-ES\ea9f0e6c9e2dcd
File created | C:\Program Files (x86)\Google\Temp\66fc9ff0ee96c2
File opened for modification | C:\Program Files\Common Files\System\es-ES\taskhostw.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\sihost.exe
File created | C:\Program Files\Common Files\System\es-ES\taskhostw.exe
File created | C:\Program Files (x86)\Google\Temp\sihost.exe
File created | C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe
File created | C:\Program Files\Windows NT\TableTextService\unsecapp.exe
File opened for modification | C:\Program Files\Windows NT\TableTextService\RCXB1FE.tmp
Drops file in Windows directory 20 IoCs
description | ioc | Process (every row: 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe)
File created | C:\Windows\Offline Web Pages\services.exe
File created | C:\Windows\Logs\fontdrvhost.exe
File created | C:\Windows\Logs\5b884080fd4f94
File opened for modification | C:\Windows\Logs\fontdrvhost.exe
File opened for modification | C:\Windows\Logs\RCX98AE.tmp
File opened for modification | C:\Windows\CbsTemp\wininit.exe
File created | C:\Windows\Tasks\System.exe
File created | C:\Windows\Tasks\27d1bcfc3c54e0
File created | C:\Windows\Offline Web Pages\c5b4cb5e9653cc
File created | C:\Windows\Provisioning\ee2ad38f3d4382
File created | C:\Windows\CbsTemp\wininit.exe
File opened for modification | C:\Windows\Tasks\System.exe
File opened for modification | C:\Windows\Provisioning\RCX9B30.tmp
File opened for modification | C:\Windows\CbsTemp\RCXA46B.tmp
File created | C:\Windows\Provisioning\Registry.exe
File created | C:\Windows\CbsTemp\56085415360792
File opened for modification | C:\Windows\Tasks\RCX8CA2.tmp
File opened for modification | C:\Windows\Offline Web Pages\RCX9187.tmp
File opened for modification | C:\Windows\Offline Web Pages\services.exe
File opened for modification | C:\Windows\Provisioning\Registry.exe
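Both drop tables show the same pattern: executables named after Windows system binaries (dllhost.exe, RuntimeBroker.exe, sihost.exe, services.exe, wininit.exe, fontdrvhost.exe, taskhostw.exe, unsecapp.exe, backgroundTaskHost.exe) and after kernel pseudo-processes that have no on-disk binary at all (System.exe, Registry.exe), written into directories where Windows never puts them, each next to a 14-hex-character sidecar file. The following is an added hunting example, not part of the report: it parses rows in the report's "File created <path> <process>" format and flags name/location mismatches and the sidecars. The expected-location table is stated from general Windows layout knowledge and covers only the live System32/SysWOW64 copies, not WinSxS; the input rows are a constructed excerpt of the report's rows plus one benign control row.

```python
"""Hunt for dropped files that borrow the names of Windows system binaries but sit outside the
directories those binaries ship in, plus the random-looking sidecar files dropped beside them.
Added example over rows in this report's format; the expected-location table is stated from
general Windows layout knowledge and is illustrative, not exhaustive."""
import re
from pathlib import PureWindowsPath

# Lower-case name -> directories where Windows installs the genuine binary. An empty set means
# no such executable ships at all (System and Registry are kernel pseudo-processes).
SYSTEM_BINARY_HOMES = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "services.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "registry.exe": set(),
    "system.exe": set(),
}
ROW_RE = re.compile(r"^File (?P<action>created|opened for modification) (?P<path>.+) (?P<proc>\S+)$")
SIDECAR_RE = re.compile(r"^[0-9a-f]{14}$")   # e.g. eddb19405b7ce1 in the rows above


def masquerade_findings(rows):
    """(masquerading executables, sidecar files): each a sorted list of unique paths."""
    masquerades, sidecars = set(), set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        path = PureWindowsPath(m["path"])
        name, parent = path.name.lower(), str(path.parent).lower()
        homes = SYSTEM_BINARY_HOMES.get(name)
        if homes is not None and parent not in homes:
            masquerades.add(str(path))
        elif SIDECAR_RE.match(name):
            sidecars.add(str(path))
    return sorted(masquerades), sorted(sidecars)


# Constructed excerpt: the first six rows copy rows from the report, the last is a benign
# control (a genuine System32 binary touched by a servicing process) and is not flagged.
SAMPLE_EXE = "9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe"
SAMPLE_ROWS = [
    rf"File created C:\Program Files (x86)\Windows NT\dllhost.exe {SAMPLE_EXE}",
    rf"File opened for modification C:\Program Files (x86)\Windows NT\dllhost.exe {SAMPLE_EXE}",
    rf"File created C:\Program Files (x86)\Windows NT\5940a34987c991 {SAMPLE_EXE}",
    rf"File created C:\Windows\CbsTemp\wininit.exe {SAMPLE_EXE}",
    rf"File created C:\Windows\Tasks\System.exe {SAMPLE_EXE}",
    rf"File opened for modification C:\Windows\Logs\RCX98AE.tmp {SAMPLE_EXE}",
    r"File opened for modification C:\Windows\System32\dllhost.exe TrustedInstaller.exe",
]

if __name__ == "__main__":
    found, side = masquerade_findings(SAMPLE_ROWS)
    print("masquerading:", *found, sep="\n  ")
    print("sidecars:", *side, sep="\n  ")
```

The same name-versus-directory test works on a live disk (walk Program Files and C:\Windows, skip System32, SysWOW64 and WinSxS, and compare basenames against the table), and a dropped copy of a system binary name is a much stronger signal when it is unsigned or signed by someone other than Microsoft, which the sandbox rows cannot tell you but a signature check on the file can.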
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4404.tmp.exe (62 rows), tmp6898.tmp.exe (1 row), tmp38FD.tmp.exe (1 row)
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | wininit.exe (9 rows), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1 row)
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
schtasks.exe (57 instances), PIDs: 3252, 3420, 4680, 948, 5008, 2124, 3496, 4280, 2212, 2612, 372, 1456, 2000, 2192, 700, 2436, 3940, 3708, 4384, 3448, 4008, 388, 2372, 1476, 644, 3820, 4660, 4168, 3152, 4328, 2096, 3984, 4472, 2692, 4508, 3064, 2392, 2628, 2052, 3516, 2972, 4760, 4676, 2208, 208, 2152, 4964, 2840, 3416, 2656, 3020, 3164, 2476, 4960, 3568, 4340, 3256 -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process (count)
2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (17)
powershell.exe: 3928 (4), 2600 (3), 3160 (3), 700 (3), 2548 (3), 2932 (3), 3644 (3), 4124 (3), 1892 (3), 3040 (3), 1044 (3)
wininit.exe: 3524, 2840, 3460, 4892, 2096, 2068, 220, 4432, 2936 (1 each) -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process
Token: SeDebugPrivilege 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe
Token: SeDebugPrivilege powershell.exe, PIDs 3928, 2600, 3160, 700, 2548, 1892, 2932, 1044, 4124, 3644, 3040
Token: SeDebugPrivilege wininit.exe, PIDs 3524, 2840, 3460, 4892, 2096, 2068, 220, 4432, 2936 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (count)
PID 2592 wrote to memory of 4420 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 144 (3)
PID 4420 wrote to memory of 3524 4420 tmp8D2F.tmp.exe 146 (7)
PID 2592 wrote to memory of 3040 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 149 (2)
PID 2592 wrote to memory of 3928 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 150 (2)
PID 2592 wrote to memory of 1044 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 151 (2)
PID 2592 wrote to memory of 2548 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 152 (2)
PID 2592 wrote to memory of 2600 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 153 (2)
PID 2592 wrote to memory of 2932 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 154 (2)
PID 2592 wrote to memory of 3160 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 155 (2)
PID 2592 wrote to memory of 700 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 156 (2)
PID 2592 wrote to memory of 4124 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 157 (2)
PID 2592 wrote to memory of 3644 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 159 (2)
PID 2592 wrote to memory of 1892 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 167 (2)
PID 2592 wrote to memory of 1228 2592 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe 170 (2)
PID 1228 wrote to memory of 3252 1228 cmd.exe 173 (2)
PID 1228 wrote to memory of 3524 1228 cmd.exe 175 (2)
PID 3524 wrote to memory of 4384 3524 wininit.exe 177 (2)
PID 3524 wrote to memory of 3964 3524 wininit.exe 178 (2)
PID 3524 wrote to memory of 2124 3524 wininit.exe 179 (3)
PID 2124 wrote to memory of 2444 2124 tmpDA33.tmp.exe 181 (7)
PID 4384 wrote to memory of 2840 4384 WScript.exe 187 (2)
PID 2840 wrote to memory of 2692 2840 wininit.exe 189 (2)
PID 2840 wrote to memory of 4268 2840 wininit.exe 190 (2)
PID 2840 wrote to memory of 2760 2840 wininit.exe 191 (3)
PID 2760 wrote to memory of 2836 2760 tmp1D86.tmp.exe 193 (3)
The seven writes from tmp8D2F.tmp.exe (4420) into a freshly started copy of itself (3524), together with the SetThreadContext flag on 4420 in the process tree, match the sequence used for process hollowing; tmpDA33.tmp.exe (2124 into 2444) and tmp1D86.tmp.exe (2760 into 2836) show the same parent-into-same-image pattern. PIDs are reused within the trace (3524 is both the tmp8D2F.tmp.exe child and the wininit.exe copy), so correlate on parent/child pairs and timing rather than on PID alone. -
System policy modification 1 TTPs 30 IoCs
description ioc Process (count)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe (9), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe (9), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe (9), 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe (1)
Each of the ten processes (the original sample and the nine wininit.exe copies) writes all three values. Together they switch UAC off: EnableLUA = 0 does not take effect until the next reboot, while ConsentPromptBehaviorAdmin = 0 (elevate without prompting) and PromptOnSecureDesktop = 0 apply to subsequent elevations without one. -
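The IoC text above is flat and repetitive; the following is an added example (not part of the sandbox report) that parses that exact "Set value (int) <key>\<name> = "<value>" <process>" form into a per-process count, reports which UAC settings end up weakened, and emits the reg.exe commands that restore them. The sample input is four entries copied from the list above; the baseline values (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) are the Windows 10 defaults and are my assumption of what "secure" means here.

```python
"""Added example: parse the report's 'System policy modification' IoC text and
judge the UAC posture it leaves behind. Assumptions (mine, not the report's):
the IoC text format shown above and the Windows 10 default baseline values."""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows 10 defaults; assumed here as the secure baseline for the comparison.
SECURE_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# One IoC: type in parentheses, key path, value name, quoted data, writing process.
IOC_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\[^\s=]+?)\\(\w+) = "([^"]*)" (\S+)')

# Constructed sample: four entries copied from the report's IoC list.
SAMPLE_IOCS = (
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe'
)


def parse_policy_iocs(text):
    """Return [(value_name, value, process)] for every write under the UAC policy key."""
    found = []
    for kind, key, name, data, proc in IOC_RE.findall(text):
        if key != UAC_KEY:
            continue  # writes to other policy keys are out of scope here
        found.append((name, int(data) if kind == "int" else data, proc))
    return found


def writes_by_process(iocs):
    """Counter of (value_name, process): who wrote which UAC value, how often."""
    return Counter((name, proc) for name, _, proc in iocs)


def uac_posture(iocs):
    """Final value of each UAC setting (last write in list order wins) and the
    subset that differs from the secure baseline."""
    final = {}
    for name, value, _ in iocs:
        final[name] = value
    weakened = {n: v for n, v in final.items()
                if n in SECURE_DEFAULTS and v != SECURE_DEFAULTS[n]}
    return final, weakened


def remediation_commands(weakened):
    """reg.exe commands that restore the baseline for each weakened value."""
    key = "HKLM" + UAC_KEY[len(r"\REGISTRY\MACHINE"):]
    return [f'reg add "{key}" /v {n} /t REG_DWORD /d {SECURE_DEFAULTS[n]} /f'
            for n in sorted(weakened)]


if __name__ == "__main__":
    iocs = parse_policy_iocs(SAMPLE_IOCS)
    final, weakened = uac_posture(iocs)
    print(writes_by_process(iocs))
    print("final:", final, "weakened:", weakened)
    for cmd in remediation_commands(weakened):
        print(cmd)
```

Restoring the values with reg add brings back the prompts for future elevations, but EnableLUA only re-engages after a reboot, and any Defender exclusions or scheduled tasks created while UAC was off remain and need their own cleanup.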
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe  "C:\Users\Admin\AppData\Local\Temp\9e9ce882d8ce63520122f37c16cc256ec0365efa288f12e12cf1a25d81ad14deN.exe"  (level 1)
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2592
C:\Users\Admin\AppData\Local\Temp\tmp8D2F.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp8D2F.tmp.exe"  (level 2)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4420
C:\Users\Admin\AppData\Local\Temp\tmp8D2F.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp8D2F.tmp.exe"  (level 3)
- Executes dropped EXE
PID:3524
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (level 2, eleven instances, each flagged: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken)
PID   command line
3040  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
3928  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
1044  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2548  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2600  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2932  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
3160  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
700   "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
4124  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
3644  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
1892  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Taken together these exclude the whole of C: (the drive root plus every top-level directory) from Microsoft Defender scanning. Add-MpPreference needs administrative rights, which fits the UAC-policy changes made by the same sample. On a suspect host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath lists what has been excluded, and Remove-MpPreference -ExclusionPath undoes each entry.
C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Cha9kXnVr.bat"  (level 2)
- Suspicious use of WriteProcessMemory
PID:1228
C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  (level 3)
PID:3252
C:\Windows\CbsTemp\wininit.exe  "C:\Windows\CbsTemp\wininit.exe"  (level 3)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3524
The batch file first runs w32tm /stripchart against localhost, a common stand-in for a sleep of a few seconds, and then starts the dropped copy. Note the name: the genuine wininit.exe lives only in C:\Windows\System32, so a wininit.exe under C:\Windows\CbsTemp is a system-binary name used outside its normal path.
From here the dropped wininit.exe relaunches itself through a chain of WScript.exe-run .vbs files, one level deeper each time. All .vbs files are under C:\Users\Admin\AppData\Local\Temp\; every WScript.exe command line is "C:\Windows\System32\WScript.exe" "<that file>", and every wininit.exe command line is C:\Windows\CbsTemp\wininit.exe.
level  process      PID   file / flags
4      WScript.exe  4384  68010d57-49ed-4796-80c8-aba578649529.vbs; Suspicious use of WriteProcessMemory
5      wininit.exe  2840  same flags as PID 3524
6      WScript.exe  2692  ce8d11ec-5a32-4e53-b5d2-b6e219cfe611.vbs
7      wininit.exe  3460  same flags as PID 3524, without Suspicious use of WriteProcessMemory
8      WScript.exe  3140  c405df60-7c5c-43b6-8e5b-7e52e55c1c37.vbs
9      wininit.exe  4892  as PID 3460
10     WScript.exe  3800  0513ab27-fb68-4eec-9583-2eaf42987fba.vbs
11     wininit.exe  2096  as PID 3460
12     WScript.exe  764   d57a706a-97b3-4553-a178-a44ac427a11f.vbs
13     wininit.exe  2068  as PID 3460
14     WScript.exe  4844  0001d22b-6bb0-42a1-ad71-16fcbf609bee.vbs
15     wininit.exe  220   as PID 3460
16     WScript.exe  4740  4506c756-2b38-44f4-891e-9dbd7f9dda45.vbs
17     wininit.exe  4432  as PID 3460
18     WScript.exe  3660  285110d5-3571-4518-8f1c-486db29bf06d.vbs
19     wininit.exe  2936  as PID 3460
20     WScript.exe  2968  c62104de-19e9-4479-a43a-4e9055710a21.vbs
20     WScript.exe  3680  1a23b745-fbb0-4ae5-8239-c26bc8a0d38c.vbs
The wininit.exe copy at level 19 (PID 2936) has a third level-20 child, tmp4404.tmp.exe, listed next.
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"  (level 20, child of wininit.exe PID 2936)
Every instance starts one more copy of itself as its own child, so the tree descends one level per process; level 102 is the last entry shown here. Flags: D = Executes dropped EXE, L = System Location Discovery: System Language Discovery.
level  PID   flags
20     340   D L
21     4836  D
22     4168  D
23     3808  D
24     1004  D L
25     2368  D
26     2068  D
27     4376  D
28     1124  D
29     3356  D
30     2916  D
31     2632  D
32     3416  D
33     3928  D L
34     4928  D
35     4620  D
36     4700  D
37     4652  D
38     2620  D L
39     4640  D L
40     3560  D L
41     3284  D
42     1708  D
43     1628  D
44     2656  D
45     4964  D L
46     2328  D L
47     5000  D
48     4568  D
49     2100  D
50     1888  D
51     3852  D
52     116   D L
53     528   D L
54     3480  D
55     3448  D
56     4588  L
57     3996
58     208
59     2924  L
60     408
61     2076
62     4368  L
63     2564
64     1144  L
65     4676  L
66     980
67     4444
68     5048
69     1228
70     2732  L
71     1324
72     4064
73     4176
74     4984  L
75     3108
76     2812
77     1176
78     1044  L
79     4696
80     3712
81     3152
82     4100  L
83     392   L
84     764   L
85     1940
86     2084
87     2744
88     4852
89     776
90     1680
91     3128  L
92     1892
93     4296
94     4456
95     4892
96     840
97     4276  L
98     4924
99     3392
100    3512
101    3096
102    1708
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"103⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"104⤵
- System Location Discovery: System Language Discovery
PID:3456 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"105⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"106⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"107⤵
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"108⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"109⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"110⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"111⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"112⤵
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"113⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"114⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"115⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"116⤵
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"117⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"118⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"119⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"120⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"121⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp.exe"122⤵PID:388