colibri | a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Size

4.9MB
MD5

28feb5efaafa67cef60ea0228eaaad26
SHA1

11f07fa02dad31c4209461451386796085235e66
SHA256

a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294
SHA512

0c3b5d70c06d01d0124bddadf15ee6df3a787a77eb786fe6438587ecc87291de0e3b5b1d5102f5228e6a944e88251b3bf4b584c236cda6d5c1cb947739a6be6c
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2292	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2292	schtasks.exe	86

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2724-2-0x000000001BE00000-0x000000001BF2E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4060	powershell.exe
636	powershell.exe
4480	powershell.exe
5076	powershell.exe
2920	powershell.exe
4840	powershell.exe
3228	powershell.exe
2580	powershell.exe
4864	powershell.exe
4340	powershell.exe
3104	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 50 IoCs

pid	Process
4548	tmpD94C.tmp.exe
1252	tmpD94C.tmp.exe
2300	StartMenuExperienceHost.exe
4512	tmpD1A.tmp.exe
1936	tmpD1A.tmp.exe
1368	StartMenuExperienceHost.exe
3716	tmp3FA4.tmp.exe
1320	tmp3FA4.tmp.exe
1016	StartMenuExperienceHost.exe
3580	tmp5BF6.tmp.exe
1844	tmp5BF6.tmp.exe
4984	StartMenuExperienceHost.exe
1564	tmp777D.tmp.exe
1760	tmp777D.tmp.exe
3572	tmp777D.tmp.exe
1012	StartMenuExperienceHost.exe
2952	tmp9333.tmp.exe
1976	tmp9333.tmp.exe
2712	StartMenuExperienceHost.exe
1412	tmpAF94.tmp.exe
4132	tmpAF94.tmp.exe
4592	StartMenuExperienceHost.exe
1728	tmpCB79.tmp.exe
3816	tmpCB79.tmp.exe
1604	tmpCB79.tmp.exe
4120	StartMenuExperienceHost.exe
3616	tmpE829.tmp.exe
1880	tmpE829.tmp.exe
3268	StartMenuExperienceHost.exe
4404	tmp1812.tmp.exe
4460	tmp1812.tmp.exe
2648	StartMenuExperienceHost.exe
2780	tmp477F.tmp.exe
2952	tmp477F.tmp.exe
3944	StartMenuExperienceHost.exe
1028	tmp62F6.tmp.exe
116	tmp62F6.tmp.exe
1236	tmp62F6.tmp.exe
2920	StartMenuExperienceHost.exe
3680	tmpA704.tmp.exe
872	tmpA704.tmp.exe
2964	tmpA704.tmp.exe
3088	tmpA704.tmp.exe
4840	StartMenuExperienceHost.exe
4364	tmpD7D8.tmp.exe
1508	tmpD7D8.tmp.exe
4132	tmpD7D8.tmp.exe
2560	StartMenuExperienceHost.exe
3816	tmp84E.tmp.exe
4616	tmp84E.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 4548 set thread context of 1252	4548	tmpD94C.tmp.exe	140
PID 4512 set thread context of 1936	4512	tmpD1A.tmp.exe	169
PID 3716 set thread context of 1320	3716	tmp3FA4.tmp.exe	179
PID 3580 set thread context of 1844	3580	tmp5BF6.tmp.exe	191
PID 1760 set thread context of 3572	1760	tmp777D.tmp.exe	201
PID 2952 set thread context of 1976	2952	tmp9333.tmp.exe	213
PID 1412 set thread context of 4132	1412	tmpAF94.tmp.exe	222
PID 3816 set thread context of 1604	3816	tmpCB79.tmp.exe	232
PID 3616 set thread context of 1880	3616	tmpE829.tmp.exe	242
PID 4404 set thread context of 4460	4404	tmp1812.tmp.exe	252
PID 2780 set thread context of 2952	2780	tmp477F.tmp.exe	262
PID 116 set thread context of 1236	116	tmp62F6.tmp.exe	272
PID 2964 set thread context of 3088	2964	tmpA704.tmp.exe	283
PID 1508 set thread context of 4132	1508	tmpD7D8.tmp.exe	293
PID 3816 set thread context of 4616	3816	tmp84E.tmp.exe	302

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\38384e6a620884	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Common Files\System\fr-FR\6ccacd8608530f	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\Idle.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Security\StartMenuExperienceHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Security\RCXEFEB.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Crashpad\22eafd247d37c3	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Multimedia Platform\38384e6a620884	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Portable Devices\SearchApp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\69ddcba757bf72	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Crashpad\TextInputHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXDD07.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Crashpad\RCXF81D.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\886983d96e3d3e	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD8ED.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXE20A.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Microsoft Office\unsecapp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE48C.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\smss.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Common Files\System\fr-FR\Idle.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Microsoft Office\29c1c3cc0f7685	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Security\StartMenuExperienceHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Security\55b276f4edf653	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\RCXDF89.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\SearchApp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\smss.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Portable Devices\SearchApp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RCXE922.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Crashpad\TextInputHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXFA9E.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXD68B.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Microsoft Office\unsecapp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files (x86)\Internet Explorer\images\55b276f4edf653	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Program Files\Windows Multimedia Platform\SearchApp.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\csrss.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\backgroundTaskHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Windows\DigitalLocker\en-US\9e8d7a4ca61bd9	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Windows\ShellComponents\backgroundTaskHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXED69.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Windows\rescache\_merged\2137598169\TextInputHost.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Windows\ShellComponents\eddb19405b7ce1	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File created	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Windows\ShellComponents\RCXEB55.tmp	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE829.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1812.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp62F6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp62F6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA704.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA704.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD94C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3FA4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp777D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB79.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA704.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD7D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5BF6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAF94.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB79.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp477F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD1A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp777D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9333.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD7D8.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1564	schtasks.exe
1820	schtasks.exe
4944	schtasks.exe
2208	schtasks.exe
1596	schtasks.exe
2720	schtasks.exe
2584	schtasks.exe
1964	schtasks.exe
1644	schtasks.exe
756	schtasks.exe
4020	schtasks.exe
1300	schtasks.exe
1372	schtasks.exe
3420	schtasks.exe
3628	schtasks.exe
1132	schtasks.exe
2356	schtasks.exe
2324	schtasks.exe
2696	schtasks.exe
2368	schtasks.exe
1084	schtasks.exe
4560	schtasks.exe
2044	schtasks.exe
4660	schtasks.exe
4112	schtasks.exe
3436	schtasks.exe
4612	schtasks.exe
4808	schtasks.exe
3820	schtasks.exe
368	schtasks.exe
3544	schtasks.exe
4688	schtasks.exe
2300	schtasks.exe
2168	schtasks.exe
1744	schtasks.exe
408	schtasks.exe
5076	schtasks.exe
2920	schtasks.exe
216	schtasks.exe
5116	schtasks.exe
1760	schtasks.exe
3672	schtasks.exe
3028	schtasks.exe
1152	schtasks.exe
1012	schtasks.exe
2944	schtasks.exe
1604	schtasks.exe
1704	schtasks.exe
916	schtasks.exe
3088	schtasks.exe
4520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
4864	powershell.exe
4864	powershell.exe
4840	powershell.exe
4840	powershell.exe
636	powershell.exe
636	powershell.exe
3104	powershell.exe
3104	powershell.exe
4060	powershell.exe
4060	powershell.exe
2580	powershell.exe
2580	powershell.exe
3228	powershell.exe
3228	powershell.exe
2920	powershell.exe
2920	powershell.exe
3104	powershell.exe
4340	powershell.exe
4340	powershell.exe
4480	powershell.exe
4480	powershell.exe
5076	powershell.exe
5076	powershell.exe
4840	powershell.exe
636	powershell.exe
4864	powershell.exe
4060	powershell.exe
4480	powershell.exe
2580	powershell.exe
3228	powershell.exe
2920	powershell.exe
4340	powershell.exe
5076	powershell.exe
2300	StartMenuExperienceHost.exe
2300	StartMenuExperienceHost.exe
1368	StartMenuExperienceHost.exe
1016	StartMenuExperienceHost.exe
4984	StartMenuExperienceHost.exe
1012	StartMenuExperienceHost.exe
2712	StartMenuExperienceHost.exe
4592	StartMenuExperienceHost.exe
4120	StartMenuExperienceHost.exe
3268	StartMenuExperienceHost.exe
2648	StartMenuExperienceHost.exe
3944	StartMenuExperienceHost.exe
2920	StartMenuExperienceHost.exe
4840	StartMenuExperienceHost.exe
2560	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2300	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1368	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1016	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4984	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1012	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2712	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4592	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4120	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3268	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2648	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3944	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2920	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4840	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2560	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4548	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	138
PID 2724 wrote to memory of 4548	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	138
PID 2724 wrote to memory of 4548	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	138
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 4548 wrote to memory of 1252	4548	tmpD94C.tmp.exe	140
PID 2724 wrote to memory of 5076	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	141
PID 2724 wrote to memory of 5076	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	141
PID 2724 wrote to memory of 4864	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	142
PID 2724 wrote to memory of 4864	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	142
PID 2724 wrote to memory of 2920	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	143
PID 2724 wrote to memory of 2920	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	143
PID 2724 wrote to memory of 4840	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	144
PID 2724 wrote to memory of 4840	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	144
PID 2724 wrote to memory of 4060	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	145
PID 2724 wrote to memory of 4060	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	145
PID 2724 wrote to memory of 636	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	146
PID 2724 wrote to memory of 636	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	146
PID 2724 wrote to memory of 4340	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	147
PID 2724 wrote to memory of 4340	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	147
PID 2724 wrote to memory of 3104	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	148
PID 2724 wrote to memory of 3104	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	148
PID 2724 wrote to memory of 4480	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	149
PID 2724 wrote to memory of 4480	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	149
PID 2724 wrote to memory of 3228	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	150
PID 2724 wrote to memory of 3228	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	150
PID 2724 wrote to memory of 2580	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	151
PID 2724 wrote to memory of 2580	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	151
PID 2724 wrote to memory of 2300	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	163
PID 2724 wrote to memory of 2300	2724	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe	163
PID 2300 wrote to memory of 2584	2300	StartMenuExperienceHost.exe	165
PID 2300 wrote to memory of 2584	2300	StartMenuExperienceHost.exe	165
PID 2300 wrote to memory of 3672	2300	StartMenuExperienceHost.exe	166
PID 2300 wrote to memory of 3672	2300	StartMenuExperienceHost.exe	166
PID 2300 wrote to memory of 4512	2300	StartMenuExperienceHost.exe	167
PID 2300 wrote to memory of 4512	2300	StartMenuExperienceHost.exe	167
PID 2300 wrote to memory of 4512	2300	StartMenuExperienceHost.exe	167
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 4512 wrote to memory of 1936	4512	tmpD1A.tmp.exe	169
PID 2584 wrote to memory of 1368	2584	WScript.exe	172
PID 2584 wrote to memory of 1368	2584	WScript.exe	172
PID 1368 wrote to memory of 1976	1368	StartMenuExperienceHost.exe	174
PID 1368 wrote to memory of 1976	1368	StartMenuExperienceHost.exe	174
PID 1368 wrote to memory of 1848	1368	StartMenuExperienceHost.exe	175
PID 1368 wrote to memory of 1848	1368	StartMenuExperienceHost.exe	175
PID 1368 wrote to memory of 3716	1368	StartMenuExperienceHost.exe	177
PID 1368 wrote to memory of 3716	1368	StartMenuExperienceHost.exe	177
PID 1368 wrote to memory of 3716	1368	StartMenuExperienceHost.exe	177
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179
PID 3716 wrote to memory of 1320	3716	tmp3FA4.tmp.exe	179

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe
"C:\Users\Admin\AppData\Local\Temp\a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724
- C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Program Files\Windows Security\StartMenuExperienceHost.exe
  "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd8ee7e-526b-4875-ad88-54693d0a91df.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Program Files\Windows Security\StartMenuExperienceHost.exe
      "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7cd0a48-3d56-498b-8e45-b3be20997168.vbs"
        5⤵
        
        PID:1976
      - C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4630d9b6-cfc1-455f-b2d6-563d47f12c86.vbs"
        7⤵
        
        PID:4592
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\677c86e3-528a-4a57-8f96-6cc47b4e014d.vbs"
        9⤵
        
        PID:4300
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed63c738-24d7-44fd-b570-7a806c716aa9.vbs"
        11⤵
        
        PID:2632
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edfec621-3d19-4b90-9481-766f9b256f20.vbs"
        13⤵
        
        PID:1596
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77091d81-de8a-4520-b10a-086076354dcd.vbs"
        15⤵
        
        PID:1364
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1002242-b536-4112-ac78-472bb0f633f6.vbs"
        17⤵
        
        PID:3324
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cb432a7-c6da-4387-9094-43c907fe0db7.vbs"
        19⤵
        
        PID:532
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e681a839-f0af-4025-922f-c04fe172d39f.vbs"
        21⤵
        
        PID:3016
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f176916-4f6d-4670-9b9e-2367839e7ef3.vbs"
        23⤵
        
        PID:4912
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5b9e875-131a-4d62-9fee-774b5e90c7f9.vbs"
        25⤵
        
        PID:4012
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f03772fd-4949-4101-8656-a16326278ec2.vbs"
        27⤵
        
        PID:4896
        
        C:\Program Files\Windows Security\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Security\StartMenuExperienceHost.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4b055cb-9762-402b-a3b8-3ca3b6f3157a.vbs"
        29⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a4532de-a74a-4c50-a5f6-399ce858202f.vbs"
        29⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84E.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859d5ae5-3f27-4fd7-88ca-12dc8c97f5ea.vbs"
        27⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\736d1140-784a-4f27-9585-4a652facdf2c.vbs"
        25⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA704.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5029bf7-7c24-4ce2-8d73-b1cb886afcf6.vbs"
        23⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp62F6.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2bf037-dc6b-49c0-9e72-aa676ab6012c.vbs"
        21⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp477F.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4460514a-132a-42dc-b728-09defded5742.vbs"
        19⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1812.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98401a2a-653b-4b90-8283-201663f85b69.vbs"
        17⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE829.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1341083a-c021-4032-b2c1-dc9ac18b9385.vbs"
        15⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f517509d-e4c6-4bfd-b4ed-0a17560d5a0b.vbs"
        13⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAF94.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b19597-01f9-4cdf-a793-762e18e05b3e.vbs"
        11⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9333.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\960f67c4-1770-4c94-9720-deb81304ef86.vbs"
        9⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp777D.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb44d336-9099-4498-b5d1-a48f7c4b50e9.vbs"
        7⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6b1534e-08bb-4848-aeb5-5bee2fc80a4e.vbs"
        5⤵
        
        PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3FA4.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977bc7e1-bb30-4df8-8ec8-44fbb38c4fdb.vbs"
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD1A.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\fr-FR\Idle.exe

Filesize
4.9MB

MD5
28feb5efaafa67cef60ea0228eaaad26

SHA1
11f07fa02dad31c4209461451386796085235e66

SHA256
a14a650188cebc865e97fb3fd917fb6cc3e9efb30500bf45317994bc37c1a294

SHA512
0c3b5d70c06d01d0124bddadf15ee6df3a787a77eb786fe6438587ecc87291de0e3b5b1d5102f5228e6a944e88251b3bf4b584c236cda6d5c1cb947739a6be6c

Download Submit
C:\Program Files\Crashpad\TextInputHost.exe

Filesize
4.9MB

MD5
a4a27b58a4cc61da3cb68c8269bd7ba5

SHA1
1d2fc974209ae251e7ab1599fe04c32bc3df8559

SHA256
f04c187aeffb7e7ede15ea2d8bc371bbf8fb4f8931982e11262b8793aa39cb68

SHA512
dd4ba7deda5da39d7ccec5b19eca52cfcd9df9850cd2561ae1a7b38a70b92fdc6a7311d8015db255935d79fb58ecc5e4171e5e24efc40196a01b3b4404590ac0

Download Submit
C:\Program Files\Windows Security\RCXEFEB.tmp

Filesize
4.9MB

MD5
fc3d3330bba09040a4f336fb5d7fb17a

SHA1
0ab1bfe3649db1109197b6a619b91bfb6d77fee4

SHA256
66a4537a7f5892f30287dd78d2d22ce3b0d312d4c6f8b996c7b3f6762b8c981f

SHA512
019f5444fe85d22b9868cd63fcf6c75b47b942e7040d015dbf281e85c2ec2146b92e0c4cda11185e7a538637ebe89876434ea58be3df9496c27dd075fd380e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4630d9b6-cfc1-455f-b2d6-563d47f12c86.vbs

Filesize
737B

MD5
d5f7d138798785b3b68a0e9f212f6d82

SHA1
60f88abc3de1cb7c4c131e2fe0b8356d3d26724b

SHA256
6dcf2cafe2df52d2ce40340392cccaaabd5a6d5fa80b474958952f2b90bb557a

SHA512
cc24c794b70201bba7a38bde077be170f870e04d40e85bb16ecf2a065e6f2aa8bef6e19d78e9b229bddf76db8f1c90e86710d8fbad5f66a5de998e3722e34dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\677c86e3-528a-4a57-8f96-6cc47b4e014d.vbs

Filesize
737B

MD5
da869193a79f6938359c4f210967abe8

SHA1
4db24d90c1fc3eefa174dfcab5c40cf28b9168ff

SHA256
98f2f5fc2afb65aa2658dbaddd3fa32c37cc7008f265dea493e38dcf68d0d280

SHA512
18418faf384a4895e70e69401037c8b29e547872787ee40f3931be10a5c0dcb04118a39edeaa22b9ed8eb2befce2296f5971b6aa4510a43d12463ff5ceca9e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d889a504b94b3ba7ef7a4a7021d9bf827218cb1.exe

Filesize
4.9MB

MD5
242b580afd1cf06e03e38cf554d52335

SHA1
40dfce08976261d4bf6046399eb22d51c5745bca

SHA256
698070e3219eba0cc5d9b94a67618478e642e179ab5aca28ab70a596b8e0cb49

SHA512
332ce55dee7031544f06cd35f6c36366169264ef70e104a97a17ce041a3727a6eb23a60dc659fa68469f7a7b2069884db01250390229d5ba887ec0ca3d945183

Download Submit
C:\Users\Admin\AppData\Local\Temp\77091d81-de8a-4520-b10a-086076354dcd.vbs

Filesize
737B

MD5
c449c75ad42f2b3c118baf0e33cbb131

SHA1
74f3720856380b1d8c00943726fd503b90470466

SHA256
8fcd69ddc62ea9a892b6f93ff01271b821a328f034da61c2008d87b71504c878

SHA512
d99ad01de73bed1e2c8d0e36afe30ce714ebae20a4d72fa9e7af19e6c1c972f4de9a2f79defece42f24541ad5c87523e7b0e31a260275fe9de1645b67c3500c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\977bc7e1-bb30-4df8-8ec8-44fbb38c4fdb.vbs

Filesize
513B

MD5
1a8ca627414030509e33bb6e0a11931d

SHA1
3b07518e903988c8c5e8361a4841c0fe66666db9

SHA256
d75eb018233894b22f66f7f4f4b4352554a45f9f9964b477c3481011f9bb08c7

SHA512
0abd255f78d9b9b217c53a3fb21773b3504785b17ed6507924fd0828c3cba624936dad3aa0b747000342df85221a3fd5189910ace78baa50e6f96ec42be54e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dd8ee7e-526b-4875-ad88-54693d0a91df.vbs

Filesize
737B

MD5
a561c9144b7f01eb24fc36b462fafae7

SHA1
0a9ddfbe54808595c6d7fa7477092276118b7d60

SHA256
9046c534236c0a1f79d603d2869ae9dee869b13307ee485b5638c081f5432fd1

SHA512
ae6b8b75e8a25deef5644410af659497e0ed24dc1e829a3c66b35559744c3d45b027833b001f954e6388157d35e6ce8834083a65b9cad29d62b0a25e7ee1afdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc0ly4ko.adt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7cd0a48-3d56-498b-8e45-b3be20997168.vbs

Filesize
737B

MD5
08f6df074af8f46c8e242f4f99b89fdd

SHA1
4fdb1b3d870606e5005d857376903bd7e66b9706

SHA256
1ab91113b25a448a5e5411f906eb0d79510b53b49057452b34f5ec43b52ecd36

SHA512
4bace21ce205f65440ad7b6257967eb139669a1bb55b5790517756c4f923e16c99090e708333e23c83138aa4d83ad40ce69525154d8ea9a14aef728cb93f0e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\edfec621-3d19-4b90-9481-766f9b256f20.vbs

Filesize
737B

MD5
3923d1962917fc848c8e833f24577ad2

SHA1
459a72c1845ed6fedd70c413005bbaff891ecd96

SHA256
0b51850e0e9eca16d526f23aa5a1c045e0ad54c17174e5f75c3c38624fd64774

SHA512
9b51eb8d1b37663aa96a58db68d23bb02312aea2ed7e07f7c9266693dc59d2ce92baf73ca87d4e8d74b24bff07e9ac25098f514338304e698c3165330ef9c825

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD94C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1252-86-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2724-12-0x000000001CA60000-0x000000001CF88000-memory.dmp

Filesize
5.2MB

Download
memory/2724-1-0x0000000000A50000-0x0000000000F44000-memory.dmp

Filesize
5.0MB

Download
memory/2724-13-0x000000001BD60000-0x000000001BD6A000-memory.dmp

Filesize
40KB

Download
memory/2724-16-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/2724-146-0x00007FFC9E2B3000-0x00007FFC9E2B5000-memory.dmp

Filesize
8KB

Download
memory/2724-161-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp

Filesize
10.8MB

Download
memory/2724-15-0x000000001BD80000-0x000000001BD8E000-memory.dmp

Filesize
56KB

Download
memory/2724-18-0x000000001BDB0000-0x000000001BDBC000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x000000001BD70000-0x000000001BD7E000-memory.dmp

Filesize
56KB

Download
memory/2724-11-0x000000001BD50000-0x000000001BD62000-memory.dmp

Filesize
72KB

Download
memory/2724-17-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/2724-0-0x00007FFC9E2B3000-0x00007FFC9E2B5000-memory.dmp

Filesize
8KB

Download
memory/2724-342-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp

Filesize
10.8MB

Download
memory/2724-10-0x0000000003210000-0x000000000321A000-memory.dmp

Filesize
40KB

Download
memory/2724-6-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/2724-8-0x00000000031E0000-0x00000000031F6000-memory.dmp

Filesize
88KB

Download
memory/2724-9-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/2724-7-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/2724-5-0x0000000003220000-0x0000000003270000-memory.dmp

Filesize
320KB

Download
memory/2724-4-0x00000000030A0000-0x00000000030BC000-memory.dmp

Filesize
112KB

Download
memory/2724-3-0x00007FFC9E2B0000-0x00007FFC9ED71000-memory.dmp

Filesize
10.8MB

Download
memory/2724-2-0x000000001BE00000-0x000000001BF2E000-memory.dmp

Filesize
1.2MB

Download
memory/4864-236-0x000001D10E1E0000-0x000001D10E202000-memory.dmp

Filesize
136KB

Download